Package: hsolink Version: 1.0.118-3 Severity: critical Tags: security Hi, Following was reported by Christian Jaeger. ---------- hsolink-1.0.118 contains a binary hsolinkcontrol that is setuid root. The binary - neither sets PATH - nor fixes other environment variables - nor checks commandline arguments - but uses system(3) (- and may be overflowing fixed-size buffers as well, I didn't check anymore) and thus is a trivial target to get root, for example: (I've tested from the files in an ar-unpacked .deb instead of installing the deb, to avoid exposing my system. Note: apparently the binary has to be at root-owned paths or the Linux kernel will ignore the setuid bit.) novo:~/chris# l -a total 12 -rwsr-xr-x 1 root root 7072 2010-07-09 22:20 hsolinkcontrol drwxr-x--- 2 root chris 80 2010-07-09 22:55 . drwxr-xr-x 50 root root 4272 2010-07-09 22:55 .. chris@novo:/root/chris$ ./hsolinkcontrol down '; bash' Using resolvconf. root@novo:/root/chris# id uid=0(root) gid=1000(chris) groups=..... The setuid recommendation is coming from the upstream author (http://www.pharscape.org/hsolinkcontrol.html), who apparently is not aware of the implications of the setuid bit, and good security in general as evidenced by the problems I've listed above. I have not informed him of the problem [yet]. I don't know about the right solution; maybe using sudo instead of setuit and adding commandline argument checking and replacing system calls with fork/exec* calls. Or, to be safer, instead rather turn it into a daemon. Iff it needs to be run as ordinary users at all--I'm used to have to run "pon" as root, for example, the charge to enable a normal user to run hsolinkcontrol (or the program that uses it) as root (by setting up sudo, for example) could possibly just be left to the user (I can't say as I haven't used the program yet). ---------- Debian has assigned CVE-2010-1671 to this issue. Cheers, Thijs
Description: This is a digitally signed message part.