[20718] in bugtraq
Re: dqs 3.2.7 local root exploit.
daemon@ATHENA.MIT.EDU (Roman Drahtmueller)
Sat May 19 15:55:05 2001
Date: Sat, 19 May 2001 05:26:40 +0200 (MEST)
From: Roman Drahtmueller <draht@suse.de>
Reply-To: Roman Drahtmueller <draht@suse.de>
To: <bugtraq@securityfocus.com>
In-Reply-To: <20010519000911.4356.qmail@securityfocus.com>
Message-ID: <ENOCOKE.draht.silence.0101051905112599024188505005-100000@suse>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit

> DESCRIPTION:
> I found a buffer overflow vulnerability on the /usr/bin/dsh (dqs 3.2.7
> package).
>
> I really don't know if this bug was discovered already. If that's right,
> then sorry =).

No, this is yet unknown to security@suse.de.

> If a long line on the first argument is given, the program gives a SIGSEGV
> signal.
>
> This bug was reported to Drake Diedrich, Maintainer for dqs
> (Drake.Diedrich@anu.edu.adu).
>
> AFFECTED:
> SuSE 6.3, 6.4, 7.0 have the dqs 3.2.7 by default and then they are vulnerable,
> maybe others.

I confirm this vulnerability and that dqs has the setuid bit on the file
/usr/bin/dsh, but the package (as a package in the clustering series) is
not installed by default.

The fix (to remove the suid bit) is correct. If you have selected to set
the variable PERMISSION_SECURITY in /etc/rc.config to "secure local" in
SuSE-7.1 (recommended for security-enhanced settings), you are not
vulnerable. On SuSE-7.1, in addition to the chmod command below, change
the files /etc/permissions.*, too, to reflect the removed suid bit.

If you do not need the dqs package, simply remove it using the command

    rpm -e dqs

Of course, we will provide update packages as soon as possible.

> FIX:
> Remove the SUID permission
> |root@netdex /root|# ls -la /usr/bin/dsh
> -rwsr-xr-x 1 root root 502748 May 18 00:36 /usr/bin/dsh
> |root@netdex /root|# chmod -s /usr/bin/dsh
> |root@netdex /root|# ls -la /usr/bin/dsh
> -rwxr-xr-x 1 root root 502748 May 18

Regards,
Roman Drahtmüller,
SuSE Security.
--
 -                                                                     -
| Roman Drahtmüller <draht@suse.de>          "Caution: Cape does not    |
  SuSE GmbH - Security                        enable user to fly."
| Nürnberg, Germany                     (Batman Costume warning label)  |
 -                                                                     -
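
The cleanup described in the reply above (clear the bit with chmod and make the /etc/permissions.* files agree with it) can be checked with a small audit script. This is an added example, not part of the original message or of SuSE's tooling; the entry format `<path> <owner.group> <mode>` and all function names are assumptions.

```shell
#!/bin/sh
# Added example. Assumed entry format: <path> <owner.group> <octal mode>
# Usage: audit_suid_removed /usr/bin/dsh /etc/permissions /etc/permissions.*

# Print "file:mode" for every entry for path $1 in the given permissions
# files whose mode still carries setuid (4000) or setgid (2000).
suid_entries() {
    target=$1; shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v t="$target" -v f="$f" '
            /^[ \t]*#/ || NF < 3 { next }   # comments, blank or short lines
            $1 == t {
                m = $3
                # special-bits digit is the 4th octal digit from the right
                s = (length(m) >= 4) ? substr(m, length(m) - 3, 1) + 0 : 0
                if (s >= 2) print f ":" m   # 2..7 means setgid and/or setuid
            }' "$f"
    done
}

# True if the file on disk has the setuid or setgid bit.
has_suid_bit() {
    [ -u "$1" ] || [ -g "$1" ]
}

# Exit status 0 only when neither the file nor any listed entry keeps the bit.
audit_suid_removed() {
    target=$1; shift
    status=0
    if has_suid_bit "$target"; then
        echo "FILE  $target still has setuid/setgid set"
        status=1
    fi
    entries=$(suid_entries "$target" "$@")
    if [ -n "$entries" ]; then
        echo "$entries" | sed 's/^/ENTRY /'
        status=1
    fi
    return $status
}
```

An ENTRY line means a later permissions run could put the bit back on the binary even though chmod has already cleared it.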