[5896] in bugtraq


Re: Vulnerability in ccdconfig

daemon@ATHENA.MIT.EDU (Warner Losh)
Wed Dec 31 01:25:17 1997

Date: Tue, 30 Dec 1997 21:28:24 -0700
Reply-To: Warner Losh <imp@VILLAGE.ORG>
From: Warner Losh <imp@VILLAGE.ORG>
X-To: Niall Smart <rotel@INDIGO.IE>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Wed, 31 Dec 1997 02:02:31 GMT." <19971231020231.1448.qmail@ginseng.indigo.ie>

-----BEGIN PGP SIGNED MESSAGE-----

In message <19971231020231.1448.qmail@ginseng.indigo.ie> Niall Smart writes:
:  * FreeBSD and NetBSD have been notified of the problem and have fixed
:    it in their source trees as of yesterday (FreeBSD-current,
:    FreeBSD-stable, NetBSD-current). Retrieve the patched ccdconfig.c
:    and compile yourself a new ccdconfig.

I want to publicly thank Niall for the responsibility he showed with
this information by privately corresponding with the FreeBSD and
(presumably) NetBSD teams on this issue.  This gave us a chance to
work up a fix, test it and make sure that the users of our systems
were covered when he released his information.

Warner

P.S.  Here are the changes that I applied to FreeBSD.  They are taken
from the OpenBSD source base, possibly with minor formatting tweaks,
and seem to represent the work of Theo de Raadt and
oliver@secnet.com.

Index: ccdconfig.c
===================================================================
RCS file: /home/imp/FreeBSD/CVS/src/sbin/ccdconfig/ccdconfig.c,v
retrieving revision 1.7
diff -u -r1.7 ccdconfig.c
- --- ccdconfig.c       1997/06/10 11:04:50     1.7
+++ ccdconfig.c 1997/12/30 05:08:24
@@ -161,6 +161,15 @@
        if (options > 1)
                usage();

+       /*
+        * Discard setgid privileges if not the running kernel so that bad
+        * guys can't print interesting stuff from kernel memory.
+        */
+       if (core != NULL || kernel != NULL || action != CCD_DUMP) {
+               setegid(getgid());
+               setgid(getgid());
+       }
+
        switch (action) {
                case CCD_CONFIG:
                case CCD_UNCONFIG:
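Review bot: the setegid()/setgid() calls in this hunk do not check their return values, so if either fails the program carries on with the setgid group privilege it was meant to discard; check both and exit on failure, e.g. `if (setegid(getgid()) != 0 || setgid(getgid()) != 0) err(1, "setgid");` (err() comes from the same <err.h> the existing warn() call already needs). The condition itself, dropping privilege whenever a non-default core or kernel file is named or the action is anything but CCD_DUMP, matches the comment above it, and it sits after option parsing as the `if (options > 1) usage();` context shows, so core, kernel and action are all final when it is evaluated.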
@@ -307,11 +316,16 @@
        char line[_POSIX2_LINE_MAX];
        char *cp, **argv;
        int argc, rval;
+       gid_t egid;

+       egid = getegid();
+       setegid(getgid());
        if ((f = fopen(ccdconf, "r")) == NULL) {
+               setegid(egid);
                warn("fopen: %s", ccdconf);
                return (1);
        }
+       setegid(egid);

        while (fgets(line, sizeof(line), f) != NULL) {
                argc = 0;
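Review bot: the reason for bracketing `fopen(ccdconf, "r")` with `setegid(getgid())` and `setegid(egid)` is not stated anywhere in this hunk, unlike the first one; add a one-line comment that the effective gid is lowered so the open is checked against the invoking user's own group rather than the setgid group, otherwise a later reader may strip the pair as redundant. As in the first hunk the setegid() return values are unchecked; at minimum the restore `setegid(egid)` should be checked, since silently continuing with the wrong effective gid defeats the purpose of the save/restore. Restoring the gid before warn() on the failure path is fine, since warn() only writes to stderr and the file was never opened.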

