Bugtraq mailing list archives
asciiSECURE advisory (2002-07-17/1)
From: lumpy <lumpy () the whole net>
Date: Wed, 17 Jul 2002 13:31:10 -0400 (EDT)
____________________________________________________________________________
ASCII HEADER ADVISORY !! ALERT !! ASCII HEADER ADVISORY !! ALERT !! ASCII HE
:::::::: ADDIUNG A POORLY GENERATED ASCII HEADERZ FOR BUGTACKY READERZAAZSZ!
:::::apparentlytheonlywaytogetamessageacceptedonbugtraqistodothis:::::::::::
:::GREETZ2MOIher0z...mali/malificient/the mali amazing san fran treat:::::::
____________________________________________________________________________
Summary: The BSDs, and even SUSE, have been warned of this problem,
but for some reason they decided to ignore it and act like it
wasn't worth fixing. Well, that's cool and all, unless you actually
care about your system being able to do such basic features as:
+ BACK UP DATA USING 'dump'
+ USE SEVERAL MODEM-BASED PROGRAMS USING 'tip'
Any system user using 'flock()' can prevent the above features
from working.
____________________________________________________________________________
Vulnerable OSes:
ALL RELEASED VERSIONS OF:
+ OpenBSD (SEQUOORITY CONSCIENCESSOUS OPERATING
SYSTEM THAT DISREGARDS LOCAL SECURITY!)
+ FreeBSD
+ NetBSD
+ SUSE Linoocks
(All have been notified, and none have provided
suitable responses indicating fixes that will
be implemented. If they have gotten around to
fixing it in the window between then and now,
shame on them for not contacting us back and
letting us know. We have a tight schedule at
WENDY'S, yo. DAIRYFR33Z3 MANG)
____________________________________________________________________________
Creditz: Dead M1ke, the amazing wonder c0w, and Maynard the Public Works CSR
____________________________________________________________________________
Explanation:
[SNIPPETS TO MAKE ME SOUND MORE BELIEVABLE!!$!$]
----------------------------------
(void) flock(fileno(df), LOCK_SH);  /* blocking shared lock; sleeps as long as any other holder has LOCK_EX */
readdumptimes(df);                  /* not reached until the lock is obtained */
(void) fclose(df);
----------------------------------
The application 'dump' is used by system
administrators to back up filesystems. If your system
gets compromised, it's generally nice to have backups,
but ANY USER can stop dump from being able to run simply
by flock()ing the /etc/dumpdates file.
It has been said before that flock security holes
are 'unlikely' and 'easy to track down', but this was only
said in reference to a small-minded view of the method of
attack. A clever system penetrator would definitely be
able to use this to their advantage, especially as a
'nobody' user run out of a web server. That's just one
simple example, but if you're creative you could think of
more.
Perhaps you don't use dump, but you do use an
application that uses 'tip' to communicate with a serial
device. Do you use it for notification? I wouldn't on
BSD or Linux, and here's why: if 'ACCULOG' is flocked
(generally /var/log/acculog), it will freeze dead in its
tracks too.
There are more instances of questionable uses of
flock()ing, but since we can't even get these ones fixed,
it's hard to imagine they would be worth writing about.
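Added example, not code from the advisory or from dump's source: the snippet above
blocks indefinitely because flock() is called without LOCK_NB. The program below shows
the defensive pattern a consumer of a shared file like /etc/dumpdates can use instead,
polling with LOCK_SH | LOCK_NB and giving up after a bounded wait so a lock held by
somebody else turns into a reportable error rather than a hang. The function names
try_shared_lock and run_demo, the timeout values, and the temporary file standing in
for /etc/dumpdates are all assumptions of this example; it assumes a BSD-style flock()
as found on the BSDs and Linux.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <time.h>
#include <unistd.h>

/* Return values of try_shared_lock() other than a valid file descriptor. */
enum { LOCK_TIMEOUT = -1, LOCK_ERROR = -2 };

static void sleep_ms(long ms)
{
    struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}

/*
 * Open `path` read-only and try to take a shared flock() on it without
 * ever blocking: LOCK_NB makes a contended call fail with EWOULDBLOCK,
 * and we retry in small steps until `timeout_ms` has elapsed.
 * Returns the locked fd (>= 0) on success, LOCK_TIMEOUT if another
 * holder kept the lock for the whole window, LOCK_ERROR otherwise
 * (errno is preserved for the caller in both failure cases).
 */
int try_shared_lock(const char *path, long timeout_ms)
{
    const long step_ms = 25;
    long waited_ms = 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return LOCK_ERROR;

    for (;;) {
        if (flock(fd, LOCK_SH | LOCK_NB) == 0)
            return fd;                          /* lock acquired */
        if (errno != EWOULDBLOCK) {             /* real error, not contention */
            int saved = errno;
            close(fd);
            errno = saved;
            return LOCK_ERROR;
        }
        if (waited_ms >= timeout_ms) {          /* still held by someone else */
            close(fd);
            errno = EWOULDBLOCK;
            return LOCK_TIMEOUT;
        }
        sleep_ms(step_ms);
        waited_ms += step_ms;
    }
}

/*
 * Reproduce the advisory's situation on a constructed temporary file
 * (a stand-in for /etc/dumpdates): a second open file description holds
 * an exclusive lock, the reader gives up after 200 ms instead of hanging,
 * and once the holder releases, the shared lock succeeds.
 * Returns 0 when exactly that sequence is observed, 1 otherwise.
 */
int run_demo(void)
{
    char path[] = "/tmp/dumpdates-demo-XXXXXX";   /* constructed path */
    int holder, fd, result = 1;

    holder = mkstemp(path);
    if (holder < 0)
        return 1;
    if (flock(holder, LOCK_EX) == 0) {          /* step 1: someone holds LOCK_EX */
        fd = try_shared_lock(path, 200);        /* step 2: bounded wait, no hang */
        if (fd == LOCK_TIMEOUT) {
            flock(holder, LOCK_UN);             /* step 3: holder lets go */
            fd = try_shared_lock(path, 200);
            if (fd >= 0) {
                close(fd);
                result = 0;
            }
        } else if (fd >= 0) {
            close(fd);
        }
    }
    close(holder);
    unlink(path);
    return result;
}

int main(void)
{
    int rc = run_demo();
    printf("%s\n", rc == 0 ? "contended lock detected, then acquired after release"
                           : "unexpected locking behaviour");
    return rc;
}
```

The bounded wait only converts the hang into a logged failure; it does not stop the
lock from being taken. Since flock() needs an open descriptor, whoever can open the
file can lock it, so the companion fix is to make sure files the backup path depends on
are not openable by unprivileged users.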
____________________________________________________________________________
Exploit:
If you're using FreeBSD, you simply use the /usr/bin/lockf
command. Other people can compile that... grab it off of
http://www.freebsd.org/.
That's all you need, and you can do really bad things on
a system...
HOWEVER -- it seems bugtraq is all about no-name CGIs from
Russia that have poor Perl mistakes and are exploitable on
all of 3 servers in the world, so maybe you won't see this
warning. SUCKS TO BE YOU I GUESS.
____________________________________________________________________________
PEACE
____________________________________________________________________________