Bugtraq mailing list archives

Re: Splitvt exploit

From: saw () SAW SW COM SG (Andrey Savochkin)
Date: Fri, 16 Jun 2000 17:38:20 +0800


Hello,

On Wed, Jun 14, 2000 at 07:28:37PM -0700, Joey Hess wrote:

Note that in addition to the above fix, version 1.6.4-3 of splitvt in
Debian is no longer suid root, just sgid utmp. If any further security
holes are found (the program could use a thurough audit), I hope this
will greatly reduce the magnitude of the exploit. A patch for glibc
systems follows, which I have already sent to the author of splitvt.

[snip]

@@ -108,6 +108,9 @@

              /* Set our uid to our real uid if necessary */
              (void) setuid(getuid());
+             /* Same for gid (program may be setgid utmp on some
+              * systems). */
+             (void) setgid(getgid());
                      
              /* Run the requested program, with possible leading dash. */
              execvp(((*argv[0] == '-') ? argv[0]+1 : argv[0]), argv);


I don't know what splitvt is, but shouldn't setgid go _before_ setuid call
for dropping privileges?

Best regards
                                        Andrey V.
                                        Savochkin

Current thread:

Security Advisory: REMOTE ROOT VULNERABILITY IN GSSFTP DAEMON, (continued)
- - Security Advisory: REMOTE ROOT VULNERABILITY IN GSSFTP DAEMON Tom Yu (Jun 14)
  - Security Advisory: local ROOT exploit in BRU Technical Support (Jun 14)
  - Re: Snort 1.6 and nmap 2.54beta1 Martin Roesch (Jun 14)
- Re: Sendmail local root exploit on linux 2.2.x Mark K. Pettit (Jun 08)
- Reporting Security Issues to Microsoft Microsoft Security Response Center (Jun 08)
- Re: Sendmail local root exploit on linux 2.2.x Christophe GRENIER (Jun 08)
- arprelay: a tool to edit TCP connections in a LAN Felix von Leitner (Jun 09)
- Re: Sendmail local root exploit on linux 2.2.x Alan Iwi (Jun 12)
- Splitvt exploit syzop (Jun 14)
  - Re: Splitvt exploit Joey Hess (Jun 14)
    - Re: Splitvt exploit Andrey Savochkin (Jun 16)
    - Re: Splitvt exploit Joey Hess (Jun 16)
    - NAI WebShield SMTP does not scan base64 encoding chris.paget () ANALYSYS COM (Jun 20)
  - Re: Splitvt exploit Kris Kennaway (Jun 15)
  - Re-release of IIS 5.0 Patch for MS00-031 Microsoft Product Security (Jun 16)
  - Infosec.20000617.panda.a Ian Vitek (Jun 17)
- Reliable Software Technologies releases new e-mail virus protection software Tim Hollebeek (Jun 14)
- Microsoft Security Bulletin (MS00-041) Microsoft Product Security (Jun 14)