[535] in Best-of-Security
BoS: Vulnerability in ccdconfig
daemon@ATHENA.MIT.EDU (Niall Smart)
Sun Jan 18 04:49:19 1998
Date: Wed, 31 Dec 1997 02:02:31 +0000
Reply-To: Niall Smart <rotel@INDIGO.IE>
From: Niall Smart <rotel@INDIGO.IE>
Old-X-Originally-To: To: BUGTRAQ@NETSPACE.ORG

Hi,

FreeBSD and NetBSD's ccdconfig doesn't do proper checking of the
argument to -f:

    [nsmart@ginseng ~]$ ccdconfig -U -f /dev/mem 2>&1 | strings | grep Charlie
    root:iDeLeTeDiT:0:0::0:0:Charlie: No such file or directory
    ^C

I had to cat /etc/master.passwd in another window to get this to
work though :) So perhaps it's not very easily exploitable, but
is worth fixing nonetheless.

This bug was also spotted by olivier@secnet.com and fixed in OpenBSD
some time ago.

Fixes:

* FreeBSD and NetBSD have been notified of the problem and have fixed
  it in their source trees as of yesterday (FreeBSD-current,
  FreeBSD-stable, NetBSD-current). Retrieve the patched ccdconfig.c
  and compile yourself a new ccdconfig.
* "chmod g-s /sbin/ccdconfig". I can't think of any reason for it to be
  sgid kmem.

Regards,
Niall
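
The message above describes a setgid-kmem program opening a user-supplied -f path with its elevated group. As an added illustration (not part of the original post, and not the FreeBSD, NetBSD or OpenBSD patch), the C code below opens such a path under the caller's real gid and accepts regular files only; `open_user_config` and `config_checks` are hypothetical names, and the regular-file check is an extra assumption beyond the privilege drop.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open the -f argument with the invoking user's real
 * gid instead of the setgid (kmem) effective gid; regular files only. */
FILE *open_user_config(const char *path)
{
    gid_t saved = getegid();
    struct stat st;
    int fd, err;
    if (setegid(getgid()) != 0)             /* drop kmem before touching path */
        return NULL;
    fd = open(path, O_RDONLY | O_NONBLOCK); /* O_NONBLOCK: never hang on a FIFO */
    err = errno;
    if (setegid(saved) != 0) {              /* regain kmem for later device access */
        if (fd >= 0) close(fd);
        return NULL;
    }
    if (fd < 0) { errno = err; return NULL; }
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);                          /* /dev/mem, FIFOs, directories ... */
        errno = EINVAL;
        return NULL;
    }
    return fdopen(fd, "r");
}

/* Constructed self-check: returns the number of expectations met (3). */
int config_checks(void)
{
    char tmpl[] = "/tmp/ccdconfXXXXXX";     /* constructed sample config file */
    gid_t before = getegid();
    int ok = 0, fd = mkstemp(tmpl);
    FILE *f;
    if (fd < 0) return -1;
    close(fd);
    if ((f = open_user_config(tmpl)) != NULL) { ok++; fclose(f); }
    unlink(tmpl);
    if (open_user_config("/dev/null") == NULL) ok++;  /* device node refused */
    if (getegid() == before) ok++;          /* effective gid restored for caller */
    return ok;
}

int main(void) { printf("%d of 3 checks passed\n", config_checks()); return 0; }
```

With the effective gid dropped during open(), an unprivileged caller naming /dev/mem gets the same permission error they would get from cat, so nothing privileged reaches the parser's error messages.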