Re: [Re: Several FreeBSD-3.3 vulnerabilities]

From: Brock Tellier (btellierat_private)
Date: Wed Dec 01 1999 - 12:21:44 PST


    Kris Kennaway <krisat_private> wrote:
    On Tue, 30 Nov 1999, Brock Tellier wrote:
    
    >> All of the vulnerabilities discussed herein are based on my work on
    >> FreeBSD 3.3-RELEASE. Each of the programs was installed with the
    >> default permissions given when unpacked with sysinstall. 
    >> These permissions are:
    >> -rwxr-sr-x 1 bin dialer 88480 Sep 11 00:55 /usr/X11R6/bin/seyon
    
    >This one was fixed a month ago after your last advisory. Obviously, if
    >you're still using the same version of the OS you used in your initial
    >advisory, it's not going to be fixed :-)
    
    No, I mentioned that older hole but I also revealed six more that were equally
    serious and presumably unpatched.  Unless your fix was to remove the suid-bit
    by default, seyon would still be vulnerable.
    
    
    >> -rwsr-xr-x 1 uucp bin 7780 Sep 11 05:15 /usr/X11R6/bin/xmindpath
    
    >This one is a hole in the vendor-provided software, which wants to
    >install it setuid uucp by default. With ~2800 third-party apps shipped with
    >FreeBSD, we can't be held responsible for the security of all of them :-)
    
    This is the statement I have a bit of a problem with.  Sure there are 2800
    ports, but how many of these are suid/sgid?  I'm thinking *maybe* 50 that I
    saw when I did a full install of 3.3-RELEASE.  Fifty apps, most of which are
    small like xmindpath, isn't a ridiculous number to audit.  At LEAST auditing
    them for command-line overflows and setting up a /tmp watcher.  
    You may not be legally responsible, or be able to take responsibility for the
    quality of the code, but when you allow a third-party to put a *suid* program
    into your distribution you imply some sort of trust with the end-user
    regarding its security integrity.  At least to the point that we can assume
    that someone has taken the time to xmindpath -arg $BUF.  Note that this isn't
    specifically directed at FreeBSD or free OS's.
    
    
    >> -r-xr-sr-x 1 bin games 481794 Sep 11 01:10 /usr/X11R6/bin/angband
    
    >This one is our fault (in the sense that installing it setgid games so it
    >can write a high score file is not something the software does by
    >default).
    
    >Your advisory wasn't clear whether or not you contacted the port
    >maintainers directly about these, and they were just slow off the mark,
    >or if it was just security-officerat_private. Assuming the former, one way
    >of expediting the process would be to send mail to the (new)
    >auditat_private mailing list which has several people who will be quite
    >happy to do some butt-kicking to get a response :-)
    
    No, I contacted security-officerat_private who responded that HE had
    contacted the maintainers.  That was the last I ever heard of it.  
    
    Brock Tellier
    UNIX Systems Administrator
    Chicago, IL, USA
    btellierat_private
    
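The inventory step of the audit the post argues for (count and classify every suid/sgid binary on the box) as an added example that is not part of the thread: it parses `ls -l` lines in the format quoted above and, with `--live`, runs the same classification over a real filesystem tree. The `--live` flag, the function names and the `/` default are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original post: classify the set-uid/set-gid
# binaries that a FreeBSD install ships, starting from 'ls -l' output.

# Usage: classify_mode "<one ls -l line>"
# Prints "<kind> <owner|group> <path>", kind = setuid|setgid|both|none.
# Column 4 of the mode string is the owner-exec slot, column 7 the
# group-exec slot; 's' or 'S' there means the corresponding bit is set
# ('S' = bit set without the exec bit, still a privileged binary).
classify_mode() {
    set -- $1                    # split the ls -l line into fields
    mode=$1; owner=$3; group=$4
    shift $(($# - 1)); path=$1   # last field is the path (no spaces assumed)
    uexec=$(printf '%s' "$mode" | cut -c4)
    gexec=$(printf '%s' "$mode" | cut -c7)
    kind=none; who=-
    case "$uexec$gexec" in
        [sS][sS]) kind=both;   who="$owner:$group" ;;
        [sS]?)    kind=setuid; who=$owner ;;
        ?[sS])    kind=setgid; who=$group ;;
    esac
    printf '%s %s %s\n' "$kind" "$who" "$path"
}

# Usage: inventory_privileged <root-dir>
# Walks one filesystem (-xdev, so procfs and network mounts are skipped)
# and reports every regular file with the setuid (4000) or setgid (2000)
# bit, one classification per line.
inventory_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} + 2>/dev/null |
    while IFS= read -r line; do classify_mode "$line"; done
}

# Constructed sample: the three permission lines quoted in the thread.
SAMPLE='-rwxr-sr-x 1 bin dialer 88480 Sep 11 00:55 /usr/X11R6/bin/seyon
-rwsr-xr-x 1 uucp bin 7780 Sep 11 05:15 /usr/X11R6/bin/xmindpath
-r-xr-sr-x 1 bin games 481794 Sep 11 01:10 /usr/X11R6/bin/angband'

classify_sample() {
    printf '%s\n' "$SAMPLE" | while IFS= read -r line; do classify_mode "$line"; done
}

if [ "${1:-}" = "--live" ]; then
    inventory_privileged "${2:-/}"   # e.g. ./inventory.sh --live /usr/X11R6
else
    classify_sample
fi
```

Piping the live output through `sort | uniq -c` on the first two columns gives the per-user and per-group count the post estimates at roughly fifty for a full 3.3-RELEASE install.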
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:16:22 PDT