[12816] in bugtraq


Re: [Re: Several FreeBSD-3.3 vulnerabilities]

daemon@ATHENA.MIT.EDU (Brock Tellier)
Thu Dec 2 13:47:03 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Message-Id:  <19991201202144.12612.qmail@nwcst277.netaddress.usa.net>
Date:         Wed, 1 Dec 1999 13:21:44 MST
Reply-To: Brock Tellier <btellier@USA.NET>
From: Brock Tellier <btellier@USA.NET>
X-To:         kris@hub.freebsd.org
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit

Kris Kennaway <kris@hub.freebsd.org> wrote:
On Tue, 30 Nov 1999, Brock Tellier wrote:

>> All of the vulnerabilities discussed herein are based on my work on
>> FreeBSD 3.3-RELEASE. Each of the programs was installed with the
>> default permissions given when unpacked with sysinstall. 
>> These permissions are:
>> -rwxr-sr-x 1 bin dialer 88480 Sep 11 00:55 /usr/X11R6/bin/seyon

>This one was fixed a month ago after your last advisory. Obviously, if
>you're still using the same version of the OS you used in your initial
>advisory, it's not going to be fixed :-)

No, I mentioned that older hole but I also revealed six more that were equally
serious and presumably unpatched.  Unless your fix was to remove the suid-bit
by default, seyon would still be vulnerable.


>> -rwsr-xr-x 1 uucp bin 7780 Sep 11 05:15 /usr/X11R6/bin/xmindpath

>This one is a hole in the vendor-provided software, which wants to
>install it setuid uucp by default. With ~2800 third-party apps shipped with
>FreeBSD, we can't be held responsible for the security of all of them :-)

This is the statement I have a bit of a problem with.  Sure there are 2800
ports, but how many of these are suid/sgid?  I'm thinking *maybe* 50 that I
saw when I did a full install of 3.3-RELEASE.  Fifty apps, most of which are
small like xmindpath, isn't a ridiculous number to audit.  At LEAST auditing
them for command-line overflows and setting up a /tmp watcher.  
You may not be legally responsible, or be able to take responsibility for the
quality of the code, but when you allow a third-party to put a *suid* program
into your distribution you imply some sort of trust with the end-user
regarding its security integrity.  At least to the point that we can assume
that someone has taken the time to xmindpath -arg $BUF.  Note that this isn't
specifically directed at FreeBSD or free OS's.


>> -r-xr-sr-x 1 bin games 481794 Sep 11 01:10 /usr/X11R6/bin/angband

>This one is our fault (in the sense that installing it setgid games so it
>can write a high score file is not something the software does by
>default).

>Your advisory wasn't clear whether or not you contacted the port
>maintainers directly about these, and they were just slow off the mark,
>or if it was just security-officer@freebsd.org. Assuming the former, one way
>of expediting the process would be to send mail to the (new)
>audit@freebsd.org mailing list which has several people who will be quite
>happy to do some butt-kicking to get a response :-)

No, I contacted security-officer@freebsd.org who responded that HE had
contacted the maintainers.  That was the last I ever heard of it.  

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
btellier@usa.net
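The "how many of these are suid/sgid?" question above is answered by an inventory, not a guess. As an added example (not code from the original post or from the FreeBSD project), the POSIX shell helper below walks a tree with find(1), lists every regular file with the setuid or setgid bit set, and counts them; the demo_tree function builds a constructed scratch directory with file names borrowed from the listings in the thread so it runs offline. The function names and the scratch tree are assumptions made for this example; on a real host you would pass / as the root.

```shell
#!/bin/sh
# Added example (hypothetical helper names): inventory setuid/setgid
# regular files under a directory tree using POSIX find(1) tests.
# -perm -4000 matches files with the setuid bit set, -perm -2000 the setgid
# bit; "-perm -mode" means "all of these bits are set".
list_privileged_binaries() {
    root="$1"
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null
}

# Number of setuid/setgid files found under the given root.
count_privileged_binaries() {
    list_privileged_binaries "$1" | wc -l | tr -d ' '
}

# Constructed scratch tree for the demo; file names echo the listings in
# the thread but these are empty placeholder files, not real binaries.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    : > "$d/bin/seyon";     chmod 2755 "$d/bin/seyon"      # setgid (like the seyon listing)
    : > "$d/bin/xmindpath"; chmod 4755 "$d/bin/xmindpath"  # setuid
    : > "$d/bin/plain";     chmod 755  "$d/bin/plain"      # neither bit set
    printf '%s\n' "$d"
}

# Stand-alone run: build the scratch tree, list and count the privileged files.
if [ "${0##*/}" != "sh" ] && [ -z "$PRIV_AUDIT_NO_MAIN" ]; then
    tree=$(demo_tree)
    echo "Privileged files under $tree:"
    list_privileged_binaries "$tree"
    echo "Count: $(count_privileged_binaries "$tree")"
    rm -rf "$tree"
fi
```

Each line of the listing names an owner and group, which is exactly what a reviewer needs when deciding which of the (here, two) entries warrant a closer look at argument handling. Running the same inventory on a fresh install and again after adding ports gives a diff of what the port collection has introduced.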

