Another (unrelated?) query. Login re-writes, or writes, a utmp entry.
Should it not remove that entry on exit? I do not think telnetd does
anything with utmp.
Thanks,
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Syd
I wrote:
> ... we can cause one left-over entry with [xterm] ... except xterm
> reuses ptys and re-writes utmp entries ...
We can arrange to hog the pty but release the PID with
run xterm, and within that xterm use
bash -c 'trap "" 11; sleep 600 &'; kill -11 $PPID
Then waste a few PIDs with
Hmm... could we use Samba for a DoS against login? On a PC log in to
Samba, then "kill -9 PID-of-my-smbd" to leave one utmp entry behind.
Samba will automatically re-spawn a new smbd, then kill that... I do
not yet know how large is the ut_id space used by samba (whether this
could exhaust a signif
We had discussed whether login fails often due to left-over utmp
entries. I guess that depends on how likely it is that processes die
without cleanup; and how important it is that login should "work".
I now see that there is the possibility for a DoS attack, by filling
up utmp with left-over entri
On Mon, Dec 08, 2008 at 11:22:34AM +0100, Nicolas François wrote:
> On Mon, Dec 08, 2008 at 09:37:42AM +1100, [EMAIL PROTECTED] wrote:
> > > The bug should affect ubuntu and probably gentoo (4.1.2.2 already
> > > packaged). Not RedHat / Mandrake.
> >
> > A quick peek into shadow-utils-4.1.2-8.fc10
On Mon, Dec 08, 2008 at 09:37:42AM +1100, [EMAIL PROTECTED] wrote:
> > The bug should affect ubuntu and probably gentoo (4.1.2.2 already
> > packaged). Not RedHat / Mandrake.
>
> A quick peek into shadow-utils-4.1.2-8.fc10.src.rpm suggests Fedora is
> also affected. I do not know about RHEL.
shad
I wrote a little while ago:
> A quick peek into shadow-utils-4.1.2-8.fc10.src.rpm suggests Fedora is
> also affected. I do not know about RHEL.
A quick peek into shadow-utils-4.0.17-14.el5.src.rpm suggests RHEL is
just as bad.
Cheers, Paul
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.
> The bug should affect ubuntu and probably gentoo (4.1.2.2 already
> packaged). Not RedHat / Mandrake.
A quick peek into shadow-utils-4.1.2-8.fc10.src.rpm suggests Fedora is
also affected. I do not know about RHEL.
Ubuntu now notified directly:
https://bugs.launchpad.net/ubuntu/+source/shadow/+b
On Mon, Dec 08, 2008 at 08:20:36AM +1100, [EMAIL PROTECTED] wrote:
> Dear Nicolas,
>
> On 23 Nov you wrote:
>
> >> - alert other Linux distros,
> > A new upstream version was released this weekend.
>
> Have not seen any distros make announcements. What distros use that?
> (Am surprised that ev
Dear Nicolas,
On 23 Nov you wrote:
>> - alert other Linux distros,
> A new upstream version was released this weekend.
Have not seen any distros make announcements. What distros use that?
(Am surprised that even Ubuntu has not updated, though normally they
seem responsive.)
Cheers, Paul
Paul
On Sun, Nov 23, 2008 at 10:29:55PM +0100, [EMAIL PROTECTED] wrote:
> On Sun, Nov 23, 2008 at 10:24:26PM +0100, Nicolas François wrote:
> >
> > I made an upload for Etch (-7etch1, also to fix #505271)
> > Moritz, if you can't see it, maybe I did it wrong.
>
> I don't see any trace of it on klecker
On Sun, Nov 23, 2008 at 10:24:26PM +0100, Nicolas François wrote:
> Hello,
>
> On Mon, Nov 24, 2008 at 08:01:42AM +1100, [EMAIL PROTECTED] wrote:
> >
> > Seems your message relates to "old" things, Nicolas has fixed this for
> > lenny already.
>
> I've made an upload to fix #505271, but not this
Hello,
On Mon, Nov 24, 2008 at 08:01:42AM +1100, [EMAIL PROTECTED] wrote:
>
> Seems your message relates to "old" things, Nicolas has fixed this for
> lenny already.
I've made an upload to fix #505271, but not this bug (#505071).
The answer on debian-release was not enough for me to also fix #50
Dear Moritz,
Seems your message relates to "old" things, Nicolas has fixed this for
lenny already.
Please also:
- fix for etch,
- alert other Linux distros,
- issue DSA.
Thanks,
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics Univer
On Sat, Nov 22, 2008 at 10:03:39PM +1100, Paul Szabo wrote:
> Dear Moritz,
>
> Yes, Nicolas's patch does fix the problem. But please note:
> (1) It is my patch, not Nicolas's, was first proposed in
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505071#15
> (2) There is no such patch, nobod
Dear Moritz,
Yes, Nicolas's patch does fix the problem. But please note:
(1) It is my patch, not Nicolas's, and was first proposed in
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505071#15
(2) There is no such patch, nobody has made a "diff" file,
much less a compiled/built package to try.
On Fri, Nov 14, 2008 at 08:33:43PM +1100, Paul Szabo wrote:
> Dear Nekral,
>
> Long ago you wrote:
>
> >> ... Should I attempt to write an exploit/demo?
> > That would be nice to check if it would be possible to chown
> > /etc/shadow by cheating utmp.
>
> Done, I now have a working PoC/demo/expl
Dear Nekral,
Long ago you wrote:
>> ... Should I attempt to write an exploit/demo?
> That would be nice to check if it would be possible to chown
> /etc/shadow by cheating utmp.
Done, I now have a working PoC/demo/exploit ... am not yet releasing
it publicly.
Cheers,
Paul Szabo [EMAIL PROTEC
Dear Nekral,
> Proposed fix: Changing chown (tty, ...) to fchown (0, ...) in chowntty()
Surely you meant to change chmod to fchmod also. (I know this is
nit-picking, but best to be sure...)
Thanks, Paul
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics a
clone 505071 -1
retitle -1 symlink attack in login leading to arbitrary file ownership
tags -1 security
severity -1 serious
tags -1 patch
thanks
Somebody with write access to the utmp database can create the conditions
for a symlink attack in login, leading to gaining ownership of an
arbitrary fil
Dear Nekral,
> Often is arguable.
Are not computers meant to be infallible and perfect?
---
Privileged programs should be strict on what they accept.
Paths are unsafe unless you verify that all directories above are
root-owned and not group or world writeable.
---
How you count bugs, how yo
On Tue, Nov 11, 2008 at 07:36:18AM +1100, [EMAIL PROTECTED] wrote:
>
> Curious way of counting bugs. What do you mean exploitable: to do what?
> (Surely is_my_tty cannot protect, being buggy itself.)
>
> As I see things, the following bugs are present:
>
> - bad selection of utmp entry [often ch
Dear Nekral,
Sorry, I missed your comment:
> ... should be fixed for Lenny ...
No. Should be fixed now, for etch. Needs a DSA.
Cheers,
Paul Szabo [EMAIL PROTECTED] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
Dear Nekral,
Curious way of counting bugs. What do you mean exploitable: to do what?
(Surely is_my_tty cannot protect, being buggy itself.)
As I see things, the following bugs are present:
- bad selection of utmp entry [often choosing wrong]
- is_my_tty uses stat [should be lstat]
- is_my_tty co
Hello,
I think there are two different bugs:
* one is that login relies on the utmp entry with the current PID
In my opinion, this cannot be exploited because is_my_tty will detect
it.
* The other one is that between is_my_tty and chown, there is a race
condition.
Changing chown (t
Dear Nekral,
I have not yet written an exploit/PoC/demo, but think it should be
rather easy to do. Looking at the recent DSA-1500 also, I ask you to
change the severity of this bug to "critical - root security hole",
and of course to fix things quickly. (I would change the severity
myself, but I t
Dear Nekral,
>> Seems to me that as things stand, writing a suitable utmp entry, would
>> trick login into chowning an arbitrary file. Should I attempt to write
>> an exploit/demo?
>
> That would be nice to check if it would be possible to chown /etc/shadow
> by cheating utmp.
>
> A fake demo woul
Hi,
Thanks for your answer.
The culprit is now confirmed.
On Mon, Nov 10, 2008 at 08:51:53AM +1100, [EMAIL PROTECTED] wrote:
> Dear Nicolas (Nekral?),
>
> > First of all, this issue was already discussed, and the main problem was
> > that we were not able to reproduce it.
>
> Yes, I am aware of
Dear Nicolas (Nekral?),
> First of all, this issue was already discussed, and the main problem was
> that we were not able to reproduce it.
Yes, I am aware of bug #332198.
> Are you currently able to reproduce it?
Have not yet attempted to actively reproduce, have observed one
occurrence of "sp
Hello,
First of all, this issue was already discussed, and the main problem was
that we were not able to reproduce it.
Are you currently able to reproduce it?
That would help us a lot, since this would allow testing instrumentation
of login to find the root cause.
Would you agree testing some pa
Package: login
Version: 1:4.0.18.1-7
Severity: normal
(I wanted to send this to [EMAIL PROTECTED] but that was not
accepted, surely because that is closed/archived.)
I found in my logs (I think first occurrence of such mis-behaviour):
Nov 8 05:50:09 rome in.telnetd[21060]: connect from [EMAIL