5219251 2000-06-22 06:16 /69 rader/ Postmaster
Mottagare: Bugtraq (import) <11379>
Ärende: rh 6.2 - gid compromises, etc
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Hate: Where do you want to go to die?
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.21.0006211209500.22969-100000@nimue.tpi.pl>
Date: Wed, 21 Jun 2000 12:54:08 +0200
Reply-To: Michal Zalewski <lcamtuf@TPI.PL>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Michal Zalewski <lcamtuf@TPI.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
Probably it's nothing exciting, but several packets supplied with RH
6.2 will allow <500 gid/uid compromises. On every system it HAS some
kind of meaning - sometimes just a little (exceeding quotas, hiding
from accounting, anonymous intrusions to other systems) - but
sometimes compromised uucp or news privledges might be used to
intercept/modify/deny important traffic on server itself.
IMHO, it's good to minimalise number of setuid root applications in
system. But moving to setgids won't solve anything. Of course, you
might avoid root security compromise, but uid/gid 'news' gained on
newsserver, 'http' or 'nobody' gained on webserver or 'uucp' gained
on UUCP machine is not the thing that should happen.
I checked about 15 setgid applications from RH 6.2, performing some
basic tests - environment parsing, privledges dropping and input
validation. And it looks bad:
- slrnpull (setgid: news) - using eg. NNTPSERVER environmental variable,
you can cause nice SEGV... egid==news, of course. On systems running
innd server (and probably other newsservers as well), group 'news' can
be used to control content of whole spool, and to elevate privledges,
gaining euid news. From this point, we can simply takeover nntp
service.
Under some conditions, inews can be used in the same way, but bug
is hidden a little bit deeper. I'll leave it as an exercise to
readers (and maintainers - please audit your code, not only fix
published bugs),
- gkermit - can read/write/append files with egid==uucp; these file
include many /dev/ entries, /etc/uucp/passwd etc; can
be dangerous on systems running uucp.
- slocate - custom input file can be specified using LOCATE_PATH;
due to almost no input validation, it's possible to
supply many different input patterns, some of them will
cause potentially exploitable SEGVs; please review this
code. Ah, forgotten, gid slocate can be used to
access slocate database in unrestricted mode (every
file in filesystem indexed, including eg. /root,
web scripts etc),
Also, I'm still surprised with number of world-writable
files/directories shipped with every RH installation. It is difficult
to perform something like:
# find / -perm -2 \! -type l -exec ls -ld {} \;
? People are very often setting up /tmp on separate partitions, with eg.
nosuid option, the same about /home, but most of them are missing _a_lot_
of these directories (some of them are even setuid, huh).
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
(5219251) ------------------------------------------(Ombruten)