Bugtraq mailing list archives
Re: Vulnerability in ccdconfig
From: imp () VILLAGE ORG (Warner Losh)
Date: Tue, 30 Dec 1997 21:28:24 -0700
In message <19971231020231.1448.qmail () ginseng indigo ie> Niall Smart writes:
: * FreeBSD and NetBSD have been notified of the problem and have fixed
:   it in their source trees as of yesterday (FreeBSD-current,
:   FreeBSD-stable, NetBSD-current) Retrieve the patched ccdconfig.c
:   and compile yourself a new ccdconfig.

I want to publicly thank Niall for the responsibility he showed with this information by privately corresponding with the FreeBSD and (presumably) NetBSD teams on this issue. This gave us a chance to work up a fix, test it and make sure that the users of our systems were covered when he released his information.

Warner

P.S. Here are the changes that I applied to FreeBSD. They are taken from the OpenBSD source base, possibly with minor formatting tweaks, and seem to represent the work of Theo de Raadt and oliver () secnet com.

Index: ccdconfig.c =================================================================== RCS file: /home/imp/FreeBSD/CVS/src/sbin/ccdconfig/ccdconfig.c,v retrieving revision 1.7 diff -u -r1.7 ccdconfig.c - --- ccdconfig.c 1997/06/10 11:04:50 1.7 +++ ccdconfig.c 1997/12/30 05:08:24 @@ -161,6 +161,15 @@ if (options > 1) usage(); + /* + * Discard setgid privileges if not the running kernel so that bad + * guys can't print interesting stuff from kernel memory. + */ + if (core != NULL || kernel != NULL || action != CCD_DUMP) { + setegid(getgid()); + setgid(getgid()); + } + switch (action) { case CCD_CONFIG: case CCD_UNCONFIG: 
@@ -307,11 +316,16 @@ char line[_POSIX2_LINE_MAX]; char *cp, **argv; int argc, rval; + gid_t egid; + egid = getegid(); + setegid(getgid()); if ((f = fopen(ccdconf, "r")) == NULL) { + setegid(egid); warn("fopen: %s", ccdconf); return (1); } + setegid(egid); while (fgets(line, sizeof(line), f) != NULL) { argc = 0;
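
Review bot: in the hunk at -161, the results of setegid(getgid()) and setgid(getgid()) in the new block ahead of switch (action) are never checked, so if either call fails ccdconfig carries on with the setgid privilege the block is meant to discard. Suggest failing closed, for example if (setgid(getgid()) != 0) err(1, "setgid"); and the same for setegid. The comment also says "if not the running kernel", while the condition drops privileges for every action other than CCD_DUMP as well; rewording the comment to cover both cases would make the intent clear.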
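
Review bot: in the hunk at -307, setegid(getgid()) immediately before fopen(ccdconf, "r") is unchecked, so if it fails the file named by ccdconf is still opened with the setgid effective group, which is exactly what the temporary drop is there to prevent; check the result and return before the fopen on failure. In the failure branch, setegid(egid) runs before warn("fopen: %s", ccdconf), and warn reports errno, so a failing restore would replace the fopen error in the message; call warn first or save and restore errno around the setegid. The final setegid(egid) is likewise unchecked, which would leave the rest of the function running without the group it expects.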