[7205] in bugtraq


Re: ncurses 4.1 security bug

daemon@ATHENA.MIT.EDU (Casper Dik)
Thu Jul 9 16:34:44 1998

Date: 	Thu, 9 Jul 1998 21:27:24 +0200
Reply-To: Casper Dik <casper@HOLLAND.SUN.COM>
From: Casper Dik <casper@HOLLAND.SUN.COM>
X-To:         Duncan Simpson <dps@IO.STARGATE.CO.UK>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Tue, 07 Jul 1998 20:06:11 BST." 
              <199807071906.UAA10451@io.stargate.co.uk>

>ncurses version 4.1 fails to drop privileges before opening the
>termcap database and you can set any file(s) you like. I am not sure
>any setuid program allows an exploit but this is not good in any case.
>Here is a patch that stops that game. (Using the patch requires
>autoconf because I have not supplied diffs against the configure
>script).

It seems to me that the below fix is broken; what happens if:

    - the program already swapped uids (using setreuid(euid, ruid))?
            - you introduce a security hole
    - the program swapped using saved uids (using setreuid(-1, ruid))?
            - fine with setfsuid
            - but with saved uids, you reset the saved euid to ruid.
              (you throw away the privileges you had for good.)

Juggling with uids in the library is hard; you don't know what the
original uids were and you really have no way to find out.

>+#ifdef HAVE_SETFSUID
>+                               /* drop privs to make sure file allowed */
>+                               fsuid=setfsuid(getuid());
>+                               fsgid=setfsgid(getgid());
>+#else
>+                               fsuid=getuid();
>+                               fsgid=getgid();
>+#ifdef HAVE_SETREUID
>+                               /* Swap real and effective uid */
>+                               setreuid(geteuid(), getuid());
>+                               serregid(getegid(), getgid());
>+#else
>+                               seteuid(getuid()); /* Saved ids or broken */
>+                               setegid(getgid());
>+#endif /* HAVE_SETREUID */
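Review bot: `serregid(getegid(), getgid());` in the HAVE_SETREUID branch is a typo for setregid, so that branch does not compile as posted and the gid half of the swap has never run. The larger problem is that both branches assume the caller still holds its original real/effective split: after a program has already done setreuid(euid, ruid), `setreuid(geteuid(), getuid())` swaps it straight back and the termcap database is opened with the privileged uid; after a program has dropped with setreuid(-1, ruid) and kept root only in the saved uid, the same call sets the real uid and therefore resets the saved uid to ruid, losing the privilege for good. The return values of setfsuid/setfsgid and setreuid/setregid are also discarded, so a failed call silently leaves the open running with whatever uid was in effect. Suggest checking every return value and failing closed, and documenting (or making the caller opt into) the assumption that the process has not touched its uids, since the library has no way to recover the original ones.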

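The two failure modes in the reply above, as an added example that is not part of the mail or of the ncurses patch: a toy model of a process's real, effective, saved and filesystem uids, with setreuid(2)/setfsuid(2) rules taken from the Linux man pages (an assumption; the mail does not spell them out) and constructed uids 1000 (invoking user) and 0 (setuid target). The `caller_*` functions replay each scenario and return the resulting credentials, so the uid the termcap open would run with, and whether root is still regainable, can be read off directly.

```c
/* Added example: model of uid juggling, not code from ncurses or the patch.
 * setreuid/setfsuid rules follow the Linux man pages (assumption); uids 1000/0
 * are constructed sample values. */
#include <stdbool.h>
#include <stdio.h>

typedef struct {
    int ruid, euid, suid, fsuid;   /* real, effective, saved, filesystem uid */
} creds;

/* setreuid(2) model: unprivileged callers may set ruid to {ruid,euid} and euid
 * to {ruid,euid,suid}; the saved uid follows the new euid whenever ruid is set
 * or euid moves away from the old ruid; Linux also resets fsuid to euid. */
static int model_setreuid(creds *c, int ruid, int euid)
{
    bool priv = (c->euid == 0);
    int old_ruid = c->ruid;

    if (!priv && ruid != -1 && ruid != c->ruid && ruid != c->euid)
        return -1;
    if (!priv && euid != -1 && euid != c->ruid && euid != c->euid && euid != c->suid)
        return -1;
    if (ruid != -1)
        c->ruid = ruid;
    if (euid != -1)
        c->euid = euid;
    if (ruid != -1 || (euid != -1 && euid != old_ruid))
        c->suid = c->euid;
    c->fsuid = c->euid;
    return 0;
}

/* setfsuid(2) model: only the uid used for filesystem checks changes, so the
 * saved uid (and the ability to regain root) is untouched. Returns old fsuid. */
static int model_setfsuid(creds *c, int fsuid)
{
    int old = c->fsuid;
    if (c->euid == 0 || fsuid == c->ruid || fsuid == c->euid ||
        fsuid == c->suid || fsuid == c->fsuid)
        c->fsuid = fsuid;
    return old;
}

/* The patch's two paths, expressed against the model. */
static void lib_swap_setreuid(creds *c) { model_setreuid(c, c->euid, c->ruid); }
static void lib_drop_setfsuid(creds *c) { model_setfsuid(c, c->ruid); }

/* Can the process still legally get back to uid 0? */
static bool can_regain_root(creds c)
{
    return c.ruid == 0 || c.euid == 0 || c.suid == 0;
}

/* Setuid-root binary just exec'd by uid 1000: the state the patch assumes. */
static creds fresh_setuid_root(void)
{
    creds c = { 1000, 0, 0, 0 };
    return c;
}

/* Case 1 in the mail: the program already swapped with setreuid(euid, ruid);
 * the library swaps again and opens the termcap database with euid/fsuid 0. */
static creds caller_swapped_then_lib_setreuid(void)
{
    creds c = fresh_setuid_root();
    model_setreuid(&c, c.euid, c.ruid);   /* program: ruid=0, euid=1000 */
    lib_swap_setreuid(&c);                /* library: swaps straight back */
    return c;
}

/* Case 2 in the mail: the program dropped with setreuid(-1, ruid), keeping root
 * in the saved uid; the library's setreuid sets ruid and so overwrites it. */
static creds caller_saved_then_lib_setreuid(void)
{
    creds c = fresh_setuid_root();
    model_setreuid(&c, -1, c.ruid);       /* program: euid=1000, suid still 0 */
    lib_swap_setreuid(&c);                /* library: ruid set -> suid := 1000 */
    return c;
}

/* Same caller state, but the library uses setfsuid: the saved uid survives. */
static creds caller_saved_then_lib_setfsuid(void)
{
    creds c = fresh_setuid_root();
    model_setreuid(&c, -1, c.ruid);
    lib_drop_setfsuid(&c);
    return c;
}

static void show(const char *label, creds c)
{
    printf("%-42s ruid=%d euid=%d suid=%d fsuid=%d regain_root=%s\n", label,
           c.ruid, c.euid, c.suid, c.fsuid, can_regain_root(c) ? "yes" : "no");
}

int main(void)
{
    creds fresh = fresh_setuid_root();
    lib_swap_setreuid(&fresh);
    show("fresh process, library setreuid swap", fresh);
    show("caller swapped, library setreuid swap", caller_swapped_then_lib_setreuid());
    show("caller used saved uid, library setreuid", caller_saved_then_lib_setreuid());
    show("caller used saved uid, library setfsuid", caller_saved_then_lib_setfsuid());
    return 0;
}
```

Only the first row opens the file as uid 1000 with root still regainable; the second opens it as root, and the third ends with ruid, euid and saved uid all 1000, which is the "thrown away for good" outcome. The setfsuid row shows why the reply calls that path fine: fsuid drops to 1000 while the saved uid stays 0.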