lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <162803300334.20030526192659@SECURITY.NNOV.RU>
Date: Mon, 26 May 2003 19:26:59 +0400
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: Ktha <ktha@...hmail.com>
Subject: Re: uml_net bug


Dear Ktha,

The problem is different: uml_net shouldn't be suid.

http://rhn.redhat.com/errata/RHSA-2003-056.html

Details:

An updated kernel-utils package is available that removes the setuid bits
incorrectly assigned to the uml_net binary.



--Saturday, May 24, 2003, 5:10:07 AM, you wrote to bugtraq@...urityfocus.com:



K> There is a vulnerability in uml_net. The latest version is vulnerable too.

K> The problem is the lack of bounds checking in uml_net.c from uml_utilities,

K> A possible attack could lead to root compromise on some systems since for 

K> example uml_net comes suided root in RH 8.0 by default.



K> Let's look over the code:



K> *       int n = 3, v;



K> we observe how "v" is declared, as a signed integer.

K> with a little bit of "luck" will end up here, knowing that "v" will get 

K> the value of the first parameter (an integer) given to the program:



K> *       if(v > CURRENT_VERSION)



K> so... if "v" is smaller than 0, the test will be passed but "v" will not 

K> be between 0 and CURRENT_VERSION as the author would expected to.

K> after some tests on the second parameter of the program... we should 

K> arrive to this code:



K> *       if(handlers[v] != NULL) (*handlers[v])(argc - n, &argv[n]);



K> here it is called the function located at handlers[v]. by suplying a large 

K> negative integer for "v", handlers[v] can point to the stack which can be 

K> controlled by the user. so, the program can be fooled  to call a user 

K> controlled "function". 

K> since the root privileges are not dropped till this point... the user code 

K> will be executed with super-user privileges.







K> Suggested patch: uml_net.c



K>     - if(v > CURRENT_VERSION){

K>     + if ((v > CURRENT_VERSION) || (v < 0)) {



K> Contact: ktha@...hmail.com



-- 
~/ZARAZA
You know my name - look up my number (Beatles)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ