From owner-freebsd-security Mon Nov 3 10:17:08 1997
From: Ruth Miller
Reply-To: rmiller@syl.nj.nec.com
To: security@freebsd.org
Date: Mon, 3 Nov 1997 13:16:26 -0500 (EST)
Sender: owner-freebsd-security@freebsd.org

join?

From owner-freebsd-security Mon Nov 3 13:04:00 1997
Date: Mon, 3 Nov 1997 16:03:41 -0500 (EST)
From: Todd E Ehrhart
To: freebsd-bugs@freebsd.org, freebsd-chat@freebsd.org, freebsd-questions@freebsd.org, freebsd-ports@freebsd.org, freebsd-security-notifications@freebsd.org, freebsd-security@freebsd.org, freebsd-hackers@freebsd.org

subscribe

From owner-freebsd-security Tue Nov 4 14:24:57 1997
Date: Tue, 4 Nov 1997 17:24:51 -0500 (EST)
From: Garrett Wollman
Message-Id: <199711042224.RAA17913@khavrinen.lcs.mit.edu>
To: security@freebsd.org
Subject: FreeBSD Security Advisory: FreeBSD-SA-97:05.open
In-Reply-To: <199711041951.UAA02408@gvr.gvr.org>
References: <199711041951.UAA02408@gvr.gvr.org>

< said:
> III. Impact
> The problem can be used by any user on the system to do unauthorised
> io instructions.

One other impact which I have not seen mentioned yet should be obvious: there is a potential DoS if an unfriendly user opens and holds open an exclusive-open device (such as a tape drive) which is necessary for system operation.

-GAWollman
--
Garrett A. Wollman | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick

From owner-freebsd-security Tue Nov 4 16:19:12 1997
Date: Tue, 4 Nov 1997 18:17:11 -0600 (CST)
Message-Id: <199711050017.SAA00712@argon.vapornet.com>
From: John Preisler
To: freebsd-security@freebsd.org
Subject: norfork hole

Last I heard about the norfork hole was the lkm to patch. Has this issue been resolved?

-jrp

From owner-freebsd-security Wed Nov 5 05:40:06 1997
Date: Wed, 5 Nov 97 8:38:27 -0500
From: "Nathan Z. Johns"
Subject: ...no subject...

From owner-freebsd-security Thu Nov 6 12:29:13 1997
Date: Thu, 6 Nov 1997 15:30:39 -0500 (EST)
From: Robert Watson
Reply-To: Robert Watson
To: freebsd-security@freebsd.org
cc: Mattias Amnefelt
Subject: Re: Major security-hole in kerberos rsh, rcp and rlogin. (fwd)

Does this affect the FreeBSD distributed version of kerberos? I get the following on one of our machines, which suggests that it may not:

robert@cyrus:cyrus:~> whoami
robert
robert@cyrus:cyrus:~> ls -l /tmp/tkt_mccann_1000
-rw------- 1 mccann bin 211 Nov 3 01:18 /tmp/tkt_mccann_1000
robert@cyrus:cyrus:~> setenv KRBTKFILE /tmp/tkt_mccann_1000
robert@cyrus:cyrus:~> rlogin fledge.watson.org
krcmd_mutual: Can't access ticket file (tf_util)
rlogin: the -x flag requires Kerberos authentication
robert@cyrus:cyrus:~> klist
Ticket file: /tmp/tkt_mccann_1000
klist: Can't access ticket file (tf_util)
robert@cyrus:cyrus:~>

I may be misinterpreting the report -- please let me know if that is the case.

Robert N Watson
Junior, Logic+Computation, Carnegie Mellon University http://www.cmu.edu/
Network Administrator, SafePort Network Services http://www.safeport.com/
robert@fledge.watson.org rwatson@safeport.com http://www.watson.org/~robert/

---------- Forwarded message ----------
Date: Thu, 6 Nov 1997 11:25:03 +0100
From: Mattias Amnefelt
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Major security-hole in kerberos rsh, rcp and rlogin.

The security hole in kerberos:

Affects: kth-krb4

Background:
Every user on a kerberized system has a ticket-file. Only the owner should be able to read this file. The name of the ticketfile is stored in the environment-variable KRBTKFILE.

The hole:
The versions of rsh, rcp and rlogin in the kth-krb4 package are setuid to work with bsd-style rshd and rlogind. When they attempt to read the ticketfile, there is no check if the user starting the program has read access to the file. Thus, a user can use any other user on the system's ticketfile by simply changing an environment variable.

Quick Workaround:
Disable the suid-bits on rcp, rsh and rlogin. This will disable the program's capabilities to fall back to the non-kerberised protocols if a user fails to authenticate himself.

Permanent fix:
Change the uid of the program to the user's uid as early as possible (patches from the development team are included, plus two other security patches for kth-kerberos which might be useful to the bugtraq community).

_- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - _
| Mattias Amnefelt | This is a Unix system, I know this. |
| email: mattiasa@stacken.kth.se | - Lex, Jurassic Park |
| phone: +46-(0)70-6970872 | |
-_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ -

------- Start of forwarded mail -------
>From assar@sics.se Tue Nov 4 22:08:18 1997
Date: 03 Nov 1997 18:35:40 +0100
From: Assar Westerlund
To: krb4@sics.se, krb4-announce@sics.se
Subject: security patches for 0.9.6

The enclosed patch to 0.9.6 fixes three security problems:

1. the tgetent buffer overflow. This is fixed by simply not calling tgetent.
2. vulnerability of setuid rsh, rlogin, and rcp. (mentioned in a confusing post on bugtraq).
3. missing IP-number check in telnetd.

NOTE: we recommend against running rsh/rlogin/rcp setuid.

This fix will of course be included in an upcoming version RSN.

Assar, Bjorn, and Johan

Index: appl/bsd/rcp.c =================================================================== RCS file: /afs/pdc.kth.se/src/packages/kth-krb/src/krb4/appl/bsd/rcp.c,v retrieving revision 1.43 retrieving revision 1.44 diff -u -w -r1.43 -r1.44 --- rcp.c 1997/05/13 09:41:26 1.43 +++ rcp.c 1997/11/03 11:18:02 1.44 @@ -49,6 +49,9 @@ static uid_t userid; static int pflag, iamremote, iamrecursive, targetshouldbedirectory; +static int argc_copy; +static char **argv_copy; + #define CMDNEEDS 64 static char cmd[CMDNEEDS]; /* must hold "rcp -r -p -d\0" */ @@ -403,8 +406,9 @@ kerberos(char **host, char *bp, char *locuser, char *user) { int sock = -1, err; -again: + if (use_kerberos) { + setuid(getuid()); rem = KSUCCESS; errno = 0; if (dest_realm == NULL) @@ -439,13 +443,11 @@ rem = sock; #endif if (rem < 0) { - use_kerberos = 0; - port = get_shell_port(use_kerberos, 0); if (errno == ECONNREFUSED) oldw("remote host doesn't support Kerberos"); else if (errno == ENOENT) oldw("can't provide Kerberos authentication data"); - goto again; + execv(_PATH_RCP, argv_copy); } } else { if (doencrypt)
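Review bot: the return value of `setuid(getuid())` added at the top of the `if (use_kerberos)` block in kerberos() is never checked. If setuid() fails, the process carries on to read the ticket file with the setuid owner's effective uid, which is exactly the condition this patch is meant to remove; make the failure fatal, e.g. `if (setuid(getuid()) < 0) err(1, "setuid");`. The same unchecked call is added in the rlogin.c and rsh.c hunks further down.

Review bot: `execv(_PATH_RCP, argv_copy)` in the `if (rem < 0)` block of the @@ -439 hunk has no failure path. If the exec fails (wrong _PATH_RCP, permissions), control falls out of the block with rem still negative and the function continues as though the Kerberos connection had succeeded; add `err(1, "can't exec %s", _PATH_RCP);` right after it, matching the `err(1, "can't exec %s", _PATH_RLOGIN)` already used in rsh.c. A comment here would also help the next reader: because the process has already called setuid(getuid()), the non-Kerberos fallback that needs the setuid privilege can only be provided by re-executing the installed rcp binary with -K.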
@@ -906,8 +908,28 @@ { int ch, fflag, tflag; char *targ; + int i; set_progname(argv[0]); + + /* + * Prepare for execing ourselves. + */ + + argc_copy = argc + 1; + argv_copy = malloc((argc_copy + 1) * sizeof(*argv_copy)); + if (argv_copy == NULL) + err(1, "malloc"); + argv_copy[0] = argv[0]; + argv_copy[1] = "-K"; + for(i = 1; i < argc; ++i) { + argv_copy[i + 1] = strdup(argv[i]); + if (argv_copy[i + 1] == NULL) + errx(1, "strdup: out of memory"); + } + argv_copy[argc + 1] = NULL; + + fflag = tflag = 0; while ((ch = getopt(argc, argv, OPTIONS)) != EOF) switch(ch) { /* User-visible flags. */ @@ -951,8 +973,10 @@ * kshell service, pass 0 for no encryption */ port = get_shell_port(use_kerberos, 0); + userid = getuid(); + #ifndef __CYGWIN32__ - if ((pwd = k_getpwuid(userid = getuid())) == NULL) + if ((pwd = k_getpwuid(userid)) == NULL) errx(1, "unknown user %d", (int)userid); #endif Index: appl/bsd/rlogin.c =================================================================== RCS file: /afs/pdc.kth.se/src/packages/kth-krb/src/krb4/appl/bsd/rlogin.c,v retrieving revision 1.61 retrieving revision 1.62 diff -u -w -r1.61 -r1.62 --- rlogin.c 1997/05/25 01:14:47 1.61 +++ rlogin.c 1997/11/03 11:18:09 1.62 @@ -594,14 +594,12 @@ usage(); } optind += argoff; - argc -= optind; - argv += optind; /* if haven't gotten a host yet, do so */ - if (!host && !(host = *argv++)) + if (!host && !(host = argv[optind++])) usage(); - if (*argv) + if (argv[optind]) usage(); if (!(pw = k_getpwuid(uid = getuid()))) @@ -609,7 +607,6 @@ if (!user) user = pw->pw_name; - if (user_port) sv_port = user_port; else @@ -636,17 +633,8 @@ get_window_size(0, &winsize); - try_connect: if (use_kerberos) { - struct hostent *hp; - - /* Fully qualify hostname (needed for krb_realmofhost). */ - hp = gethostbyname(host); - if (hp != NULL && !(host = strdup(hp->h_name))) { - errno = ENOMEM; - err(1, NULL); - } - + setuid(getuid()); rem = KSUCCESS; errno = 0; if (dest_realm == NULL) 
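Review bot: argv_copy in the rcp.c main() hunk inserts "-K" as argv_copy[1], and the fallback hunks re-exec rcp, rlogin and rsh with the same flag, but nothing in the diff shows OPTIONS (rcp) or the rlogin/rsh option strings accepting K, or what the programs do with it; confirm -K is parsed as "do not attempt Kerberos" in all three, otherwise the re-exec'd copy tries Kerberos again and the old `goto again` loop has just become an exec loop. Style: strdup() of every argument is unnecessary since argv is still valid at exec time (and argv_copy[0] = argv[0] is not copied either), and argc_copy is used only to size the malloc, so it need not be a file-scope variable.

Review bot: removing `argc -= optind; argv += optind;` in rlogin.c changes the convention for every later use of argv in the file. This hunk converts the host and trailing-argument checks to argv[optind], and the @@ -659 hunk relies on argv[0] and argc being the originals, but any other argv reference in rlogin.c not shown in the diff now points at the wrong element; please grep the file to confirm none remain.

Review bot: the @@ -636 hunk in rlogin.c deletes the gethostbyname() block whose own comment says the fully qualified name is "needed for krb_realmofhost", without a word in the change description. Resolving the name does not need privilege, so it can stay after setuid(getuid()); if it really is redundant, say so in the log so the realm-selection change is visibly deliberate. The setuid() return value is unchecked here as well.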
@@ -659,15 +647,22 @@ rem = krcmd(&host, sv_port, user, term, 0, dest_realm); if (rem < 0) { - use_kerberos = 0; - if (user_port == 0) - sv_port = get_login_port(use_kerberos, - doencrypt); + int i; + char **newargv; + if (errno == ECONNREFUSED) warning("remote host doesn't support Kerberos"); if (errno == ENOENT) warning("can't provide Kerberos auth data"); - goto try_connect; + newargv = malloc((argc + 2) * sizeof(*newargv)); + if (newargv == NULL) + err(1, "malloc"); + newargv[0] = argv[0]; + newargv[1] = "-K"; + for(i = 1; i < argc; ++i) + newargv[i + 1] = argv[i]; + newargv[argc + 1] = NULL; + execv(_PATH_RLOGIN, newargv); } } else { if (doencrypt) Index: appl/bsd/rsh.c =================================================================== RCS file: /afs/pdc.kth.se/src/packages/kth-krb/src/krb4/appl/bsd/rsh.c,v retrieving revision 1.36 retrieving revision 1.37 diff -u -w -r1.36 -r1.37 --- rsh.c 1997/06/26 13:48:35 1.36 +++ rsh.c 1997/11/03 11:18:14 1.37 @@ -247,9 +247,6 @@ err(1, "can't exec %s", _PATH_RLOGIN); } - argc -= optind; - argv += optind; - #ifndef __CYGWIN32__ if (!(pw = k_getpwuid(uid = getuid()))) errx(1, "unknown user id."); @@ -266,12 +263,12 @@ if (doencrypt) nfork = 0; - args = copyargs(argv); + args = copyargs(argv+optind); sv_port=get_shell_port(use_kerberos, doencrypt); -try_connect: if (use_kerberos) { + setuid(getuid()); rem = KSUCCESS; errno = 0; if (dest_realm == NULL) 
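Review bot: `execv(_PATH_RLOGIN, newargv)` in the rlogin.c fallback has no error handling; on failure it falls out of the `if (rem < 0)` block and continues with rem < 0. Add `err(1, "can't exec %s", _PATH_RLOGIN);` after it. The eight lines that build newargv are duplicated verbatim in rsh.c and nearly so in rcp.c; a small shared helper that copies argv with "-K" inserted after argv[0] would keep the three in step. A one-line comment that the re-exec'd (setuid) binary is what regains the privilege given up by setuid(getuid()) would make this control flow much easier to follow.

Review bot: in rsh.c, `copyargs(argv+optind)` correctly compensates for the removed argc/argv adjustment in the @@ -247 hunk, but as in rlogin.c any other use of argv after this point must be checked; the `setuid(getuid())` added before the krcmd() call is again unchecked and should be fatal on failure.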
@@ -284,13 +281,22 @@ rem = krcmd(&host, sv_port, user, args, &rfd2, dest_realm); if (rem < 0) { + int i; + char **newargv; + if (errno == ECONNREFUSED) warning("remote host doesn't support Kerberos"); if (errno == ENOENT) warning("can't provide Kerberos auth data"); - use_kerberos = 0; - sv_port=get_shell_port(use_kerberos, doencrypt); - goto try_connect; + newargv = malloc((argc + 2) * sizeof(*newargv)); + if (newargv == NULL) + err(1, "malloc"); + newargv[0] = argv[0]; + newargv[1] = "-K"; + for(i = 1; i < argc; ++i) + newargv[i + 1] = argv[i]; + newargv[argc + 1] = NULL; + execv(_PATH_RSH, newargv); } } else { if (doencrypt) Index: appl/bsd/pathnames.h =================================================================== RCS file: /afs/pdc.kth.se/src/packages/kth-krb/src/krb4/appl/bsd/pathnames.h,v retrieving revision 1.23 retrieving revision 1.24 diff -u -w -r1.23 -r1.24 --- pathnames.h 1996/11/17 06:36:42 1.23 +++ pathnames.h 1997/11/03 11:17:19 1.24 @@ -65,6 +65,9 @@ #undef _PATH_RSH /* Redifine rsh */ #define _PATH_RSH BINDIR "/rsh" +#undef _PATH_RCP /* Redifine rcp */ +#define _PATH_RCP BINDIR "/rcp" + #undef _PATH_LOGIN #define _PATH_LOGIN BINDIR "/login" @@ -186,6 +189,8 @@ #define _PATH_RLOGIN "/usr/athena/bin/rlogin" #undef _PATH_RSH #define _PATH_RSH "/usr/athena/bin/rsh" +#undef _PATH_RCP +#define _PATH_RCP "/usr/athena/bin/rcp" #undef _PATH_LOGIN #define _PATH_LOGIN "/usr/athena/bin/login" #endif Index: appl/telnet/libtelnet/kerberos.c =================================================================== RCS file: /afs/pdc.kth.se/src/packages/kth-krb/src/appl/telnet/libtelnet/kerberos.c,v retrieving revision 1.34 retrieving revision 1.36 diff -u -w -r1.34 -r1.36 --- kerberos.c 1997/10/21 21:15:24 1.34 +++ kerberos.c 1997/11/03 06:12:14 1.36 @@ -265,9 +267,11 @@ void kerberos4_is(Authenticator *ap, unsigned char *data, int cnt) { + struct sockaddr_in addr; char realm[REALM_SZ]; char instance[INST_SZ]; int r; + int addr_len; if (cnt-- < 1) return; 
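Review bot: the rsh.c fallback has the same gap as rlogin.c: `execv(_PATH_RSH, newargv)` needs a fatal error path after it. The pattern is already in this file, `err(1, "can't exec %s", _PATH_RLOGIN)`, visible in the context of the @@ -247 hunk.

Review bot: the new comment in pathnames.h, `/* Redifine rcp */`, copies the misspelling from the `/* Redifine rsh */` line above it; fix both to "Redefine" while here. Good that _PATH_RCP is added in both the BINDIR and the /usr/athena/bin blocks, since the rcp.c execv depends on it being defined in every configuration.

Review bot: `int addr_len` in kerberos4_is() is passed to getpeername() as the length pointer in the next hunk; on platforms whose getpeername() prototype takes `socklen_t *` this is a pointer-type mismatch the compiler will warn about, so declare it with the type the target platforms expect.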
@@ -288,8 +292,17 @@ printf("\r\n"); } k_getsockinst(0, instance, sizeof(instance)); - if (r = krb_rd_req(&auth, KRB_SERVICE_NAME, - instance, 0, &adat, "")) { + addr_len = sizeof(addr); + if(getpeername(0, (struct sockaddr *)&addr, &addr_len) < 0) { + if(auth_debug_mode) + printf("getpeername failed\r\n"); + Data(ap, KRB_REJECT, "getpeername failed", -1); + auth_finished(ap, AUTH_REJECT); + return; + } + r = krb_rd_req(&auth, KRB_SERVICE_NAME, + instance, addr.sin_addr.s_addr, &adat, ""); + if (r) { if (auth_debug_mode) printf("Kerberos failed him as %s\r\n", name); Data(ap, KRB_REJECT, (void *)krb_get_err_text(r), -1); Index: appl/telnet/telnetd/telnetd.c =================================================================== RCS file: /afs/pdc.kth.se/src/packages/kth-krb/src/appl/telnet/telnetd/telnetd.c,v retrieving revision 1.47 retrieving revision 1.48 diff -u -w -r1.47 -r1.48 --- telnetd.c 1997/10/29 01:26:58 1.47 +++ telnetd.c 1997/11/03 06:08:26 1.48 
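Review bot: the getpeername() result is passed to krb_rd_req() as addr.sin_addr.s_addr, and the request is rejected when getpeername() fails, which is the right fail-closed behaviour for the missing address check. Two assumptions deserve a check: the code reads sin_addr without verifying `addr.sin_family == AF_INET` (on a non-IPv4 peer those bytes are meaningless and should lead to KRB_REJECT as well), and fd 0 is assumed to be the network connection, which holds for the inetd-style startup that `k_getsockinst(0, ...)` already relies on but is worth a comment.

Review bot: in the telnetd.c hunk that follows, terminaltypeok() is reduced to `return 1;`. That does remove the tgetent() call and its fixed `char buf[1024]`, which is the overflow the announcement describes, but it also removes every check while keeping a name that promises one. Add a comment saying the terminal type is intentionally no longer validated against the termcap database and why, or drop the function and its call site, so that a later maintainer does not reinstate the tgetent() call to make the name truthful.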
@@ -647,21 +647,7 @@ int terminaltypeok(char *s) { - char buf[1024]; - - if (terminaltype == NULL) - return(1); - - /* - * tgetent() will return 1 if the type is known, and - * 0 if it is not known. If it returns -1, it couldn't - * open the database. But if we can't open the database, - * it won't help to say we failed, because we won't be - * able to verify anything else. So, we treat -1 like 1. - */ - if (tgetent(buf, s) == 0) - return(0); - return(1); + return 1; }

From owner-freebsd-security Fri Nov 7 00:56:19 1997
Message-ID: <19971107095506.35947@deepo.prosa.dk>
Date: Fri, 7 Nov 1997 09:55:06 +0100
From: Philippe Regnauld
To: security@freebsd.org
Subject: Fwd: "possible freebsd su problem?"

Is there any potential concern for this?

-----Forwarded message from taz -----
Date: Thu, 6 Nov 1997 11:30:02 -0600
From: taz
Subject: possible freebsd su problem?
To: BUGTRAQ@NETSPACE.ORG

I checked the archives, not a word of this was to be found so here goes.

First off, my o/s:
FreeBSD xxxxxx 2.2.1-RELEASE

Upon running su today, which is obviously setuid on most systems, I used the argument '--' instead of '-'. This caused it to seg fault. I ran gdb on it and found the problem was in a getpwnam() call. Here is the source.

-- FreeBSD su.c (line 175)--
        }
        /* get target login information, default to root */
--->    if ((pwd = getpwnam(user)) == NULL) {    <---
                errx(1, "unknown login: %s", user);
        }
-- end --

It turns out an earlier call to getopt() returns eof, yet it still thinks it has an extra argument for the username, which it doesn't, so it points user to argv[2], which is null. It then calls getpwnam() with the null argument, as shown in the code, and the getpwnam() function in libc tries to do an strlen() on the null pointer and seg faults. End of program.

Exploitable in any way? I have no idea. I would be very interested in comments on this if it is exploitable.

Attached to this is a small patch which checks to see if user is valid or not before making the getpwnam() call. Again this patch is meant for FreeBSD su only. I tried this same thing on sun and linux and it didn't seem to work.
-taz
------------------------------------------------------------------------
taz on IRC taz@dal.net

-----End of forwarded message-----

--
-- Phil
-[ Philippe Regnauld / Systems Administrator / regnauld@deepo.prosa.dk ]-
-[ Location.: +55.4N +11.3E PGP Key: finger regnauld@hotel.prosa.dk ]-

From owner-freebsd-security Fri Nov 7 16:26:31 1997
From: igor@alecto.physics.uiuc.edu (Igor Roshchin)
Message-Id: <199711080025.SAA02078@alecto.physics.uiuc.edu>
Subject: Count.cgi
To: freebsd-security@freebsd.org
Cc: ache@freebsd.org
Date: Fri, 7 Nov 1997 18:25:16 -0600 (CST)

Hello!

I just looked at ftp.freebsd.org, and found that all the port-directories, except -current, seemed to have the old 2.3 version, which seems to be vulnerable. From the difference in the checksum for -current, I think that nothing has been changed in ports since Count 2.4 has been patched. So, I am afraid that it went unnoticed for some people in the FreeBSD community.

Sorry if I mixed something up.

IgoR

Forwarded message:
>From owner-bugtraq@NETSPACE.ORG Wed Nov 5 15:57:38 1997
Approved-By: aleph1@UNDERGROUND.ORG
Date: Wed, 5 Nov 1997 13:46:09 -0600
Reply-To: cert-advisory-request@cert.org
Sender: Bugtraq List
Comments: Resent-From: Aleph One
Comments: Originally-From: CERT Advisory
From: Aleph One
Organization: CERT(sm) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-97.24 - Count_cgi
To: BUGTRAQ@NETSPACE.ORG

=============================================================================
CERT* Advisory CA-97.24
Original issue date: Nov. 05, 1997
Last revised: ---

Topic: Buffer Overrun Vulnerability in Count.cgi cgi-bin Program
-----------------------------------------------------------------------------

The text of this advisory was originally released on October 31, 1997, as AA-97.27, developed by the Australian Computer Emergency Response Team. To more widely broadcast this information, we are reprinting the AUSCERT advisory here with their permission. Only the contact information at the end has changed: AUSCERT contact information has been replaced with CERT/CC contact information.

We will update this advisory as we receive additional information. Look for it in an "Updates" section at the end of the advisory.
=============================================================================

The Australian Computer Emergency Response Team (AUSCERT) has received information that a buffer overrun vulnerability exists in the Count.cgi cgi-bin program. A new version of Count.cgi has been released addressing this vulnerability.

AUSCERT recommends that sites that have the Count.cgi cgi-bin program installed take the steps outlined in Section 3 as soon as possible.

---------------------------------------------------------------------------

1. Description

AUSCERT has received information that a vulnerability exists in the Count.cgi cgi-bin program. The Count.cgi cgi-bin program is used to record and display the number of times a WWW page has been accessed.

Due to insufficient bounds checking on arguments which are supplied by users, it is possible to overwrite the internal stack space of the Count.cgi program while it is executing.
By supplying a carefully designed argument to the Count.cgi program, intruders may be able to force Count.cgi to execute arbitrary commands with the privileges of the httpd process.

The Count.cgi program is extremely widely used. Sites are encouraged to check for its existence and its possible exploitation.

To check whether exploitation of this vulnerability has been attempted at your site, search for accesses to the Count.cgi program in your access logs. An example of how to do this is:

# grep -i 'Count.cgi' {WWW_HOME}/logs/access_log

Where {WWW_HOME} is the base directory for your web server. If this command returns anything, further investigation is necessary. Specifically, look for accesses to Count.cgi that contain long strings of nonsensical characters.

If sites find any evidence showing that they have been probed using this vulnerability, they are encouraged to report the incident to AUSCERT or their local incident response team. Reports of all attacks help AUSCERT gain a better overview of intruder activity within the constituency.

2. Impact

Remote users may be able to execute arbitrary commands with the privileges of the httpd process which answers HTTP requests. This may be used to compromise the http server and under certain configurations gain privileged access.

3. Workarounds/Solution

AUSCERT recommends that sites upgrade to the current version of Count.cgi (Section 3.1). For sites that can not immediately install the current version of Count.cgi, it is recommended that the workaround described in Section 3.2 be applied.

3.1 Upgrade to the current Count.cgi version

The author of Count.cgi has recently released version 2.4 which addresses the vulnerability described in this advisory. AUSCERT recommends that sites upgrade to the latest version as soon as possible.
The current version is available from:

http://www.fccc.edu/users/muquit/Count.html

3.2 Remove execute permissions

To prevent the exploitation of the vulnerability described in this advisory, AUSCERT recommends that the execute permissions be removed from Count.cgi immediately.

Note that this will have the side effect of preventing the page hit counter from being incremented and displayed on web pages using Count.cgi. The remainder of such web pages should still display.

4. Additional measures

It is important to note that attacks similar to this may succeed against any CGI program which has not been written with due consideration for security. Sites using HTTP servers, and in particular CGI applications, are encouraged to develop an understanding of the security issues involved.

Sites should consider taking this opportunity to examine their httpd configuration and web servers. In particular, all CGI programs that are not required should be removed, and all those remaining should be examined for possible security vulnerabilities.

It is also important to ensure that all child processes of httpd are running as a non-privileged user. This is often a configurable option. See the documentation for your httpd distribution for more details.

Numerous resources relating to WWW security are available. The following pages may provide a useful starting point. They include links describing general WWW security, secure httpd setup and secure CGI programming.

The World Wide Web Security FAQ:
http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html

NCSA's "Security Concerns on the Web" Page:
http://hoohoo.ncsa.uiuc.edu/security/

The following books contain useful information including sections on secure programming techniques.

"Web Security Sourcebook", Aviel Rubin, Daniel Geer and Marcus Ranum, John Wiley & Sons, Inc., 1997.

"Practical Unix & Internet Security", Simson Garfinkel and Gene Spafford, 2nd edition, O'Reilly and Associates, 1996.
Please note that the URLs and books referenced in this advisory are not under AUSCERT's control and therefore AUSCERT cannot be responsible for their availability or content.

---------------------------------------------------------------------------

AUSCERT thanks Muhammad Muquit for his assistance in the preparation of this advisory.

---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (see http://www.first.org/team-info/)

CERT/CC Contact Information
----------------------------
Email     cert@cert.org
Phone     +1 412-268-7090 (24-hour hotline)
          CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4) and are on call for emergencies during other hours.
Fax       +1 412-268-6989
Postal address
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          USA

Using encryption
We strongly urge you to encrypt sensitive information sent by email. We can support a shared DES key or PGP. Contact the CERT/CC for more information.
Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key

Getting security information
CERT publications and other security information are available from
http://www.cert.org/
ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce

To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org
In the subject line, type SUBSCRIBE your-email-address

---------------------------------------------------------------------------
Copyright 1997 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with "copyright" in the subject line.

*CERT is registered in the U.S. Patent and Trademark Office.

---------------------------------------------------------------------------
This file: ftp://info.cert.org/pub/cert_advisories/CA-97.24.Count_cgi
http://www.cert.org click on "CERT Advisories"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

From owner-freebsd-security Fri Nov 7 16:46:39 1997
Message-ID: <19971108012602.14691@keltia.freenix.fr>
Date: Sat, 8 Nov 1997 01:26:02 +0100
From: Ollivier Robert
To: security@FreeBSD.ORG
Subject: Re: Fwd: "possible freebsd su problem?"
References: <19971107095506.35947@deepo.prosa.dk>
In-Reply-To: <19971107095506.35947@deepo.prosa.dk>; from Philippe Regnauld on Fri, Nov 07, 1997 at 09:55:06AM +0100

According to Philippe Regnauld:
> Is there any potential concern for this ?
>
> -----Forwarded message from taz -----
>
> Date: Thu, 6 Nov 1997 11:30:02 -0600
> From: taz
> Subject: possible freebsd su problem?
> To: BUGTRAQ@NETSPACE.ORG
>
> I checked the archives, not a word of this was to be found so here
> goes.
>
> First off, my o/s:
> FreeBSD xxxxxx 2.2.1-RELEASE
>
> Upon running su today, which is obviously setuid on most systems,
> I used the argument '--' instead of '-'. This caused it to seg fault. I
> ran gdb on it and found the problem was in a getpwnam() call. here is the
> source.

Fixed a while ago:

joerg 1997/08/23 07:09:37 PDT

Modified files:
usr.bin/su su.c
Log:
Prevent a NULL dereference when given a garbage command line.

PR: bin/3206
Submitted by: blank@fox.uni-trier.de

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #46: Sun Nov 2 16:51:01 CET 1997
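Returning to the CERT advisory on Count.cgi forwarded by Igor Roshchin above: the check it recommends (grep the access log for Count.cgi, then look for requests carrying long strings of nonsensical characters) can be automated. The script below is an added example, not code from the thread, the advisory or the Count.cgi project; its log lines, the 256-character length threshold and the printable-ratio cut-off are constructed assumptions.

```python
"""Flag suspicious Count.cgi requests in an httpd access log.

Added example for the CA-97.24 advisory; not code from the thread, the advisory
or the Count.cgi project. It automates the recommended check: find every access
to Count.cgi (case-insensitively, like grep -i) and single out those whose query
string is unusually long or made of non-printable bytes. The log lines, the
length threshold and the printable-ratio cut-off are constructed assumptions.
"""
import re
from urllib.parse import unquote

# Common Log Format: host ident authuser [time] "METHOD path PROTO" status bytes
CLF_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Assumptions: a legitimate counter query is short and almost entirely
# printable ASCII; anything far outside that deserves a human look.
MAX_QUERY_LEN = 256
MIN_PRINTABLE_RATIO = 0.9

# Constructed sample log (not from a real server). Lines 3 and 4 imitate the
# "long strings of nonsensical characters" the advisory tells sites to look for.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Nov/1997:13:01:02 -0600] "GET /index.html HTTP/1.0" 200 1234',
    '10.0.0.7 - - [05/Nov/1997:13:02:10 -0600] '
    '"GET /cgi-bin/Count.cgi?df=page.dat&dd=A HTTP/1.0" 200 512',
    '10.0.0.9 - - [05/Nov/1997:13:03:44 -0600] '
    '"GET /cgi-bin/count.cgi?df=' + 'A' * 300 + ' HTTP/1.0" 500 0',
    '10.0.0.9 - - [05/Nov/1997:13:03:45 -0600] '
    '"GET /cgi-bin/Count.cgi?dd=' + '%01%02' * 60 + ' HTTP/1.0" 500 0',
]


def parse_clf(line):
    """Split one CLF line into (host, time, method, path, status); None if not CLF."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    host, when, method, path, status, _size = m.groups()
    return host, when, method, path, int(status)


def count_cgi_accesses(lines):
    """The advisory's first step: every log line that mentions Count.cgi at all."""
    return [line for line in lines if 'count.cgi' in line.lower()]


def suspicion_reasons(path):
    """Why a request path looks like a Count.cgi probe; [] when it looks normal."""
    reasons = []
    if 'count.cgi' not in path.lower():
        return reasons
    query = path.split('?', 1)[1] if '?' in path else ''
    # Decode %xx escapes so encoded control bytes are judged as the CGI sees them.
    decoded = unquote(query, errors='replace')
    if len(decoded) > MAX_QUERY_LEN:
        reasons.append('query length %d exceeds %d' % (len(decoded), MAX_QUERY_LEN))
    if decoded:
        printable = sum(1 for c in decoded if 32 <= ord(c) < 127)
        if printable / len(decoded) < MIN_PRINTABLE_RATIO:
            reasons.append('non-printable bytes in query')
    return reasons


def scan_log(lines):
    """Return (host, time, path, status, reasons) for each suspicious Count.cgi hit."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue  # not CLF: skip rather than guess
        host, when, _method, path, status = rec
        reasons = suspicion_reasons(path)
        if reasons:
            hits.append((host, when, path, status, reasons))
    return hits


if __name__ == '__main__':
    print('%d Count.cgi accesses, %d suspicious:' %
          (len(count_cgi_accesses(SAMPLE_LOG)), len(scan_log(SAMPLE_LOG))))
    for host, when, path, status, reasons in scan_log(SAMPLE_LOG):
        print('  %s [%s] status=%d  %s' % (host, when, status, '; '.join(reasons)))
        print('    %s...' % path[:60])
```

Pointing `scan_log` at the real file (one line per element) reproduces the advisory's two-step procedure; the reasons list tells the analyst why each hit was singled out.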