Hi Paul,

> From: Paul Starzetz <paulat_private>
> To: "bugtraqat_private" <bugtraqat_private>
> Date: Mon, 18 Jun 2001 19:11:20 +0200
> Subject: pmpost - another nice symlink follower
>
> Hi,
>
> there is a symlink handling problem in the pcp suite from SGI. The
> binary pmpost will follow symlinks, if setuid root this leads to instant
> root compromise, as found on SuSE 7.1 (I doubt that this is a default SuSE
> package, though).
>
> Attached a simple C source to demonstrate this (gcc pm.c -o pm then
> ./pm)

If you like, you can send me your phone number and I will call you during the day to privately discuss things like vendor notification. Key for encryption is appended.

The pmpost binary is contained in the package "pcp", as shipped with the distributions SuSE-7.0, 7.1 and 7.2. In the distribution 7.0, /usr/share/pcp/bin/pmpost is not installed setuid root. In 7.1 and 7.2, pmpost _is_ setuid root and therefore exploitable. The pcp package is not installed by default in any of the distributions.

As a temporary and permanent workaround, remove the setuid bits from the two programs /usr/share/pcp/bin/pmpost and /usr/share/pcp/bin/pmkstat by using the following command (as root):

    chmod a-s /usr/share/pcp/bin/*

A change to /etc/permissions* is not necessary because the two binaries are not listed there. Users of the package might want to change ownerships to make the functionality of the pmpost program available again. Alternatively, users may want to delete the package if it is not used:

    rpm --nodeps -e pcp

There will be update packages on the ftp server shortly that have exactly this "fix" applied.

Further details: The source in src/libpcp/src/config.c reads

    if ((p = getenv(var)) != NULL) val = p;

for configuration items from /etc/pcp.conf and therefore trusts user input/environment. The same applies for the environment variable PCP_CONF that specifies the configuration file. This attitude towards treating user input does not qualify for privileged execution.
The actual open(2) call in src/pmpost/pmpost.c (near "umask(022); /* is this just paranoid? */") can't be fixed without completely ignoring the user-supplied environment since open(2) can't guarantee that a path segment leading to the file is not a symlink.

Thanks,
Roman Drahtmüller, SuSE Security.

-- 
 - -
| Roman Drahtmüller      <drahtat_private> //         "Caution: Cape does |
  SuSE GmbH - Security           Phone: //   not enable user to fly."     |
| Nürnberg, Germany      +49-911-740530  //  (Batman Costume warning label) |
 - -
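Added example, not code from the post or from the pcp project: a hardened counterpart to the two spots Roman names, assuming the function names pcp_config_value and open_nofollow_path and a Linux with openat(2), which postdates this 2001 message. The first ignores the environment entirely once the process runs setuid or setgid; the second walks a path one component at a time so that a symlink in any segment, which plain open(2) cannot rule out, fails the open instead of being followed.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hardened form of the getenv() pattern quoted from config.c: a setuid or
 * setgid process ignores the environment (names/defaults are assumptions). */
const char *pcp_config_value(const char *var, const char *builtin_default) {
    const char *p;
    if (getuid() != geteuid() || getgid() != getegid())
        return builtin_default;               /* privileged: distrust env */
    return (p = getenv(var)) != NULL ? p : builtin_default;
}

/* Open a path one component at a time via openat(2) + O_NOFOLLOW, so a
 * symlink in any segment (not only the last) fails the open. Each step is
 * relative to the previous directory's fd, so nothing can be swapped
 * underneath between one step and the next. Returns an fd or -1. */
int open_nofollow_path(const char *path, int flags, mode_t mode) {
    char buf[4096], *seg, *rest, *save; int dirfd, next;
    if (snprintf(buf, sizeof buf, "%s", path) >= (int)sizeof buf) return -1;
    if ((dirfd = open(path[0] == '/' ? "/" : ".", O_RDONLY | O_DIRECTORY)) < 0) return -1;
    if ((seg = strtok_r(buf, "/", &save)) == NULL) { close(dirfd); return -1; }
    while (seg != NULL) {
        rest = strtok_r(NULL, "/", &save);
        next = rest == NULL ? openat(dirfd, seg, flags | O_NOFOLLOW, mode)
                            : openat(dirfd, seg, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
        close(dirfd);                         /* drop the previous directory fd */
        if ((dirfd = next) < 0) return -1;    /* ELOOP here means a symlink */
        seg = rest;
    }
    return dirfd;
}

/* Constructed self-check: a regular file and a symlink to it in a fresh temp
 * dir under the cwd; returns 1 when the file opens and the symlink is refused. */
int check_symlink_rejected(void) {
    char dir[] = "nofollowXXXXXX", real[64], lnk[64]; int fd, ok;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(real, sizeof real, "%s/real", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    if ((fd = open(real, O_WRONLY | O_CREAT, 0600)) < 0) return 0; close(fd);
    if (symlink("real", lnk) != 0) return 0;
    ok = (fd = open_nofollow_path(real, O_RDONLY, 0)) >= 0
      && open_nofollow_path(lnk, O_RDONLY, 0) == -1;
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(real); rmdir(dir);
    return ok;
}
```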
This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 06:58:29 PDT