Bugtraq archives for 1st quarter (Jan-Mar) 1999: Re: [HERT] Advisory #002 Buffer overflow in lsof
Re: [HERT] Advisory #002 Buffer overflow in lsof
Vic Abell (
abe
purdue.edu)
Thu, 18 Feb 1999 07:10:47 -0500
I would have appreciated the courtesy of an advance notice
that this problem had been discovered. 5 minutes after I
learned of it *third-hand* via DejaNews this patch was
available and announced to the lsof-l mailing list:
ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/patches/4.40/arg.c.patch
Vic Abell <abepurdue.edu>, lsof author
> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQnetspace.org]On Behalf Of Anthony C .
> Zboralski
> Sent: Wednesday, February 17, 1999 7:31 PM
> To: BUGTRAQnetspace.org
> Subject: [HERT] Advisory #002 Buffer overflow in lsof
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> - --------------------------------------------------------------
> HERT - Hacker Emergency Response Team
> alerthert.org - http://www.hert.org
>
> Advisory: #00002
> Title: lsof
> Date: 17 February 1999
> Summary: Buffer overflow in lsof version 4.40 and prior
> IMPACT: Local users may obtain root priviledge.
>
> Author: Mariusz Tmoggie Marcinkiewicz <tmoggiehert.org>
> Test Exploit: kil3rhert.org
> - ---------------------------------------------------------------
>
> Copyright (C) 1999 Hacker Emergency Response Team
>
> Permission is granted to reproduce and distribute HERT advisories in their
> entirety, provided the HERT PGP signature is included and provided the alert is used for noncommercial purposes and with
> the intent of increasing the aware-
> ness of the Internet community.
>
> This advisory is distributed in the hope that it will be useful,
> but WITHOUT ANY WARRANTY; without even the implied warranty of
> MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>
> 1. Background:
>
> lsof - list open files
> Lsof lists information about files opened by processes for most
> UNIX dialects.
>
> When lsof is setuid-root or setgid kmem, it is vulnerable to a buffer
> overflow that will lead to direct root compromise or root compromise
> thru live kernel patching.
>
> The paradox is that lsof is a great security tool for administrators and
> we encourage its uses as long as it is NOT setuid-root or setgid.
>
> Test exploit code for this vulnerability was developped by kil3rhert.org
> and will be made available to lsof author, HERT collaborators, sponsors
> and partners.
>
> 2. Distributions known to be affected.
>
> OpenBSD 2.4's ports facility retrieves and builds lsof package setgid kmem.
> FreeBSD's ports facility retrieves and builds lsof package setgid kmem.
> SuSe Linux ships lsof setgid kmem.
> Debian GNU/Linux 2.0 ships lsof setgid kmem.
> Redhat Linux 5.2 ships lsof setgid kmem.
>
> 3. Recommendations
>
> Fix:
>
> chmod 0755 lsof
>
> To subscribe to the HERT Alert mailing list, email alerthert.org
> with subscribe in the body of the message.
>
> Contact herthert.org for more information.
> The HERT PGP public key is available at ftp://ftp.hert.org/pub/HERT_PGP.key
>
> To report a vulnerability: http://www.hert.org/vul_reporting_form
>
> We would like to thank the individuals who donates some of their time to HERT.
>
> HERT is a non-profit international organisation based in France.
> If you wish to join the HERT effort please send a note to herthert.org.
> - --
> Please respect the privacy of this mailing list.
> To UNSUBSCRIBE, email to hert-private-requesthert.org
> with "unsubscribe" in the body. Trouble? Contact listmasterhert.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3ia
> Charset: latin1
>
> iQCVAwUBNss8D7iV3oeHg1NdAQGHZwP+L76JOU2iHtvl2i3AHP3VDdEJ6W8M5zjf
> vVWDpQY7z4qmW4Ai/D5mnzeRwUey8W9imkoY4J4cF3/O+s/70+rsbwAKsmVgztBm
> DjhdWfMl/yz0ZT8zATJV+YVGtPQsmzvPbZR7YWOQh7oQQyPwzQXkswHkTB24Fsdg
> ehmkQnF1N9c=
> =Ohr4
> -----END PGP SIGNATURE-----
>
