Bugtraq mailing list archives
Re: Splitvt exploit
From: saw () SAW SW COM SG (Andrey Savochkin)
Date: Fri, 16 Jun 2000 17:38:20 +0800
Hello,

On Wed, Jun 14, 2000 at 07:28:37PM -0700, Joey Hess wrote:
Note that in addition to the above fix, version 1.6.4-3 of splitvt in Debian is no longer suid root, just sgid utmp. If any further security holes are found (the program could use a thorough audit), I hope this will greatly reduce the magnitude of the exploit.

A patch for glibc systems follows, which I have already sent to the author of splitvt.
[snip]
@@ -108,6 +108,9 @@ /* Set our uid to our real uid if necessary */ (void) setuid(getuid()); + /* Same for gid (program may be setgid utmp on some + * systems). */ + (void) setgid(getgid()); /* Run the requested program, with possible leading dash. */ execvp(((*argv[0] == '-') ? argv[0]+1 : argv[0]), argv);
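Review bot: The (void) casts on setuid(getuid()) and on the added setgid(getgid()) discard the return values, so if either call fails, execvp still runs the requested program with the elevated id. Check both results and exit before the execvp on failure. The added setgid call should also move above the existing setuid call, so that the group is dropped while the process still holds whatever privilege it started with.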
I don't know what splitvt is, but shouldn't setgid go _before_ setuid call for dropping privileges?

Best regards
Andrey V. Savochkin
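The drop sequence discussed in this thread, as an added example that is not splitvt's code or part of either message: group before user, return values checked, and the ids read back before the exec. It assumes glibc and uses setresgid/setresuid in place of the patch's setgid/setuid so that the saved ids are cleared as well; `drop_privileges` and `ids_fully_dropped` are hypothetical names.

```c
#define _GNU_SOURCE           /* setresuid/setresgid on glibc */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 when effective and saved ids all equal the real ids. */
int ids_fully_dropped(void)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    return eu == ru && su == ru && eg == rg && sg == rg;
}

/* Permanently give up set-uid/set-gid privileges. 0 on success, -1 on error. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: once the uid is dropped the process is no longer
     * privileged, so any group change that needs root would fail. */
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    /* Then the uid. Setting the saved id too prevents switching back. */
    if (setresuid(ruid, ruid, ruid) != 0)
        return -1;
    /* Do not rely on the return codes alone: read the ids back. */
    return ids_fully_dropped() ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return 1;             /* never exec with leftover privileges */
    }
    execvp(argv[1], &argv[1]);
    perror("execvp");
    return 127;
}
```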