[1089] in linux-security and linux-alert archive


Re: [linux-security] vulnerability in splitvt

daemon@ATHENA.MIT.EDU (Rob Hagopian)
Tue Aug 27 09:03:50 1996

In-Reply-To: <199608260132.VAA02026@shmooze.net>
Date: Mon, 26 Aug 1996 20:19:14 -0400
To: linux-security@tarsier.cv.nrao.edu
From: Rob Hagopian <hagopiar@vuser.vu.union.edu>

>There is a vulnerability in the program splitvt that is bundled
>with Linux Slackware that allows any account on the system
>that can access a C compiler to get root.

From the man page:

       splitvt  can be made set-uid root.  splitvt will reset its
       user id to that of the person running it, just  before  it
       exec()'s  the shell under the window.  The splitvt process
       remains with root permissions, and will  change  ownership
       of  the  pseudo  terminals  to  that of the person running
       splitvt, and then reset it to  root  when  the  window  is
       closed.

       SPLITVT IS NOT GUARANTEED TO BE A SAFE SET-UID PROGRAM!

       I  have  done  all  I know to keep splitvt a safely usable
       set-uid program, but I do not know everything, and am  not
       responsible  for  any  security  weaknesses  splitvt might
       possess.

I have changed our splitvt to a simple non-suid executable. This provides
almost no change in features as far as I can tell. The manual doesn't say
much about why it needs to be suid root, except for the following:

       splitvt will attempt to erase the current utmp entry,  and
       replace  it with entries for the two windows.  This allows
       you to use programs such as 'talk' within the splitvt win-
       dows.   If  you  do  not  have  write  permission  to  the
       /etc/utmp file, you will not be able to  modify  the  utmp
       entries.

As someone mentioned, we should be wary of all suid programs. This seems
more so with packages like Slackware where all sorts of programs can be
installed without the user's immediate knowledge (I didn't know we had
splitvt until I just now checked!).
Does anyone have a list of suid programs that are installed in
Redhat/Slackware? I may compile a list of ones I can find if no one has done
so already.

[REW: Adding write permission to /etc/utmp for everybody is a solution
that Sun tried. It is not secure. Having programs like splitvt and
xterm not being able to chown/chmod your ptys will not show in
the form of "reduced functionality" but in the form of "extra security
holes". In short, you won't notice until someone exploits the new holes.]

							-Rob Hagopian
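
The inventory of suid programs asked about above, the set-uid removal described for splitvt, and the moderator's point about a world-writable utmp can all be checked with a short script. This is an added example, not part of the original message or of splitvt; the function names and the --audit flag are assumptions, and /var/run/utmp is included as the usual location on later Linux systems alongside the /etc/utmp named in the man page.

```shell
#!/bin/sh
# Added example: audit set-uid/set-gid files and utmp permissions.
# Function names and the --audit flag are hypothetical, chosen for illustration.

# list_setid DIR [OWNER]: print every regular file under DIR that is owned by
# OWNER (default root) and carries the set-uid or set-gid bit. -xdev keeps the
# walk on one filesystem so network and pseudo filesystems are skipped.
list_setid() {
    dir=$1
    owner=${2:-root}
    find "$dir" -xdev -type f -user "$owner" \
        \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# drop_setid FILE: clear both bits, turning the program into an ordinary
# executable (what the message describes doing to splitvt).
drop_setid() {
    chmod u-s,g-s "$1"
}

# is_world_writable FILE: succeed if "other" has write permission on FILE.
# -prune stops find from descending if FILE happens to be a directory.
is_world_writable() {
    [ -n "$(find "$1" -prune -perm -0002 -print 2>/dev/null)" ]
}

# Run the audit only when asked:  sh audit.sh --audit [DIR]
if [ "${1:-}" = "--audit" ]; then
    echo "set-uid/set-gid files owned by root under ${2:-/}:"
    list_setid "${2:-/}" root
    for f in /etc/utmp /var/run/utmp; do
        if is_world_writable "$f"; then
            echo "WARNING: $f is world-writable"
        fi
    done
fi
```

Comparing the saved output of list_setid between runs shows when a package install has added a new set-uid program.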
