Re: RedHat 5.2 lrzsz-0.12.14-5 have serious security hole

From: Yuri Kuzmenko (yuriat_private)
Date: Tue Dec 01 1998 - 11:15:34 PST


    In article <19981201084554.A18101@csl-gmbh.net> you wrote:
    
    Sorry. Yes, lrz is not buggy.
    
    But the "cu" program from uucp-1.06.1 (uucp.1.06.1-16 in rpm) contains this
    security leak. I use "cu" as my modem terminal. "cu" sets umask to zero at
    self-init. I call "rz" from "cu" by the ~+ command.
    
    [3:20:45] yuri@killer:yuri$ rpm -qa|grep uucp
    uucp-1.06.1-16
    [3:20:45] yuri@killer:yuri$ cu -l ttyS1 -s 115200
    Connected.
    ~+umask
    000
    
    src/uucp*/unix/init.c:
    
      /* We always set our file modes to exactly what we want.  */
      umask (0);
    
    The solution is to save the old umask before setting it to zero and restore it
    after each fork+exec.
    
    And something about "lrz". I think that a simple fopen() is not correct.
    It's dangerous when the other side, for example, sets the file mode to 0600. It means
    that _any_ user (if umask is set to world-readable), even if "sz" is sending a file
    with user-only-access permission, can read this file while it is downloading.
    
    p.s. ALL programs from this UUCP package set umask to zero. Maybe some
    parts of UUCP call other programs from themselves. And all of these programs have
    umask = 0. It's very bad.
    
    >On Mon, Nov 30, 1998 at 10:16:21PM +0200, Yuri Kuzmenko wrote:
    
    >> lrz (Linux ZMODEM file receiver) from the lrzsz package has a security hole
    >> with file permissions.
    >>
    >> lrz creates files with 0666 mode (world writable)
    
    >No, it doesn't. fopen() is not that buggy.
    
    
    >> File mode is set to normal (specified by the other side) only after downloading.
    
    >correct.
    
    >> my umask is 022
    
    >I don't see a code path which doesn't honor your umask, and testing
    >shows that the files get created with (0666 & ~(umask)).
    
    >So what did you do? Can you tell me how to reproduce the behaviour
    >you have seen?
    
    >btw: I really like waking up and finding the name of software packages
    >i maintain (especially those i only maintain because nobody else did)
    >on bugtraq. It's going to be a beautiful day.
    >Next time just send me an email some time before you send it to bugtraq.
    >Thank you.
    
    >Regards, Uwe
    
    --
    // Yuri Kuzmenko at home
    // http://www.cracksoft.kiev.ua
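
As an added example (not code from the uucp package or from this thread): a fork+exec wrapper that saves the caller's umask, sets umask(0) the way uucp's init.c does, and restores the saved value in the child before exec, so a spawned program such as rz does not inherit umask 0. The child_file_mode() helper, its /bin/sh invocation and the /tmp path are a constructed demonstration that reports the mode of a file the child creates with and without the restore.

```c
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical stand-in for uucp's init: remember the caller's umask,
 * then use 0 so the program controls its own file modes exactly. */
static mode_t saved_umask;

void init_modes(void)
{
    saved_umask = umask(0);
}

/* fork+exec helper. With restore != 0 the child gets the caller's original
 * umask back before exec; with restore == 0 it inherits umask 0 (the leak). */
int run_child(const char *path, char *const argv[], int restore)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (restore)
            umask(saved_umask);   /* the fix: undo umask(0) for the child */
        execv(path, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed demonstration: the user's umask is 022 (as in the report),
 * the program calls init_modes(), and a child shell creates `path`.
 * Returns the permission bits of the created file, or -1 on error. */
int child_file_mode(const char *path, int restore)
{
    umask(022);
    init_modes();
    unlink(path);   /* umask only applies at creation, so start fresh */
    char *argv[] = { "sh", "-c", ": > \"$0\"", (char *)path, NULL };
    if (run_child("/bin/sh", argv, restore) != 0)
        return -1;
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    unlink(path);
    return st.st_mode & 0777;
}
```

child_file_mode("/tmp/umask_demo", 0) yields 0666 (world writable, the behaviour seen from cu), while child_file_mode("/tmp/umask_demo", 1) yields 0644.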
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:24:27 PDT