[9624] in bugtraq
Re: [HERT] Advisory #002 Buffer overflow in lsof
daemon@ATHENA.MIT.EDU (Vic Abell)
Thu Feb 18 11:20:39 1999
Date: Thu, 18 Feb 1999 07:10:47 -0500
Reply-To: abe@purdue.edu
From: Vic Abell <abe@PURDUE.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19990218013035.B4950@red.blood.int>
I would have appreciated the courtesy of an advance notice
that this problem had been discovered. 5 minutes after I
learned of it *third-hand* via DejaNews this patch was
available and announced to the lsof-l mailing list:

ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/patches/4.40/arg.c.patch

Vic Abell <abe@purdue.edu>, lsof author

> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQ@netspace.org] On Behalf Of Anthony C. Zboralski
> Sent: Wednesday, February 17, 1999 7:31 PM
> To: BUGTRAQ@netspace.org
> Subject: [HERT] Advisory #002 Buffer overflow in lsof
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> - --------------------------------------------------------------
> HERT - Hacker Emergency Response Team
> alert@hert.org - http://www.hert.org
>
> Advisory: #00002
> Title: lsof
> Date: 17 February 1999
> Summary: Buffer overflow in lsof version 4.40 and prior
> IMPACT: Local users may obtain root privilege.
>
> Author: Mariusz Tmoggie Marcinkiewicz <tmoggie@hert.org>
> Test Exploit: kil3r@hert.org
> - ---------------------------------------------------------------
>
> Copyright (C) 1999 Hacker Emergency Response Team
>
> Permission is granted to reproduce and distribute HERT advisories in their
> entirety, provided the HERT PGP signature is included and provided the alert
> is used for noncommercial purposes and with the intent of increasing the
> awareness of the Internet community.
>
> This advisory is distributed in the hope that it will be useful,
> but WITHOUT ANY WARRANTY; without even the implied warranty of
> MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>
> 1. Background:
>
> lsof - list open files
> Lsof lists information about files opened by processes for most
> UNIX dialects.
>
> When lsof is setuid-root or setgid kmem, it is vulnerable to a buffer
> overflow that will lead to direct root compromise or root compromise
> thru live kernel patching.
>
> The paradox is that lsof is a great security tool for administrators and
> we encourage its use as long as it is NOT setuid-root or setgid.
>
> Test exploit code for this vulnerability was developed by kil3r@hert.org
> and will be made available to lsof author, HERT collaborators, sponsors
> and partners.
>
> 2. Distributions known to be affected.
>
> OpenBSD 2.4's ports facility retrieves and builds lsof package setgid kmem.
> FreeBSD's ports facility retrieves and builds lsof package setgid kmem.
> SuSe Linux ships lsof setgid kmem.
> Debian GNU/Linux 2.0 ships lsof setgid kmem.
> Redhat Linux 5.2 ships lsof setgid kmem.
>
> 3. Recommendations
>
> Fix:
>
> chmod 0755 lsof
>
> To subscribe to the HERT Alert mailing list, email alert@hert.org
> with subscribe in the body of the message.
>
> Contact hert@hert.org for more information.
> The HERT PGP public key is available at ftp://ftp.hert.org/pub/HERT_PGP.key
>
> To report a vulnerability: http://www.hert.org/vul_reporting_form
>
> We would like to thank the individuals who donate some of their time to HERT.
>
> HERT is a non-profit international organisation based in France.
> If you wish to join the HERT effort please send a note to hert@hert.org.
> - --
> Please respect the privacy of this mailing list.
> To UNSUBSCRIBE, email to hert-private-request@hert.org
> with "unsubscribe" in the body. Trouble? Contact listmaster@hert.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3ia
> Charset: latin1
>
> -----END PGP SIGNATURE-----
>
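
A check for the condition the advisory describes, as an added example that is not part of the advisory or of Vic Abell's reply: it reports whether an lsof binary still carries the setuid or setgid bit that the recommended `chmod 0755` clears. The function names `setid_status` and `audit_lsof` are hypothetical.

```shell
#!/bin/sh
# Added example: audit lsof binaries for the set-id bits named in the advisory.

# setid_status FILE
# Prints one of: missing, clean, setuid, setgid, setuid+setgid.
setid_status() {
    f=$1
    if [ ! -e "$f" ]; then
        echo missing
        return 0
    fi
    s=
    if [ -u "$f" ]; then s=setuid; fi             # mode bit 4000
    if [ -g "$f" ]; then s=${s:+$s+}setgid; fi    # mode bit 2000 (e.g. group kmem)
    echo "${s:-clean}"
}

# audit_lsof [DIR...]
# Looks for a regular file named lsof in each DIR (default: every $PATH entry),
# prints its status, and returns 1 if any copy is setuid or setgid.
audit_lsof() {
    rc=0
    if [ $# -eq 0 ]; then
        old_ifs=$IFS
        IFS=:
        # Deliberate word splitting of PATH on ':'
        set -- $PATH
        IFS=$old_ifs
    fi
    for d in "$@"; do
        bin=${d:-.}/lsof              # an empty PATH entry means the current dir
        if [ ! -f "$bin" ]; then continue; fi
        st=$(setid_status "$bin")
        echo "$bin: $st"
        if [ "$st" != clean ]; then
            rc=1
            ls -l "$bin"              # show owner and group for the report
        fi
    done
    return $rc
}
```

Calling `audit_lsof` with no arguments checks every directory on `PATH`; a return status of 1 means at least one copy is still set-id.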