Re: ncurses 4.1 security bug
Casper Dik (casper at HOLLAND.SUN.COM), Thu, 9 Jul 1998 21:27:24 +0200
- Next message: Michal Zalewski: "Re: Linux kernel filesystem oddities"
- Previous message: Pavel Kankovsky: "Re: Linux kernel filesystem oddities"
- In reply to: Duncan Simpson: "ncurses 4.1 security bug"
- Next in thread: Pavel Kankovsky: "Re: ncurses 4.1 security bug"
>ncurses version 4.1 fails to drop privileges before opening the
>termcap database and you can set any file(s) you like. I am not sure
>any setuid program allows an exploit but this is not good in any case.
>Here is a patch that stops that game. (Using the patch requires
>autoconf because I have not supplied diffs against the configure
>script).
It seems to me that the below fix is broken; what happens if:
- the program already swapped uids (using setreuid(euid, ruid))?
  - you introduce a security hole
- the program swapped using saved uids (using setreuid(-1, ruid))?
  - fine with setfsuid
  - but with saved uids, you reset the saved euid to ruid
    (you throw away the privileges you had for good.)
Juggling with uids in the library is hard; you don't know what the
original uids were and you really have no way to find out.
>+#ifdef HAVE_SETFSUID
>+ /* drop privs to make sure file allowed */
>+ fsuid=setfsuid(getuid());
>+ fsgid=setfsgid(getgid());
>+#else
>+ fsuid=getuid();
>+ fsgid=getgid();
>+#ifdef HAVE_SETREUID
>+ /* Swap real and effective uid */
>+ setreuid(geteuid(), getuid());
>+ serregid(getegid(), getgid());
>+#else
>+ seteuid(getuid()); /* Saved ids or broken */
>+ setegid(getgid());
>+#endif /* HAVE_SETREUID */
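Review bot: `serregid(getegid(), getgid());` in the HAVE_SETREUID branch is a typo for `setregid` and will not compile or link as written. Every drop call in the hunk (`setfsuid`, `setfsgid`, `setreuid`, `seteuid`, `setegid`) also has its return value discarded, so a failed drop goes unnoticed and the termcap file is opened with the original privileges; each call should be checked and the open aborted on failure. Finally, as the reply above points out, `setreuid(geteuid(), getuid())` swaps real and effective ids without knowing whether the caller already swapped them (then the library runs with the privileged id) or dropped via the saved id (then the saved id is overwritten and the caller cannot regain privileges); the `setfsuid` branch does not have that problem because it leaves the real, effective and saved ids alone.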
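To make the two failure cases in the reply concrete, here is an added example (not code from the thread or from ncurses) that models the POSIX saved-set-user-ID rules for an unprivileged caller, as Linux implements setreuid, and traces what the patch's HAVE_SETREUID branch does to a caller that has already swapped or dropped its own ids. The uid values and the assumed "swap back" step are constructed.

```c
/* Constructed model of unprivileged setreuid() semantics (POSIX saved ids as
 * Linux implements them); it does not touch the real process credentials. */
#include <stdbool.h>
#include <stdio.h>

typedef struct { int ruid, euid, suid; } creds;

/* setreuid(r, e) for an unprivileged caller: r may become {ruid, euid}, e may
 * become {ruid, euid, suid}; if r is set, or e is set to something other than
 * the previous ruid, the saved uid is overwritten with the new euid. */
static bool m_setreuid(creds *c, int r, int e) {
    int old_r = c->ruid;
    if (r != -1 && r != c->ruid && r != c->euid) return false;
    if (e != -1 && e != c->ruid && e != c->euid && e != c->suid) return false;
    if (r != -1) c->ruid = r;
    if (e != -1) c->euid = e;
    if (r != -1 || (e != -1 && e != old_r)) c->suid = c->euid;
    return true;
}

/* The patch's HAVE_SETREUID branch: setreuid(geteuid(), getuid()). */
static void patch_swap(creds *c) { m_setreuid(c, c->euid, c->ruid); }

/* Case 1 from the reply: the caller already swapped with setreuid(euid, ruid).
 * Returns the effective uid the termcap file would be opened with. */
int case_already_swapped(void) {
    creds c = {1000, 0, 0};          /* setuid-root binary run by uid 1000 */
    m_setreuid(&c, c.euid, c.ruid);  /* caller parks root in the real uid */
    patch_swap(&c);                  /* library "drops" privileges */
    return c.euid;                   /* 0: the file is opened as root */
}

/* Case 2: the caller dropped via the saved id with setreuid(-1, ruid).
 * Returns whether the caller can still regain root afterwards. */
bool case_saved_uid_regain(void) {
    creds c = {1000, 0, 0};
    m_setreuid(&c, -1, c.ruid);      /* ruid=1000 euid=1000 suid=0 */
    patch_swap(&c);                  /* setreuid(1000, 1000): suid becomes 1000 */
    patch_swap(&c);                  /* assumed swap back after the open: no-op */
    return m_setreuid(&c, -1, 0);    /* false: root is gone for good */
}

int main(void) {
    printf("case 1: termcap opened with euid %d\n", case_already_swapped());
    printf("case 2: caller can regain root: %s\n",
           case_saved_uid_regain() ? "yes" : "no");
    return 0;
}
```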