Bugtraq mailing list archives
Re: Potential security problem with mtr
From: lamont () SECURITY HP COM (LaMont Jones)
Date: Fri, 3 Mar 2000 13:12:24 -0700
Since the saved uid survives across fork() and exec(), any buffer overrun or similar bug in mtr is just as bad as if mtr had never done the seteuid() at all.
Saved-uid should get dropped on exec(), shouldn't it?
The mtr code uses setuid() on HPUX, which according to the comments in the mtr code doesn't have the seteuid() call. It does seteuid() on all other systems though. It is unclear why the mtr authors favoured seteuid() before setuid() on platforms that have it.
Just FYI, HP-UX has setresuid() which allows you to change any of the 3. Hence, seteuid() could be written (since days long gone by) as 'setresuid(-1,uid,-1)'. Now, as to _why_ they chose to add a setregid() system call, instead of making it a libc stub to setresgid(), I still don't understand...

lamont
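The difference between the two kinds of drop discussed in this message, as an added example that is not part of the original post or of mtr's code: `drop_temporarily()` is the `setresuid(-1,uid,-1)` spelling of seteuid() and leaves the saved uid in place, while `drop_permanently()` sets all three ids and verifies the result. The function names are hypothetical, and a Linux/glibc system (or another platform with setresuid()/getresuid()) is assumed.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Non-POSIX calls; glibc declares them only under _GNU_SOURCE, so they are
 * declared here to keep the example independent of feature-test macros. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setresuid(uid_t ruid, uid_t euid, uid_t suid);

/* Pure check on a (real, effective, saved) triple: 1 if a process holding
 * these ids can still change its effective uid, 0 if the ids are pinned
 * (all equal and non-root; assumes no CAP_SETUID). */
int ids_recoverable(uid_t r, uid_t e, uid_t s)
{
    return e == 0 || r != e || s != e;
}

/* Temporary drop, spelled as in the message: only the effective uid moves. */
int drop_temporarily(uid_t uid)
{
    return setresuid((uid_t)-1, uid, (uid_t)-1);
}

/* Permanent drop: set all three ids, read them back, fail closed on any
 * mismatch. Group ids need the same treatment first (not shown). */
int drop_permanently(uid_t uid)
{
    uid_t r, e, s;
    if (setresuid(uid, uid, uid) != 0 || getresuid(&r, &e, &s) != 0)
        return -1;
    return (r == uid && e == uid && s == uid) ? 0 : -1;
}

static void show(const char *when)
{
    uid_t r = 0, e = 0, s = 0;
    getresuid(&r, &e, &s);
    printf("%-10s r=%ld e=%ld s=%ld recoverable=%d\n", when,
           (long)r, (long)e, (long)s, ids_recoverable(r, e, s));
}

int main(void)
{
    show("start");
    if (drop_temporarily(getuid()) != 0) { perror("temporary drop"); return 1; }
    show("seteuid");   /* in a setuid-root binary: saved uid is still 0 */
    if (drop_permanently(getuid()) != 0) { perror("permanent drop"); return 1; }
    show("setresuid");
    return 0;
}
```

Run from an ordinary account, all three lines report identical ids; installed setuid-root in a test environment, the middle line shows the saved uid still at 0 after the temporary drop.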