Bug#475736: tss: local root exploit

2008-04-13 Thread Nico Golde
Hi,
ok, glob does not segfault so this should be pretty much 
exploitable.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#475736: tss: local root exploit

2008-04-12 Thread Helmut Grohne
Package: tss
Version: 0.8.1-3
Severity: critical
Tags: security
Justification: root security hole

tss has a setuid binary. The source code is src/main.c:

sprintf(glob_string, "%s/.tss/*", getenv("HOME"));

(before dropping setuid, needless to say)

Helmut

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.23.14 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages tss depends on:
ii  libc6 2.7-10 GNU C Library: Shared libraries
ii  libncurses5   5.6+20080405-1 Shared libraries for terminal hand

tss recommends no packages.



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
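A hardened replacement for the path construction quoted in the report above, added here as an example (it is not tss's own code): it bounds the write with snprintf and checks the return value, refuses a missing, relative or oversize HOME instead of copying it, and, since the binary runs setuid, takes the home directory from the password database for the real uid rather than from the caller-controlled environment. The function names are assumptions.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hardened replacement for the page's
 *     sprintf(glob_string, "%s/.tss/*", getenv("HOME"));
 * Writes "<home>/.tss/*" into out (capacity outsz bytes).
 * Returns 0 on success, -1 if home is unusable or the result would
 * not fit; never writes past out[outsz - 1] and leaves out empty on
 * failure so a half-built pattern is never handed to glob().      */
int build_tss_glob(char *out, size_t outsz, const char *home)
{
    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';

    /* A setuid program must treat HOME as hostile input: reject a
     * missing value, a relative path and embedded newlines outright. */
    if (home == NULL || home[0] != '/' || strchr(home, '\n') != NULL)
        return -1;

    int n = snprintf(out, outsz, "%s/.tss/*", home);
    if (n < 0 || (size_t)n >= outsz) {
        /* snprintf truncated (or failed): report, do not proceed */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Where a setuid binary should get the home directory: the password
 * database entry for the real uid, not getenv("HOME").
 * (Assumed helper, not the tss project's code.)                    */
const char *tss_home_dir(void)
{
    struct passwd *pw = getpwuid(getuid());
    return (pw != NULL) ? pw->pw_dir : NULL;
}

int main(void)
{
    char glob_string[4096];              /* assumed buffer size */
    if (build_tss_glob(glob_string, sizeof glob_string, tss_home_dir()) != 0) {
        fputs("cannot determine a usable home directory\n", stderr);
        return 1;
    }
    printf("pattern: %s\n", glob_string);
    return 0;
}
```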



Bug#475736: tss: local root exploit

2008-04-12 Thread أحمد المحمودي
On Sat, Apr 12, 2008 at 05:52:17PM +0200, Helmut Grohne wrote:
> Package: tss
> Version: 0.8.1-3
> Severity: critical
> Tags: security
> Justification: root security hole
> 
> tss has a setuid binary. The source code is src/main.c:
> 
> sprintf(glob_string, "%s/.tss/*", getenv("HOME"));
> 
> (before dropping setuid, needless to say)
---end quoted text---

-- 
 أحمد المحمودي (Ahmed El-Mahmoudy)
  Digital design engineer
  SySDSoft, Inc.
 GPG KeyID: 0x9DCA0B27 (@ subkeys.pgp.net)
 GPG Fingerprint: 087D 3767 8CAC 65B1 8F6C  156E D325 C3C8 9DCA 0B27






Processed: Re: Bug#475736: tss: local root exploit

2008-04-12 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> tags 475736 - security
Bug#475736: tss: local root exploit
Tags were: security
Tags removed: security

> severity 475736 minor
Bug#475736: tss: local root exploit
Severity set to `minor' from `critical'

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)





Bug#475736: tss: local root exploit

2008-04-12 Thread Nico Golde
tags 475736 - security
severity 475736 minor
thanks

Hi Helmut,
* Helmut Grohne [EMAIL PROTECTED] [2008-04-12 18:12]:
> tss has a setuid binary. The source code is src/main.c:
> 
> sprintf(glob_string, "%s/.tss/*", getenv("HOME"));
> 
> (before dropping setuid, needless to say)

Actually I am pretty sure this one is not exploitable. For 
sure you are able to corrupt memory here and overwrite EIP, 
but this will likely segfault in glob() one line after the 
line you quoted. Thus removing the security tag and setting 
the severity to minor.

However your bug report was really useful because we realized 
that the privilege dropping is totally broken in tss and it 
is possible to read arbitrary files via tss. Steve opened 
another bug for this, #475747.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

