Again taken from [EMAIL PROTECTED]
General:
- an interesting article on `ext2fs extended attributes'
http://www.securityfocus.com/focus/linux/articles/ext2attr.html
Security issues:
Linux modprobe Arbitrary Command Execution Vulnerability
BugTraq ID: 1936
Remote: No
Date Published: 2000-11-12
Relevant URL:
http://www.securityfocus.com/bid/1936
Summary:
Modutils is a component of many linux systems that includes tools for
using loadable kernel modules. One of these tools, modprobe, loads a set
of modules that correspond to a provided "name" (passed at the command
line) automatically. Modprobe version 2.3.9 and possibly others around it
contain a vulnerability (present since March 12, 1999) that can lead to a
local root compromise.
The problem has to do with modprobe using popen() to execute the "echo"
program argumented with user input. Because popen() relies on /bin/sh to
parse the command string and execute "echo", unescaped shell
metacharacters can be included in user input to execute other commands.
Though modprobe is not installed setuid root, this vulnerability can be
exploited to gain root access provided the target system is using kmod.
Kmod is a kernel facility that automatically executes the program
'modprobe' when a module is requested via request_module().
[ ... ]
VULNERABLE: probably all Linux distributions;
SuSE, Red Hat and Debian have new packages
available.
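The popen() problem described in the modprobe advisory, as an added example (not modutils code and not part of the original post): the first function pastes input into a shell command line as the summary describes, the second hands it to the child as a single argv element with no shell involved. The function names and the use of printf(1) in place of echo are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern described in the advisory: input is pasted into a string that
 * popen() hands to /bin/sh, so ';', '`', '$(' etc. are interpreted. */
int expand_via_shell(const char *name, char *out, size_t outlen)
{
    char cmd[256];
    if (snprintf(cmd, sizeof cmd, "echo %s", name) >= (int)sizeof cmd)
        return -1;
    FILE *p = popen(cmd, "r");
    if (p == NULL)
        return -1;
    size_t n = fread(out, 1, outlen - 1, p);
    out[n] = '\0';
    return pclose(p) == -1 ? -1 : 0;
}

/* Hardened form: no shell. The name reaches the child as one argv
 * element. printf(1) stands in for echo so a leading '-' is not an option. */
int expand_via_argv(const char *name, char *out, size_t outlen)
{
    int fd[2], status;
    size_t n = 0;
    ssize_t r;
    if (pipe(fd) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1) {
        close(fd[0]); close(fd[1]);
        return -1;
    }
    if (pid == 0) {                        /* child: stdout -> pipe */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]); close(fd[1]);
        execlp("printf", "printf", "%s", name, (char *)NULL);
        _exit(127);
    }
    close(fd[1]);
    while (n < outlen - 1 && (r = read(fd[0], out + n, outlen - 1 - n)) > 0)
        n += (size_t)r;
    out[n] = '\0';
    close(fd[0]);
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0 ? 0 : -1;
}
```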
Midnight Commander cons.saver Arbitrary File Write Vulnerability
BugTraq ID: 1945
Remote: No
Date Published: 2000-11-13
Relevant URL:
http://www.securityfocus.com/bid/1945
Summary:
Midnight Commander is a file management tool for unix systems. Versions
4.5.42 (and likely earlier versions) ship with a tool called cons.saver
installed setuid root that is used by Midnight Commander when it is being
run from a unix console. The cons.saver program contains a vulnerability
that may allow local users to corrupt arbitrary files on the filesystem.
[ ... ]
OpenSSH Client Unauthorized Remote Forwarding Vulnerability
BugTraq ID: 1949
Remote: Yes
Date Published: 2000-11-13
Relevant URL:
http://www.securityfocus.com/bid/1949
Summary:
OpenSSH is a free implementation of the SSH protocol. The OpenSSH software
package is maintained primarily by OpenBSD Project. A vulnerability exists
which can allow an attacker unauthorized access to restricted resources.
The problem occurs in the OpenSSH Client. The client does not sufficiently
check for the ssh-agent and X11 forwarding options after an SSH session
has been negotiated. This allows the server end of the SSH session to gain
access to either of these two resources on the client side. This could
result in a malicious server gaining access to the X11 display and
remotely watching the desktop and keystrokes. This problem can also allow a
malicious server access to the local ssh-agent.
Multiple Vendor UNIX adduser/useradd Vulnerability
BugTraq ID: 1950
Remote: No
Date Published: 2000-11-10
Relevant URL:
http://www.securityfocus.com/bid/1950
Summary:
In some UNIX environments, there may exist a problem which could allow a
user to gain elevated privileges. This problem manifests in UNIX systems
with userless groups.
The problem exists in UNIX User Management Utilities driven by a secondary
interface that operates with privilege sufficient to add users. In UNIX
implementations that add users with groups of their own, it is possible
for a poorly designed secondary interface to use a program, such as
useradd or adduser, and place the user in an elevated privilege group that
doesn't have a user in the passwd file.
Such a scenario could include a web management interface that allows users
to add their own accounts, and provide the user intentional access via
shell or unintentional access by another means such as web or ftp. The
user would then have to select a username for which a corresponding group
exists (but no user), such as 'kmem'. When useradd or adduser adds the
user, they will be assigned the groupid for the corresponding group if it
exists (such as kmem for example). This is only possible if user 'kmem'
does not exist beforehand and the adduser/useradd tools set groupid to
that of the group with the same name of the new user.
This problem could lead to an elevation of privileges by a malicious
user.
[ More a filtering problem than a real security issue in useradd ]
joe Text Editor Symbolic Link Vulnerability
BugTraq ID: 1959
Remote: No
Date Published: 2000-11-16
Relevant URL:
http://www.securityfocus.com/bid/1959
Summary:
joe is a text editor by Joseph Allen, which features familiar functions to
users of both Microsoft text editors and vi users. A problem occurs with
the editor when a session abnormally exits.
Upon abnormal exit, the text editor saves any changes made to the file
being edited into a new file in the current working directory labeled
DEADJOE. When saving this file, the text editor does not check for the
file type. A user editing a file in a directory writable by others could
be subject to having other files written to if a malicious user were to
symbolically link the DEADJOE file to one of owner/group write access of
the user. This would result in the contents of the joe session being
appended to the symbolically linked file, potentially corrupting the
linked file.
Vixie Cron /var/spool/cron Temporary Crontab File Vulnerability
BugTraq ID: 1960
Remote: No
Date Published: 2000-11-17
Relevant URL:
http://www.securityfocus.com/bid/1960
Summary:
Vixie cron is a scheduling daemon written by Paul Vixie, and distributed
with many free UNIX Operating Systems. A problem exists that could allow a
user to execute commands with privilege of another user.
The problem occurs in the /var/spool/cron directory and the handling of
the temporary files created when one edits crontab. This vulnerability
affects systems with permission of 0755 set on the /var/spool/cron
directory. Files created in the /var/spool/cron directory by crontab
inherit root ownership and group, and UMASK of the user executing crontab.
The files created are uniform in name, with the file extension ending in
the PID of the crontab process being executed. Crontab also does not check
for the existence of a file before it opens a session and begins. It is
possible for a malicious user to generate multiple temporary files in
/var/spool/cron with world write permission. A user executing crontab -e
would have their state stored in a file that could be written to by the
malicious user. The attacker could then write a malicious cron entry into
the temporary file, which would be saved. This would result in arbitrary
commands in the malicious crontab being executed with the privileges of
the target user.
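An added example (not joe or Vixie cron code, and not part of the original post) of the file-opening checks whose absence the joe and crontab advisories above describe: refusing a symlinked recovery file, and creating a temporary file exclusively with a fixed mode. The function names, the scratch directory under /tmp and the tmp.<pid> file name are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* joe case: append to a recovery file, but never through a symlink, and
 * only to a regular, singly-linked file owned by the caller. */
int open_recovery_file(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd == -1)
        return -1;                         /* ELOOP if path is a symlink */
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);                         /* checked the fd, not the name */
        return -1;
    }
    return fd;
}

/* crontab case: O_EXCL refuses a pre-planted file with the predictable
 * name; mode 0600 keeps a permissive umask from widening access. */
int create_private_tmp(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario. plant: 0 = nothing, 1 = world-writable file,
 * 2 = symlink. Returns 0 if refused, else permission bits, -1 on error. */
int demo(int plant, int use_excl)
{
    char dir[] = "/tmp/tmpfile-demo-XXXXXX", path[64];
    struct stat st;
    int result = 0;
    mode_t old = umask(0);                 /* worst case: permissive umask */
    if (mkdtemp(dir) == NULL) { umask(old); return -1; }
    snprintf(path, sizeof path, "%s/tmp.%ld", dir, (long)getpid());
    if (plant == 1) close(open(path, O_WRONLY | O_CREAT, 0666));
    if (plant == 2 && symlink("elsewhere", path) == -1) result = -1;
    int fd = use_excl ? create_private_tmp(path) : open_recovery_file(path);
    if (fd != -1) {
        if (result == 0 && fstat(fd, &st) == 0) result = (int)(st.st_mode & 0777);
        close(fd);
    }
    unlink(path); rmdir(dir); umask(old);
    return result;
}
```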