Hi,
I am bemused.
After some security auditing on RH5.0, I was curious as to what new suid
binaries and daemons shipped with RH5.1. The first one I noticed was
"xosview". God knows why it needs to be SUID; it probably
doesn''t but the
makefile just makes the binary suid by default. Linux has /proc which has
enough information that ferreting around in /dev/kmem using root privs
isn''t required.
Or perhaps it needs to be suid root for the network load? By the way this
didn''t work regardless.
Anyway. I ran the following highly complicated and time-consuming command
on the xosview sources:
grep strcpy *.cc
Tricky one eh? Perhaps vaguely sensible when shipping a new SUID binary,
i.e. REDHAT THINK!!!!!!
Results of grep include, in Xrm.cc
char userrfilename[1024];
strcpy(userrfilename, getenv("HOME"));
Ohhh that''s nice. Hey but wait that can''t be dangerous. The
author clearly
knew what he/she was doing:
char className[256];
strncpy(className, name, 255); // Avoid evil people out there...
Appears later. I found this amusing.
Anyway I hope it''s apparent this is exploitable. xosview
doesn''t appear to
drop privs.
Also, that is _by no means the only vulnerable section of code_, just the
stupidest bit.
Temp. (and probably permanent) solution: "chmod u-s `which xosview`.
Anyway well done RedHat for "blunder of the week".
Still fuming,
Chris
PS. Whilst you''re at it RedHat, fix the X libraries (new security holes
just found) as well as dhcpd (remote root, well documented), glibc env
vars (linux-security documented), and upgrade samba to 1.9.18p7 in an
update rpm.
