OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: KF (dotslashsnosoft.com)
Date: Tue May 28 2002 - 05:37:28 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    There is a new debian based distro called Xandros making its way on to the market.I believe the developers from Corel Linux are on board with Xandros. It has at least one public beta and another on the way and I know of at least one OS that uses it as its backend. I got a chance to play on a couple of Xandros based distros and came up with a few security issues.

    Due to some extremely sketchy wording on disclosure by one of the above mentioned distros I will refrence all distros in general as a "Xandros based flavor of linux". I can not verify that the holes are shared in all flavors.

    The first issue I am going to disclose is in the setuid autorun binary. If this binary is called with the command line argument -c and any file name you are able to read the first line of that file... for example /etc/shadow.

    exploit: autorun -c /etc/shadow

    Here is part of the response from the developer regarding only this issue... I just informed them of 6 others that I am aware of.

    ---------- Author or Developers response ----------------

    I have fixed the bug in autorun. There will be a new package posted
    for Xandros Desktop Beta 2. A fix for Beta 1 will not be provided as we
    are not supporting older beta releases in any way. Lindows.com has been
    notified as well, but we have yet to hear back from them.

    As soon as our QA department gives us the green light, a notice will be
    posted to the beta newsgroups and the new package will be posted on the
    ftp site.
    ---------------------------------------------------------

    http://www.snosoft.com
    -KF