![[LWN Logo]](/images/lc.png) |
|
![[Timeline]](/images/Included.png) |
Date: Wed, 21 Jun 2000 12:54:08 +0200
From: Michal Zalewski <lcamtuf@TPI.PL>
Subject: rh 6.2 - gid compromises, etc
To: BUGTRAQ@SECURITYFOCUS.COM
Probably it's nothing exciting, but several packets supplied with RH 6.2
will allow <500 gid/uid compromises. On every system it HAS some kind of
meaning - sometimes just a little (exceeding quotas, hiding from
accounting, anonymous intrusions to other systems) - but sometimes
compromised uucp or news privledges might be used to intercept/modify/deny
important traffic on server itself.
IMHO, it's good to minimalise number of setuid root applications in
system. But moving to setgids won't solve anything. Of course, you might
avoid root security compromise, but uid/gid 'news' gained on newsserver,
'http' or 'nobody' gained on webserver or 'uucp' gained on UUCP machine
is not the thing that should happen.
I checked about 15 setgid applications from RH 6.2, performing some basic
tests - environment parsing, privledges dropping and input validation. And
it looks bad:
- slrnpull (setgid: news) - using eg. NNTPSERVER environmental variable,
you can cause nice SEGV... egid==news, of course. On systems running
innd server (and probably other newsservers as well), group 'news' can
be used to control content of whole spool, and to elevate privledges,
gaining euid news. From this point, we can simply takeover nntp
service.
Under some conditions, inews can be used in the same way, but bug
is hidden a little bit deeper. I'll leave it as an exercise to
readers (and maintainers - please audit your code, not only fix
published bugs),
- gkermit - can read/write/append files with egid==uucp; these file
include many /dev/ entries, /etc/uucp/passwd etc; can
be dangerous on systems running uucp.
- slocate - custom input file can be specified using LOCATE_PATH;
due to almost no input validation, it's possible to
supply many different input patterns, some of them will
cause potentially exploitable SEGVs; please review this
code. Ah, forgotten, gid slocate can be used to
access slocate database in unrestricted mode (every
file in filesystem indexed, including eg. /root,
web scripts etc),
Also, I'm still surprised with number of world-writable files/directories
shipped with every RH installation. It is difficult to perform something
like:
# find / -perm -2 \! -type l -exec ls -ld {} \;
? People are very often setting up /tmp on separate partitions, with eg.
nosuid option, the same about /home, but most of them are missing _a_lot_
of these directories (some of them are even setuid, huh).
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=