Bugtraq mailing list archives
Re: ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight
From: viktor () DTEK CHALMERS SE (Viktor Fougstedt)
Date: Wed, 7 Apr 1999 20:00:33 +0200
On Tue, 6 Apr 1999, Stefan Rompf wrote:
> > Exploited overflow in ipop3d could be used to gain superuser access (the only thing done by ipop3d is setuid+setgid, no seteuid/setreuid).
>
> Fortunately, you are wrong here. Quoting from the Solaris' setuid() manpage:
>
> If the effective user ID of the process calling setuid() is the super-user, the real, effective, and saved user IDs are set to the uid parameter.
You make an important point. In fact I have several times seen the opposite problem to what the original poster suggested. Some programs running setuid root only do a seteuid(), which does not touch the saved-user-id. The programmers have done this in the belief that it drops all root privileges (the programs did not need to re-acquire privileges at a later time, and the comments in the code suggested that the call's intention was to get rid of all privileges). These programs should probably do a setuid() instead, which affects saved-user-id as well.

This problem isn't huge, you might say, because whenever you do a fork() or similar, the saved-user-id should be reset. But if you can take control of the application via a buffer overflow or the like, and saved-user-id is root, then you have no problem getting the root privileges back before doing a fork().

Just my $.02 worth.

/Viktor...

--| Viktor Fougstedt, system administrator at dtek.chalmers.se |--
--| http://www.dtek.chalmers.se/~viktor/ |--
--| ...soon we'll be sliding down the razor blade of life. /Tom Lehrer |--
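An added illustration of the distinction discussed in this thread (not code from the original posts or from ipop3d): a seteuid()-only "drop" beside a setuid() drop, a getresuid() check that real, effective and saved uid all changed, and a self-test that seteuid(0) now fails. It assumes Linux/glibc, where getresuid() is a GNU extension; run unprivileged it verifies the drop against the caller's own uid.

```c
#define _GNU_SOURCE          /* getresuid() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 when real, effective AND saved uid all equal `uid`.
 * After a seteuid()-only drop from root, saved uid stays 0 -> returns 0. */
int privs_fully_dropped(uid_t uid)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0)
        return 0;
    return r == uid && e == uid && s == uid;
}

/* The pattern the post warns about: only the effective uid changes;
 * the saved uid, and with it the ability to seteuid(0) later, remains. */
int weak_drop(uid_t uid)
{
    return seteuid(uid);
}

/* Permanent drop: supplementary groups (root only), then gid, then uid.
 * setuid() called with euid 0 sets real, effective and saved uid. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return privs_fully_dropped(uid) ? 0 : -1;
}

/* Post-drop self-check: 1 if seteuid(0) succeeds (drop was incomplete),
 * 0 if the kernel refuses it. */
int can_regain_root(void)
{
    if (seteuid(0) == 0)
        return 1;
    return 0;
}

int main(void)
{
    uid_t uid = getuid();
    if (drop_privileges(uid, getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("fully dropped: %d, can regain root: %d\n",
           privs_fully_dropped(uid), can_regain_root());
    return 0;
}
```

Run it as a setuid-root binary (or under sudo with the target uid passed in) to see weak_drop() leave can_regain_root() at 1 while drop_privileges() brings it to 0.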