Re: Vulnerability in ccdconfig

From: Warner Losh (impat_private)
Date: Tue Dec 30 1997 - 20:28:24 PST


    
    In message <19971231020231.1448.qmailat_private> Niall Smart writes:
    :  * FreeBSD and NetBSD have been notified of the problem and have fixed
    :    it in their source trees as of yesterday  (FreeBSD-current,
    :    FreeBSD-stable, NetBSD-current)  Retrieve the patched ccdconfig.c
    :    and compile yourself a new ccdconfig.
    
    I want to publicly thank Niall for the responsibility he showed with
    this information by privately corresponding with the FreeBSD and
    (presumably) NetBSD teams on this issue.  This gave us a chance to
    work up a fix, test it and make sure that the users of our systems
    were covered when he released his information.
    
    Warner
    
    P.S.  Here are the changes that I applied to FreeBSD.  They are taken
    from the OpenBSD source base, possibly with minor formatting tweaks,
    and seem to represent the work of Theo de Raadt and
    oliverat_private
    
    Index: ccdconfig.c
    ===================================================================
    RCS file: /home/imp/FreeBSD/CVS/src/sbin/ccdconfig/ccdconfig.c,v
    retrieving revision 1.7
    diff -u -r1.7 ccdconfig.c
    --- ccdconfig.c       1997/06/10 11:04:50     1.7
    +++ ccdconfig.c 1997/12/30 05:08:24
    @@ -161,6 +161,15 @@
            if (options > 1)
                    usage();
    
    +       /*
    +        * Discard setgid privileges if not the running kernel so that bad
    +        * guys can't print interesting stuff from kernel memory.
    +        */
    +       if (core != NULL || kernel != NULL || action != CCD_DUMP) {
    +               setegid(getgid());
    +               setgid(getgid());
    +       }
    +
            switch (action) {
                    case CCD_CONFIG:
                    case CCD_UNCONFIG:
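    Review bot: the return values of setegid() and setgid() in the new block are ignored, so if either call fails the program silently carries on with the group privilege it was supposed to shed; check both and bail out, e.g. `if (setegid(getgid()) == -1 || setgid(getgid()) == -1) err(1, "setgid");`. The placement itself is right: it follows option parsing, so the only path that keeps the setgid group is a plain CCD_DUMP of the running kernel, and any user-supplied core or kernel file is opened without it.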
    @@ -307,11 +316,16 @@
            char line[_POSIX2_LINE_MAX];
            char *cp, **argv;
            int argc, rval;
    +       gid_t egid;
    
    +       egid = getegid();
    +       setegid(getgid());
            if ((f = fopen(ccdconf, "r")) == NULL) {
    +               setegid(egid);
                    warn("fopen: %s", ccdconf);
                    return (1);
            }
    +       setegid(egid);
    
            while (fgets(line, sizeof(line), f) != NULL) {
                    argc = 0;
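    Review bot: in the fopen() failure path setegid(egid) runs before warn(), so if that restore call fails its errno replaces the one from fopen() and the message reports the wrong error; either call warn() first or save errno across the restore. As in the earlier hunk, the initial setegid(getgid()) is unchecked, and if it fails fopen() runs with the setgid group still effective, which is exactly what the temporary drop is meant to prevent; check it and return 1 on failure. Restoring with setegid(egid) is sound because setegid() leaves the saved set-gid untouched, so the original group remains available to switch back to.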
    