Bugtraq mailing list archives

Re: Vulnerability in ccdconfig


From: imp () VILLAGE ORG (Warner Losh)
Date: Tue, 30 Dec 1997 21:28:24 -0700


-----BEGIN PGP SIGNED MESSAGE-----

In message <19971231020231.1448.qmail () ginseng indigo ie> Niall Smart writes:
:  * FreeBSD and NetBSD have been notified of the problem and have fixed
:    it in their source trees as of yesterday (FreeBSD-current,
:    FreeBSD-stable, NetBSD-current).  Retrieve the patched ccdconfig.c
:    and compile yourself a new ccdconfig.

I want to publicly thank Niall for the responsibility he showed with
this information by privately corresponding with the FreeBSD and
(presumably) NetBSD teams on this issue.  This gave us a chance to
work up a fix, test it and make sure that the users of our systems
were covered when he released his information.

Warner

P.S.  Here are the changes that I applied to FreeBSD.  They are taken
from the OpenBSD source base, possibly with minor formatting tweaks,
and seem to represent the work of Theo de Raadt and
oliver () secnet com.

Index: ccdconfig.c
===================================================================
RCS file: /home/imp/FreeBSD/CVS/src/sbin/ccdconfig/ccdconfig.c,v
retrieving revision 1.7
diff -u -r1.7 ccdconfig.c
- --- ccdconfig.c       1997/06/10 11:04:50     1.7
+++ ccdconfig.c 1997/12/30 05:08:24
@@ -161,6 +161,15 @@
        if (options > 1)
                usage();

+       /*
+        * Discard setgid privileges if not the running kernel so that bad
+        * guys can't print interesting stuff from kernel memory.
+        */
+       if (core != NULL || kernel != NULL || action != CCD_DUMP) {
+               setegid(getgid());
+               setgid(getgid());
+       }
+
        switch (action) {
                case CCD_CONFIG:
                case CCD_UNCONFIG:
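Review bot: the return values of `setegid(getgid());` and `setgid(getgid());` are ignored, so if either call fails the program carries on with group kmem still effective on exactly the config/unconfig paths this block is meant to protect. Check both results and bail out, e.g. `if (setgid(getgid()) != 0) err(1, "setgid");`, and it is cheap to verify the drop afterwards with `getegid() == getgid()` before falling into the switch. The condition itself reads correctly: privileges are retained only for a dump of the running kernel (`action == CCD_DUMP` with both `core` and `kernel` NULL), which is the one case that legitimately needs kmem access.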
@@ -307,11 +316,16 @@
        char line[_POSIX2_LINE_MAX];
        char *cp, **argv;
        int argc, rval;
+       gid_t egid;

+       egid = getegid();
+       setegid(getgid());
        if ((f = fopen(ccdconf, "r")) == NULL) {
+               setegid(egid);
                warn("fopen: %s", ccdconf);
                return (1);
        }
+       setegid(egid);

        while (fgets(line, sizeof(line), f) != NULL) {
                argc = 0;
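Review bot: the `setegid(getgid());` before the `fopen(ccdconf, "r")` is also unchecked; if it fails, the fopen() runs with the kmem gid and a user-supplied config path could open a group-kmem-readable file, which is what this temporary drop exists to prevent. Check the result and err out rather than fall through, and restore `egid` only after confirming the open happened under the real gid. Given the earlier hunk already drops setgid permanently for every action other than CCD_DUMP, a comment saying whether this function is reachable from the dump path would help reviewers decide whether the save/restore of `egid` is needed at all or is defence in depth.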

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBNKnJ59xynu/2qPVhAQG4OgP/Tg4p+NPEwxH2pxIRCUYsnDABqTaJEpgq
2LxYiaRGaoCsF/QnHb/vSTehUcSh8OJ/AERY5fPRKC2b/LiIpX9bKp0yMHBTqZ1Z
cfCT30K0lW9ODz1eUHw2fol2tieqaIszAFrMNuVeUY+N8JwhJ5GTVTfuqleZ2TKL
71goCAxTvQc=
=mdrd
-----END PGP SIGNATURE-----
