Subject: Re: Advisory: mgetty local compromise
From: Gert Doering (gert@GREENIE.MUC.DE)
Date: Sat Aug 26 2000 - 04:02:09 CDT


Hi,

aren't there things you *REALLY* hate? This is one of them.

On Sat, Aug 26, 2000 at 02:23:05AM -0400, Stan Bubrouski wrote:
> Author : Stan Bubrouski
> Date : August 26, 2000
> Package : mgetty
> Versions affected : 1.1.22, 1.1.21 and prior (at least back to 1994)
> Severity : faxrunqd follows symbolic links when creating
> certain files. The default location for the files is /var/spool/fax/outgoing,
> which is a world-writable directory. Local users can destroy the contents
> of any file on a mounted filesystem because faxrunqd is usually run by root.
>
> Problem : mgetty comes with a program named faxrunqd, which is
> a daemon to send fax jobs queued by faxspool(1). Upon successful execution,
> a file named .last_run is created in the /var/spool/fax/outgoing/
> directory which is world-writable. The problem lies in the fact faxrunqd
> will follow symlinks created by any user, allowing file creation anywhere
> and allowing existing files to be overwritten/destroyed.

First of all, this hole does NOT exist anymore in 1.1.22. It has been
reported to me by the FreeBSD people, and closed on August 14, 2000.

1.1.22 has been released on August 17, 2000, and can be found on the usual
places (http://alpha.greenie.net/mgetty/).

So, please, get your facts right before posting.

Second, I am really annoyed to find this on bugtraq, with false data,
without any prior contact. The fact that I just released 1.1.22 should
give you enough hint that I am still maintaining mgetty, and sending me a
quick mail "hey, is this bug still open?" would have been in order.

Also, it would have saved *you* the embarrassment of reporting something to
bugtraq that is already fixed.

Vendor releases might still be vulnerable (shipping old versions), but as
faxrunqd(8) isn't usually run by default, a "standard system" should NOT
be vulnerable. *If* you run faxrunqd, though, upgrade to 1.1.22 (but
those of you that do, you know who you are...)

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert@greenie.muc.de
fax: +49-89-35655025                        gert.doering@physik.tu-muenchen.de
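As an added example that is neither mgetty's code nor the actual 1.1.22 fix, this is how a daemon like faxrunqd can create a marker file such as .last_run in a world-writable spool directory without following a symlink another local user planted there; the function names, the temp directory and the "victim" file are all constructed for the demonstration.

```c
/* Added example, not mgetty code: creating a marker file such as .last_run
 * in a world-writable spool directory without following a planted symlink.
 * A plain open(path, O_WRONLY|O_CREAT|O_TRUNC) follows an existing symlink
 * and truncates its target, which is the behaviour the advisory describes. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* O_NOFOLLOW makes open() fail with ELOOP on a symlink at the final path
 * component; the fstat() check then rejects hard links and anything that
 * is not a regular file owned by the daemon's own uid. Returns an fd or -1. */
int create_marker_safe(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd); errno = EPERM; return -1;
    }
    if (ftruncate(fd, 0) < 0) { close(fd); return -1; }
    return fd;
}

/* Self-check: plant a symlink named .last_run in a constructed temp dir,
 * pointing at a file with content, and verify the hardened opener refuses
 * it with ELOOP and leaves the target untouched. Returns 1 on success. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/faxdemoXXXXXX", victim[64], link[64];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/.last_run", dir);
    int v = open(victim, O_WRONLY | O_CREAT, 0644);
    if (v < 0 || write(v, "keep me\n", 8) != 8 || close(v) < 0) return 0;
    if (symlink(victim, link) < 0) return 0;
    int fd = create_marker_safe(link);
    int refused = (fd < 0 && errno == ELOOP);
    if (fd >= 0) close(fd);
    int intact = (stat(victim, &st) == 0 && st.st_size == 8);
    unlink(link); unlink(victim); rmdir(dir);
    return refused && intact;
}
```

The st_nlink check matters because O_NOFOLLOW says nothing about hard links; on systems without fs.protected_hardlinks a local user on the same filesystem could link an existing file into the spool directory instead of symlinking it.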