[15349] in bugtraq
Re: Splitvt exploit
daemon@ATHENA.MIT.EDU (Joey Hess)
Thu Jun 15 14:11:28 2000
Message-Id: <20000614192837.A20973@kitenet.net>
Date: Wed, 14 Jun 2000 19:28:37 -0700
Reply-To: Joey Hess <joey@KITENET.NET>
From: Joey Hess <joey@KITENET.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <3947DBCB.5E24DC5D@dds.nl>; from syz@DDS.NL on Wed, Jun 14, 2000 at 09:23:55PM +0200
syzop wrote:
> Splitvt 1.6.3 contains a buffer overflow; if you have installed splitvt suid root (like
> Debian/Redhat/etc, btw not Slackware) you should upgrade to 1.6.4.
>
> Solution
> =======
> Debian users:
> see http://www.debian.org/security/2000/20000605a
Note that in addition to the above fix, version 1.6.4-3 of splitvt in
Debian is no longer suid root, just sgid utmp. If any further security
holes are found (the program could use a thorough audit), I hope this
will greatly reduce the magnitude of the exploit. A patch for glibc
systems follows, which I have already sent to the author of splitvt.
Index: misc.c
===================================================================
RCS file: /home/cvs/repository/joey-cvs/public/packages/splitvt/misc.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 misc.c
--- misc.c 1999/09/11 08:27:29 1.1.1.1
+++ misc.c 2000/06/14 22:02:47
@@ -108,6 +108,9 @@
=20
/* Set our uid to our real uid if necessary */
(void) setuid(getuid());
+ /* Same for gid (program may be setgid utmp on some
+ * systems). */
+ (void) setgid(getgid());
=09
/* Run the requested program, with possible leading dash. */
execvp(((*argv[0] =3D=3D '-') ? argv[0]+1 : argv[0]), argv);
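Review bot: the new `(void) setgid(getgid());` discards the return value, as the existing `(void) setuid(getuid());` above it already does, so if either call fails the process continues to `execvp()` with its set-id privileges intact. Check both results and bail out on failure, and put the gid drop before the uid drop (the usual order, so the group change is made while the process still holds whatever privilege the uid grants), e.g. `if (setgid(getgid()) != 0 || setuid(getuid()) != 0) { perror("dropping privileges"); _exit(1); }`.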
@@ -181,12 +184,18 @@
#else /* ! IRIX */
=20
=20
-#ifdef SOLARIS /* System V.4 pty routines from W. Richard Stevens */
+#if defined(SOLARIS) || defined(__GLIBC__)
+/* System V.4 pty routines from W. Richard Stevens */
+/* GLIBC is very similar, so this will handle it too. */
=20
+#ifdef SOLARIS
+
#include <stropts.h>
=20
#define DEV_CLONE "/dev/ptmx"
=20
+#endif
+
extern char *ptsname();
=20
int get_master_pty()
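Review bot: the glibc branch leans on the K&R-style `extern char *ptsname();` and on `getpt()`, `grantpt()` and `unlockpt()` having no prototype at all; on glibc all of these are declared in `<stdlib.h>` when `_GNU_SOURCE` is defined, so add `#define _GNU_SOURCE` (before any include) and `#include <stdlib.h>` under the `__GLIBC__` case rather than leaving them implicitly declared.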
@@ -194,9 +203,14 @@
=20
char *ttyptr;
=20
+#ifdef SOLARIS
if ( (master_fd=3Dopen(DEV_CLONE, O_RDWR)) < 0 )
return(-1);
-
+#else /* GLIBC */
+ if ( (master_fd=3Dgetpt()) =3D=3D -1 )
+ return (-1);
+#endif
+=09
if ( grantpt(master_fd) < 0 ) /* grant access to slave */
{
close(master_fd);
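Review bot: the two branches test failure differently (`< 0` for the Solaris `open()`, `== -1` for `getpt()`); use the same form in both so the difference does not look deliberate, and the `+` line that adds only a tab introduces trailing whitespace and should be dropped from the patch.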
@@ -240,6 +254,7 @@
return(-1);
}
=20
+#ifdef SOLARIS
if ( ioctl(slave_fd, I_PUSH, "ptem") < 0 )
{
close(master_fd);
@@ -260,7 +275,8 @@
close(slave_fd);
return(-1);
}
-
+#endif
+=09
return(slave_fd);
}
=20
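Review bot: this `#endif` closes the `#ifdef SOLARIS` opened in the previous hunk, with the whole STREAMS `I_PUSH` setup in between; label it `#endif /* SOLARIS */` so the pairing is visible at a glance, and drop the `+` line that adds only a tab.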
Index: utmp.c
===================================================================
RCS file: /home/cvs/repository/joey-cvs/public/packages/splitvt/utmp.c,v
retrieving revision 1.2
diff -u -r1.2 utmp.c
--- utmp.c 1999/09/11 08:27:38 1.2
+++ utmp.c 2000/06/14 22:02:47
@@ -187,12 +187,13 @@
#endif
(void) time(&ut.ut_time);
=20
-#if !defined(SOLARIS) && !defined(IRIX)
- /* Solaris and Irix machines do this automatically */
+#if !defined(SOLARIS) && !defined(IRIX) && !defined(__GLIBC__)
+ /* Solaris and Irix and GLIBC machines do this automatically */
/* Change the ownership and mode of the tty */
if ( stat(tty, &sb) =3D=3D 0 ) {
(void) chmod(tty, 0620); /* crw--w---- */
(void) chown(tty, uid, sb.st_gid);
+ =09
}
#endif
return(set_utmp(tty, &ut));
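Review bot: the `+` line inside the `if ( stat(tty, &sb) == 0 )` block adds only whitespace (a space and a tab) and should be removed from the patch. The reworded comment reads awkwardly; `/* Solaris, Irix and glibc do this automatically */` says the same thing more cleanly.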
-- 
see shy jo, splitvt maintainer for Debian
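A checked privilege drop of the kind the misc.c hunk above performs, written here as an added example (my own code, not the splitvt patch or Joey's): it drops the gid before the uid, tests every return value instead of casting it to void, uses the glibc setres*() calls so the saved ids are cleared as well, and verifies the result before reporting success. The `drop_privileges` name and the fallback branch for non-glibc systems are my own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop set-uid / set-gid privilege to the real ids, in the order
 * that always works: supplementary groups (root only), gid, then uid.
 * Returns 0 only after verifying the drop; -1 (errno set) otherwise. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Only root may change the supplementary group list, so do it while we
     * still can; a plain sgid-utmp binary cannot and need not. */
    if (geteuid() == 0 && setgroups(1, &rgid) != 0)
        return -1;

    /* gid before uid: once the effective uid is no longer root, the kernel
     * only lets us pick the real or saved gid, so the group drop goes first. */
#ifdef __GLIBC__
    /* setres*() overwrite the saved ids too, so setegid()/seteuid() cannot
     * bring the privilege back later (for an sgid-utmp binary, setgid() by a
     * non-root caller would leave the saved gid as utmp). */
    if (setresgid(rgid, rgid, rgid) != 0 || setresuid(ruid, ruid, ruid) != 0)
        return -1;
#else
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
#endif

    /* Never trust the return values alone: confirm the ids actually changed. */
    if (geteuid() != ruid || getegid() != rgid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now uid %ld gid %ld\n", (long)geteuid(), (long)getegid());
    return 0;
}
```

Run it from a set-id binary and the printed ids are the real ones; any failure in the chain exits before the caller could go on to exec() anything.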