Kris Kennaway <[EMAIL PROTECTED]> wrote:
On Tue, 30 Nov 1999, Brock Tellier wrote:
>> All of the vulnerabilities discussed herein are based on my work on
>> FreeBSD 3.3-RELEASE. Each of the programs was installed with the
>> default permissions given when unpacked with sysinstall.
>> These permissions are:
>> -rwxr-sr-x 1 bin dialer 88480 Sep 11 00:55 /usr/X11R6/bin/seyon
>This one was fixed a month ago after your last advisory. Obviously, if
>you're still using the same version of the OS you used in your initial
>advisory, it's not going to be fixed :-)
No, I mentioned that older hole but I also revealed six more that were equally
serious and presumably unpatched. Unless your fix was to remove the suid-bit
by default, seyon would still be vulnerable.
>> -rwsr-xr-x 1 uucp bin 7780 Sep 11 05:15 /usr/X11R6/bin/xmindpath
>This one is a hole in the vendor-provided software, which wants to >install
>it setuid uucp by default. With ~2800 third-party apps shipped with
>FreeBSD, we can't be held responsible for the security of all of them :-)
This is the statement I have a bit of a problem with. Sure there are 2800
ports, but how many of these are suid/sgid? I'm thinking *maybe* 50 that I
saw when I did a full install of 3.3-RELEASE. Fifty apps, most of which are
small like xmindpath, isn't a ridiculous number to audit. At LEAST auditing
them for command-line overflows and setting up a /tmp watcher.
You may not be legally responsible, or be able to take responsibility for the
quality of the code, but when you allow a third-party to put a *suid* program
into your distribution you imply some sort of trust with the end-user
regarding it's security integrity. At least to the point that we can assume
that someone has taken the time to xmindpath -arg $BUF. Note that this isn't
specifically directed at FreeBSD or free OS's.
>> -r-xr-sr-x 1 bin games 481794 Sep 11 01:10 /usr/X11R6/bin/angband
>This one is our fault (in the sense that installing it setgid games so it
>can write a high score file is not something the software does by
>default).
>Your advisory wasn't clear whether or not you contacted the port
>maintainers directly about these, and they were just slow off the mark, >or
>if it was just [EMAIL PROTECTED] Assuming the former, one way
>of expediting the process would be to send mail to the (new)
>[EMAIL PROTECTED] mailing list which has several people who will be quite
>happy to do some butt-kicking to get a response :-)
No, I contacted [EMAIL PROTECTED] who responded that HE had
contacted the maintainers. That was the last I ever heard of it.
Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA
[EMAIL PROTECTED]
____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1
