OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 3rd quarter (Jul-Sep) 1998: Re: ncurses 4.1 security bug

Re: ncurses 4.1 security bug

Alan Cox (alanLXORGUK.UKUU.ORG.UK)
Wed, 8 Jul 1998 13:45:58 +0100 

> Duncan Simpson writes:
> > ncurses version 4.1 fails to drop priviledges before opening the
> > termcap database and you can set any file(s) you like.
>
> This is not a bug. ncurses is a *library*, not a *program*. It is up
> to suid programs to drop privileges, not every call that invokes them --
> or are you going to declare the fact that fopen() doesn't drop
> privileges a "bug"?

Depends how you care to look at it. I can agree with your reasoning.

In which case there is a bug in
        screen   (as root so very bad)
        dosemu
        mutt
        several bsd-games packages

and almost every other setuid/setgid binary that uses ncurses,termcap or slang
anywhere on the planet today. Also of course any setuid/setgid applications
using NLS or TZ. The latter is far nastier because

1.      The libraries will use message catalogs and may open them before
        you do

2.      If you are using C++ your constructors can't call libc in this case
        as the order of constructors isnt defined

3.      Is anyones ld.so internationalised ? Which OS's have C libraries
        that load TZ or NLS data at library initialisation time before
        the app starts.

4.      Dropping TZ or NLS when setuid is really obnoxious - Japanese users
        will love having mutt, screen, and things like su in English.

And of course your comment is inconsistent with LD_PRELOAD handling on
every OS so far - ld.so is a shared object too.

Alan