Bugtraq mailing list archives
Re: [Stan Bubrouski <satan () FASTDIAL NET>: Re: rh 6.2 - gidcompromises, etc [+ MORE!!!]]
From: fdc () COLUMBIA EDU (Frank da Cruz)
Date: Sat, 24 Jun 2000 15:41:05 EDT
It should be noted the program does not run suid or sgid except the following places: 1. When opening the SET LINE device. 2. When creating the UUCP lockfile. 3. When reading a UUCP lockfile. 4. When deleting the UUCP lockfile.This is probably old hat to many in the bugtraq crowd, but it bears repeating. Temporarily dropping your raised permissions does not offer ANY real protection against buffer overruns. The malicious shell code can do that set[ug]id() syscall just as well as you can. Many exploits have been written to do this.
Fair enough. Although this begs the question of why dialout programs have to be privileged in the first place, which has been my pet Unix peeve for, well, forever. Other operating systems manage perfectly well without all the lockfile silliness, and even manage to share serial ports between dialin and dialout service -- it's all done with modem signals and kernel code. A Unix-like example is QNX. A non-Unix-like example is VMS. A Unix version that's moving in this direction is FreeBSD. For a longer rant on this topic, see Section 10 of: ftp://kermit.columbia.edu/kermit/f/ckuins.txt In any case, even with a successful buffer exploit that executes its own set[ug]id() call, the most to be gained is access to the dialout device and lockfile directory, which is not exactly a Chernobyl-class catastrophe. Anyway, special thanks to those who told me about plp_[v]snprintf(); I didn't know about it before and it looks very promising. Finally, I'd like to get the idea across to everybody that C-Kermit is vigorously and aggressively supported. Anybody who has a problem with it is welcome, and in fact requested, to contact kermit-support () columbia edu about it. We'll probably be issuing a 7.1 version fairly soon. - Frank
Current thread:
- Re: [Stan Bubrouski <satan () FASTDIAL NET>: Re: rh 6.2 - gidcompromises, etc [+ MORE!!!]] Frank da Cruz (Jun 23)
- Possible root exploit in ISC DHCP client. Ted Lemon (Jun 24)
- Re: Possible root exploit in ISC DHCP client. Security (Jun 28)
- Re: [Stan Bubrouski <satan () FASTDIAL NET>: Re: rh 6.2 - gidcompromises, etc [+ MORE!!!]] Mitchell Blank Jr (Jun 24)
- <Possible follow-ups>
- Re: [Stan Bubrouski <satan () FASTDIAL NET>: Re: rh 6.2 - gidcompromises, etc [+ MORE!!!]] Frank da Cruz (Jun 24)
- Re: [Stan Bubrouski <satan () FASTDIAL NET>: Re: rh 6.2 - gidcompromises, etc [+ MORE!!!]] Stan Bubrouski (Jun 24)
- Proxy+ Telnet Gateway Problems Andrew Lewis (Jun 26)
- BOA Webserver local path problem Ian Shaughnessy (Jun 27)
- Possible root exploit in ISC DHCP client. Ted Lemon (Jun 24)