Re: uml_net bug

From: 3APA3A (3APA3A_at_SECURITY.NNOV.RU)
Date: 05/26/03

  • Next message: bugzilla_at_redhat.com: "[RHSA-2003:171-01] Updated CUPS packages fix denial of service attack" 
    Date: Mon, 26 May 2003 19:26:59 +0400
To: Ktha <ktha@hushmail.com>

    Dear Ktha,

    The problem is different: uml_net shouldn't be suid.

    http://rhn.redhat.com/errata/RHSA-2003-056.html

    Details:

    An updated kernel-utils package is available that removes the setuid bits
    incorrectly assigned to the uml_net binary.

    --Saturday, May 24, 2003, 5:10:07 AM, you wrote to bugtraq@securityfocus.com:

    K> There is a vulnerability in uml_net. The latest version is vulnerable too.

    K> The problem is the lack of bounds checking in uml_net.c from uml_utilities,

    K> A possible attack could lead to root compromise on some systems since for

    K> example uml_net comes suided root in RH 8.0 by default.

    K> Let's look over the code:

    K> * int n = 3, v;

    K> we observe how "v" is declared, as a signed integer.

    K> with a little bit of "luck" will end up here, knowing that "v" will get

    K> the value of the first parameter (an integer) given to the program:

    K> * if(v > CURRENT_VERSION)

    K> so... if "v" is smaller than 0, the test will be passed but "v" will not

    K> be between 0 and CURRENT_VERSION as the author would expected to.

    K> after some tests on the second parameter of the program... we should

    K> arrive to this code:

    K> * if(handlers[v] != NULL) (*handlers[v])(argc - n, &argv[n]);

    K> here it is called the function located at handlers[v]. by suplying a large

    K> negative integer for "v", handlers[v] can point to the stack which can be

    K> controlled by the user. so, the program can be fooled to call a user

    K> controlled "function".

    K> since the root privileges are not dropped till this point... the user code

    K> will be executed with super-user privileges.

    K> Suggested patch: uml_net.c

    K> - if(v > CURRENT_VERSION){

    K> + if ((v > CURRENT_VERSION) || (v < 0)) {

    K> Contact: ktha@hushmail.com 

    -- 
~/ZARAZA
You know my name - look up my number (Beatles)
  • Next message: bugzilla_at_redhat.com: "[RHSA-2003:171-01] Updated CUPS packages fix denial of service attack"

    Relevant Pages

    • uml_net bug
      ... There is a vulnerability in uml_net. ... example uml_net comes suided root in RH 8.0 by default. ... the value of the first parameter given to the program: ... since the root privileges are not dropped till this point... ...
      (Bugtraq)
    • Re: What does it all mean?
      ... And I know it is not a good for Mysql to run as root ... It will start your real mysqld ... > for example needs root privileges to bind to port 80, ...
      (Fedora)
    • Re: What does it all mean?
      ... And I know it is not a good for Mysql to run as root so I was ... This script is run as root. ... This is the 'real' mysqld, safe_mysqld is a shell script - look at it: ... process starts and runs with root privileges - all communication with the ...
      (Fedora)
    • Re: [opensuse] Re: k3bsetup
      ... It is highly recommended to configure cdrecord to run with root ... If cdrecord needs to run with root privileges, ... I know I used to set those permissions the SuSE way, ...
      (SuSE)
    • Re: local user FQDN or domain rewrite on outgoing mail
      ... To preserve "traditional functionality" requiring root privileges ... because when comparing sendmail to postfix, ... what you are saying is that the initial sendmail daemon that probably ...
      (comp.mail.sendmail)