The debian-private mailing list leak, part 1.


KSR[T] #3: Insecure cronjobs



Here is another heads up about an advisory.  This one won't go out until
later in the week.  We would like feedback from maintainers on the current
status of these potential problems.

The updatedb one can be more dangerous than you think.  If there is a
world writable directory that updatedb scans, a user can create a file
like so:

touch '
+ +
'
and then symlink /tmp/sort??????????? and use rsh to become other users.

** SuSE **

The worst thing about the SuSE cron scripts is this part from cron.daily:

    for i in /tmp/log_mg.* /var/log/mgetty.* ; do
        check_log_file $i +1024k 644 root.root

then check_log_file does:

    test -f $1 && \
    find $1 -size $2 \
        -exec echo "$1 was $2" \; \
        -exec cp $1 $1.o \; \
        -exec cp /dev/null $1 \; \
        -exec chmod $3 $1 \; \
        -exec chown $4 $1 \; 
 
Imagine a new copy of /etc/passwd in /tmp/log_mg.gotcha
followed by:
ln -s /etc/passwd /tmp/log_mg.gotcha.o

There is also a lot of blind writing to /tmp in cron.daily which 
is quite dangerous.

I would appreciate any comments any of you might have on this.

Dave


-----
                                                            KSR[T] Advisory #003
                                                            Date:  
                                                            ID #:   

Operating System(s): Redhat Linux 4.1, SuSE Linux 4.4.1, Slackware 3.2

Affected Program:    Default crontabs

Problem Description: There are numerous problems in the default root crontabs
                     for several flavors of UNIX.  This advisory will contain
                     a brief description of several vulnerabilities that we 
                     have discovered.

                     Redhat Linux 4.1:  updatedb contains several security
                     holes.   Updatedb will send the results of a find 
                     command string to sort.  Sort will use /tmp to store
                     temp files, and it will follow symbolic links.  A
                     creative attacker can create files in a world writable
                     directory that allows them to control what data will
                     be written to the symbolic link. 
                     
                     SuSE Linux 4.4.1:  makewhatis uses /tmp, this allows
                     attackers to overwrite files as root.  They cannot
                     control the data being written.  It also uses updatedb.
                     check_log_file() contains a SERIOUS security hole that
                     will allow an intruder to write over any file on the
                     system, with whatever he/she wants.  There are numerous
                     other /tmp file problems with the default crontab,
                     it is highly recommended that it be removed until a
                     secure version is written.
                    
                     Slackware 3.2 also comes with a vulnerable version
                     of updatedb.

Compromise:          On Redhat, a user could potentially use the attack to
                     become another user, possibly even root.  Under SuSE
                     root is practically guaranteed.  Both have definite 
                     denial of service attacks.
                     
Patch/Fix:           See the maintainers.





---                                                                ---
David Goldsmith                                            dhg@dec.net
DEC Consulting                                      http://www.dec.net
Software Development/Internet Security         http://www.dec.net/~dhg
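Added example, not part of Dave's message or of any SuSE or Redhat script: the check_log_file() overwrite described above, reproduced as an ordinary user in a throwaway directory, next to a rotation function with the same interface that refuses the attacker's setup. The same symlink-following pattern is what makes the updatedb/sort temp file dangerous, so the hardened version's rule (never write through a path that lives in a directory other users can write to) applies to that case as well. All paths (the sandbox, the "passwd" stand-in, log_mg.gotcha, the logs directory) and the +1k threshold are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the advisory or of any vendor cron script.
# Every path below is constructed for the demo; the size threshold is +1k
# instead of +1024k so the files stay small.

# Vulnerable rotation, same logic as SuSE cron.daily check_log_file():
# "$1.o" is written through without asking what it is.
rotate_vuln() {
    test -f "$1" && \
    find "$1" -size "$2" \
        -exec cp "$1" "$1.o" \; \
        -exec cp /dev/null "$1" \;
}

# Hardened rotation with the same interface.  The decisive check is the
# first one: a log in a directory other users can write to is never
# rotated, which rules /tmp out entirely.  The symlink checks are defence
# in depth only; they are not atomic with the cp (TOCTOU), so they must
# not be the sole guard.
rotate_safe() {
    f=$1; size=$2; dir=$(dirname "$f")
    [ -f "$f" ] || return 0                              # nothing to rotate
    if [ -n "$(find "$dir" -prune -perm -002 -print)" ]; then
        echo "refusing $f: $dir is writable by others" >&2; return 1
    fi
    if [ -L "$f" ] || [ -L "$f.o" ]; then
        echo "refusing $f: symlink in the rotation path" >&2; return 1
    fi
    [ -n "$(find "$f" -size "$size" -print)" ] || return 0   # below threshold
    cp "$f" "$f.o" && cp /dev/null "$f"
}

# Sandbox: a stand-in for /etc/passwd plus a log directory that is either
# world-writable (mimicking /tmp) or private (mimicking /var/log), with the
# attacker's two steps from the advisory: an oversized "log" holding the
# line to inject, and a symlink from the rotated name to the victim file.
# Prints the sandbox path.
setup_sandbox() {   # $1 = tmp | private, $2 = symlink | nosymlink
    sb=$(mktemp -d)
    mkdir "$sb/logs"
    if [ "$1" = tmp ]; then chmod 1777 "$sb/logs"; fi
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$sb/passwd"
    log=$sb/logs/log_mg.gotcha
    { printf 'evil::0:0::/:/bin/sh\n'
      dd if=/dev/zero bs=1024 count=2 2>/dev/null; } > "$log"
    if [ "$2" = symlink ]; then ln -s "$sb/passwd" "$log.o"; fi
    echo "$sb"
}

# Returns 0 if the vulnerable rotation wrote the injected line into the
# victim file (the advisory's "write over any file ... with whatever").
attack_vulnerable() {
    sb=$(setup_sandbox tmp symlink)
    rotate_vuln "$sb/logs/log_mg.gotcha" +1k
    if grep -q '^evil:' "$sb/passwd"; then rc=0; else rc=1; fi
    rm -rf "$sb"; return $rc
}

# Returns 0 if the hardened rotation refused and left the victim untouched,
# both with the log in a world-writable directory and with only the
# symlink present in a private one.
attack_hardened() {
    for mode in tmp private; do
        sb=$(setup_sandbox "$mode" symlink)
        if rotate_safe "$sb/logs/log_mg.gotcha" +1k; then
            rm -rf "$sb"; return 1                       # should have refused
        fi
        if grep -q '^evil:' "$sb/passwd"; then rm -rf "$sb"; return 1; fi
        rm -rf "$sb"
    done
    return 0
}

# Returns 0 if a legitimate log in a private directory is still rotated:
# the old contents land in .o and the live file is truncated.
legit_rotation() {
    sb=$(setup_sandbox private nosymlink)
    log=$sb/logs/log_mg.gotcha
    rotate_safe "$log" +1k || { rm -rf "$sb"; return 1; }
    if [ -f "$log.o" ] && [ ! -s "$log" ] && grep -q '^evil:' "$log.o"
    then rc=0; else rc=1; fi
    rm -rf "$sb"; return $rc
}
```

Run the three functions in order to see the overwrite succeed against rotate_vuln, get refused by rotate_safe, and still work for a real log under a private directory. The directory-writability test is the part worth keeping: a cron job that only ever touches files under /var/log has no /tmp symlink problem to begin with, which is the "secure version" the advisory asks for.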


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .