[2244] in bugtraq


Re: load.root (loadmodule hole)

daemon@ATHENA.MIT.EDU (Karl Strickland)
Mon Sep 18 09:58:58 1995

Date:         Mon, 18 Sep 1995 00:22:14 +0100
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Karl Strickland <karl@bagpuss.demon.co.uk>
X-To:         BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
In-Reply-To:  <199509152312.QAA00636@olympics.Eng.Sun.COM> from "Brad Powell"
              at Sep 15, 95 04:12:54 pm

>
> >From owner-bugtraq@CRIMELAB.COM  Fri Sep 15 15:46:48 1995
> >Am I overlooking something obvious here, or would simply turning off the
> >set-UID bit on "loadmodule" be an acceptable temporary workaround for
> >most sites?
> >-----
> >Fred Blonder            fred@nasirc.hq.nasa.gov
> >
> >Hughes STX Corp.        (301) 441-4079
> >7701 Greenbelt Rd.
> >Greenbelt, Md.  20770
> >
>
> turning off the suid bit works *mostly*
>
>  of course don't expect to be able to run openwindows :-)
>
> I say mostly because there is still the problem if the process running
> is running as root, as well as the problem of if another
> setuid executable calls loadmodule.
>
> Neither of these is as big a problem, but they are still there.
>
> Calling system() has never been a smart thing, just a simple thing.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Given that statement, the following questions arise.

1. Did SUN know they were doing the 'simple but not smart' thing when
   they released the broken patch?

2. Did the SUN Quality-Control people know that system() is dangerous?
   If not, do they know now, and can we have an assurance that this will
   not happen again in the future?  If they did know, why did they pass
   the patch?

--
------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               |                    Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl@bagpuss.demon.co.uk
                                          |
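
The point about system() in the quoted reply, as an added example (not part of the original post, and not Sun's code): system() passes its argument to /bin/sh with the caller's environment inherited, so a privileged helper is better served by calling execve() directly with an absolute path and a fixed environment. The name run_clean and the environment values are assumptions made for illustration.

```c
/* Added example: shell-free replacement for system() in a privileged helper. */
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for the child (assumed values); nothing is inherited. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };

/*
 * Run the program at absolute path `path` with argument vector `argv`.
 * Returns the child's exit status (127 if exec failed), or -1 if the path
 * is not absolute, fork/wait failed, or the child died from a signal.
 */
int run_clean(const char *path, char *const argv[])
{
    pid_t pid;
    int status;

    if (path == NULL || path[0] != '/')   /* never search PATH */
        return -1;

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, clean_env);    /* no "/bin/sh -c" in between */
        _exit(127);                       /* only reached if exec failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed demo: the child prints only clean_env, not our environment. */
    char *const argv[] = { "env", NULL };
    return run_clean("/usr/bin/env", argv) == 0 ? 0 : 1;
}
```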
