[15463] in bugtraq
Re: [Stan Bubrouski : Re: rh 6.2 -
daemon@ATHENA.MIT.EDU (Satan)
Sat Jun 24 04:18:46 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <3953C99D.78969CA@fastdial.net>
Date: Fri, 23 Jun 2000 16:33:33 -0400
Reply-To: satan@fastdial.net
From: Satan <satan@FASTDIAL.NET>
X-To: Frank da Cruz <fdc@columbia.edu>
To: BUGTRAQ@SECURITYFOCUS.COM
Frank da Cruz wrote:
> > Ya know the sad thing is I pointed out these problems in
> > bugzilla posts the gkermit being sgid uucp I reported
> > two+ weeks ago. No response. My description of the
> > gkermit bug which I reported couple weeks ago can be
> > found here:
> > http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11870
> >
> Hi all. I'm the author of gkermit, and this is the first
> I've heard of any of this (your message was forwarded to
> me by somebody who saw it on a mailing list). The author /
> support contact address is listed in the usage message and the
> man page; as a matter of courtesy, it should be included in
> bug reports.
>
> So who said gkermit should be installed suid or sgid? It
> shouldn't. It does not need privileges for anything. The
> documentation says so:
>
Nobody, that's why I only reported this to Red Hat. According
to the changelogs in the RPMs for gkermit and C-Kermit it was
people at Red Hat who added the sgid bit, and that is why I only
reported the problem to them, because it seemed obvious that
they should not have been set sgid. That's all. If I thought that
this was a problem with a larger scope than just Red Hat I would
have reported it to you, but as it was, the problem was not with
your code so much as with Red Hat making them sgid uucp, so I
chose not to bug you with things you had no control over.
>
> The makefile creates a binary called "gkermit". Simply
> move this binary to the desired directory, such as
> /usr/local/bin. It needs no special permissions other than
> read, write, and execute for the desired users and groups:
> no setuid, no setgid, or any other form of privilege.
>
> This is from:
>
> http://www.columbia.edu/kermit/gkermit.html
>
> > The C-Kermit package that comes on the Powertools CD with
> > Red Hat 6.2 is installed sgid uucp as well and contains
> > a plethora of unchecked buffers that can be used to run
> > commands as gid uucp. Details can be found here:
> > http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11723
> >
> This one is news too and, again, I'd appreciate receiving
> reports like this. Of course I'll follow up on it. There
> might be a couple unchecked buffers, but there is not a
> plethora of them. A great deal of effort has gone into
> pre-checking buffer copy operations, and if some places
> were missed they can be fixed.
>
The C-Kermit code is, in my opinion, disorganized and very messy
to read. Regardless of whether you agree with this or not, it appears
to me the code is very old and needs a lot of work. I know you and
others have put much time into modernizing, changing, and removing
large chunks of unnecessary code from the sources in order to improve
the security and overall integrity of the code. The fact remains, however,
that the code is old and because of that much is still in need of extensive
review. I'm not saying you guys aren't trying and I'm not saying you
people on the C-Kermit project aren't improving it; all I'm saying is that
there are a lot of problems and thus I feel that it should not be made
sgid on systems where users could try to take advantage of bugs/problems
in it. I see a handful of unchecked buffers as I'm sitting here writing this,
so I'm still convinced much needs to be done before it is safe to make
this program sgid. I'll try to make note of all of the ones I see when I
have time and I'll attempt to fix the ones I can and send you diffs, ok?
Oh yeah, and here are some numbers regarding function use:
strcat      302
strncat      31
strcpy      477
strncpy     625 (includes ckstrncpy)
sprintf     886
snprintf      0!
vsprintf      5
vsnprintf     0
Now in all seriousness, do you really think that most of those
886 sprintf calls have bounds-checking? Anyway, I was
wondering: why do you guys use no snprintf calls in your code?
Just curious, I can definitely see some places that would benefit
from it.
-Stan Bubrouski
>
> Frank da Cruz
> The Kermit Project
> Columbia University
> 612 West 115th Street
> New York NY 10025-7799
> USA
> Email: fdc@columbia.edu
> Web: http://www.columbia.edu/kermit/
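The exchange above turns on two things: the Red Hat packages set the sgid uucp bit on a binary that never needed it, and that binary leans on strcpy/strcat/sprintf into fixed-size buffers. The block below is an added example written for this page; it is not code from gkermit, C-Kermit, Red Hat, or either author, and the helper names (bounded_copy, bounded_append, bounded_format, build_command_line) are hypothetical and are not Kermit's ckstrncpy. It puts each unchecked pattern the counts refer to next to a bounded replacement that cannot write past the buffer and that reports truncation instead of silently cutting the string, then drives them with constructed inputs that would overflow a 16-byte line buffer.

```c
/* Added example, not code from gkermit, C-Kermit or the Red Hat package.
 * Shows the unchecked patterns the thread counts (strcpy/strncpy,
 * strcat/strncat, sprintf) beside bounded replacements that never write
 * past a fixed-size buffer and that report truncation.  The helper names
 * are hypothetical and are not Kermit's ckstrncpy. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* strncpy(dst, src, n) leaves dst unterminated when strlen(src) >= n.
 * This copy always terminates and returns 1 if it had to truncate. */
static int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return 1;
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* strncat's size argument is the number of bytes to APPEND, not the size
 * of dst, so strncat(dst, src, sizeof dst) still overflows.  This append
 * takes the real destination size and works out the remaining room. */
static int bounded_append(char *dst, size_t dstsz, const char *src)
{
    const char *end = memchr(dst, '\0', dstsz);
    if (end == NULL)
        return 1;                       /* dst not terminated: refuse */
    size_t used = (size_t)(end - dst);
    return bounded_copy(dst + used, dstsz - used, src);
}

/* sprintf(dst, "%s", name) writes as much as the peer sends.  vsnprintf
 * writes at most dstsz bytes and returns the length the full output would
 * have had; a value >= dstsz means the result was cut short. */
static int bounded_format(char *dst, size_t dstsz, const char *fmt, ...)
{
    va_list ap;
    int need;
    va_start(ap, fmt);
    need = vsnprintf(dst, dstsz, fmt, ap);
    va_end(ap);
    return need < 0 || (size_t)need >= dstsz;
}

/* A caller shaped like file-transfer code: build "<cmd> <name>" where
 * name arrives from the remote side.  The unchecked form would be
 *     sprintf(out, "%s %s", cmd, name);
 * which is exactly how an unchecked buffer in an sgid binary turns into
 * code running as that group.  Returns the length written, or -1 if the
 * line would not fit (the buffer is still NUL-terminated either way). */
int build_command_line(char *out, size_t outsz, const char *cmd, const char *name)
{
    if (bounded_format(out, outsz, "%s %s", cmd, name))
        return -1;
    return (int)strlen(out);
}

/* Exercises the helpers on constructed inputs against a 16-byte line
 * buffer.  Returns the number of failed checks (0 means all held). */
int self_check(void)
{
    char buf[16];
    int failed = 0;

    /* copy that fits: no truncation, contents intact */
    failed += bounded_copy(buf, sizeof buf, "get") != 0 || strcmp(buf, "get") != 0;
    /* append that fits */
    failed += bounded_append(buf, sizeof buf, " file.txt") != 0
              || strcmp(buf, "get file.txt") != 0;
    /* append that does not fit: cut to 15 chars, still terminated */
    failed += bounded_append(buf, sizeof buf, "XXXXXXXXXX") != 1 || strlen(buf) != 15;
    /* 20-byte name into 16-byte buffer: rejected, buffer still terminated */
    failed += build_command_line(buf, sizeof buf, "get", "aaaaaaaaaaaaaaaaaaaa") != -1
              || strlen(buf) != 15;
    /* a line that fits is reported with its length */
    failed += build_command_line(buf, sizeof buf, "get", "x.txt") != 9;
    return failed;
}

int main(void)
{
    int bad = self_check();
    printf("%d check(s) failed\n", bad);
    return bad != 0;
}
```

The point of returning a truncation flag rather than quietly clipping is that a caller in an sgid program can refuse the request; a silently shortened filename or command is a different, quieter bug. The same vsnprintf return-value check is what an snprintf-based rewrite of the 886 sprintf calls would need at each site, which is why simply swapping the function name is not enough.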