Date: 12 May 2000
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2000.090 -- FreeBSD-SA-00:17
Buffer overflow in libmytinfo may yield increased
privileges with third-party software.
12 May 2000
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: libmytinfo
Vendor: FreeBSD
Operating System: FreeBSD 3.x
Platform: N/A
Impact: Root Compromise
Access Required: Local
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-00:17 Security Advisory
FreeBSD, Inc.
Topic: Buffer overflow in libmytinfo may yield increased
privileges with third-party software.
Category: core
Module: libmytinfo
Announced: 2000-05-09
Affects: FreeBSD 3.x before the correction date.
Corrected: 2000-04-25
FreeBSD only: Yes
Patches: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libmytinfo.patch
I. Background
libmytinfo is part of ncurses, a text-mode display library.
II. Problem Description
libmytinfo allows users to specify an alternate termcap file or entry
via the TERMCAP environment variable, however this is not handled
securely and contains a overflowable buffer inside the library.
This is a security vulnerability for binaries which are linked against
libmytinfo and which are setuid or setgid (i.e. run with elevated
privileges). It may also be a vulnerability in other more obscure
situations where a user can exert control over the environment with
which an ncurses binary is run by another user.
FreeBSD 3.x and earlier versions use a very old, customized version of
ncurses which is difficult to update without breaking
backwards-compatibility. The update was made for FreeBSD 4.0, but it
is unlikely that 3.x will be updated. However, the ncurses source is
currently being audited for further vulnerabilities.
III. Impact
Certain setuid/setgid third-party software (including FreeBSD
ports/packages) may be vulnerable to a local exploit yielding
privileged resources, such as network sockets, privileged filesystem
access, or outright privileged shell access (including root access).
No program in the FreeBSD base system is believed to be vulnerable to
the bug.
FreeBSD 4.0 and above are NOT vulnerable to this problem.
IV. Workaround
Remove any setuid or setgid binary which is linked against libmytinfo
(including statically linked), or remove set[ug]id privileges from the
file as appropriate.
The following instructions will identify the binaries installed on the
system which are candidates for removal or removal of file
permissions. Since there may be other as yet undiscovered
vulnerabilities in libmytinfo it may be wise to perform this audit
regardless of whether or not you upgrade your system as described in
section V below. In particular, see the note regarding static linking
in section V.
Of course, it is possible that some of the identified files may be
required for the correct operation of your local system, in which case
there is no clear workaround except for limiting the set of users who
may run the binaries, by an appropriate use of user groups and
removing the "o+x" file permission bit.
1) Download the 'libfind.sh' script from
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libfind.sh
e.g. with the fetch(1) command:
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libfind.sh
Receiving libfind.sh (460 bytes): 100%
460 bytes transferred in 0.0 seconds (394.69 Kbytes/s)
#
2) Verify the md5 checksum and compare to the value below:
# /sbin/md5 libfind.sh
MD5 (libfind.sh) = 59dceaa76d6440c58471354a10a8fb0b
3) Run the libfind script against your system:
# sh libfind.sh /
This will scan your entire system for setuid or setgid binaries which
are linked against libmytinfo. Each returned binary should be examined
(e.g. with 'ls -l' and/or other tools) to determine what security risk
it poses to your local environment, e.g. whether it can be run by
arbitrary local users who may be able to exploit it to gain
privileges.
4) Remove the binaries, or reduce their file permissions, as appropriate.
V. Solution
Upgrade your FreeBSD 3.x system to 3.4-STABLE after the correction
date, or patch your present system source code and rebuild. Then run
the libfind script as instructed in section IV and identify any
statically-linked binaries (those reported as "STATIC" by the
libfind script). These should either be removed, recompiled, or have
privileges restricted to secure them against this vulnerability (since
statically-linked binaries will not be affected by recompiling the
shared libmytinfo library).
To patch your present system: save the patch below into a file, and
execute the following commands as root:
cd /usr/src/lib/libmytinfo
patch < /path/to/patch/file
make all
make install
Patches for 3.x systems before the resolution date:
Index: findterm.c
===================================================================
RCS file: /usr/cvs/src/lib/libmytinfo/Attic/findterm.c,v
retrieving revision 1.3
diff -u -r1.3 findterm.c
--- findterm.c 1997/08/13 01:21:36 1.3
+++ findterm.c 2000/04/25 16:58:19
@@ -242,7 +242,7 @@
} else {
s = path->file;
d = buf;
- while(*s != '�' && *s != ':')
+ while(*s != '�' && *s != ':' && d - buf < MAX_LINE - 1)
*d++ = *s++;
*d = '�';
if (_tmatch(buf, name)) {
@@ -259,7 +259,7 @@
} else {
s = path->file;
d = buf;
- while(*s != '�' && *s != ',')
+ while(*s != '�' && *s != ',' && d - buf < MAX_LINE - 1)
*d++ = *s++;
*d = '�';
if (_tmatch(buf, name)) {
- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBORc3NFUuHi5z0oilAQGcaAP6Ar4+mNTHR/qXUJ+MFIVy+AQHFDwpYq5f
KgBpCRzgKVZs/zfsQ+LwC1vCHzusftTK0lEd//2pfGZHt3ln0eD1s6qt+Q6+ZJBE
MYYiXvqoBL1ob2Ahts6uEUs/vbMb4bCbEmMCn4ad2iU+neKH9a81Lk3frIaJjAVK
8/6vW7wH9W4=
=NDsR
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBOXXSfCh9+71yA2DNAQFYGgP/bAhxfU7P6v+0xp//IUc8hEmjn4/luXN6
0Vc8yQ8b+SYAGwlPt37gExUCWKjNg/GDZfxrp5YrMG/bE68fA5zcJPDwc6wdt8an
Kd3imu5/X3M7IaszSHeyuLS4nPjxiiixDQAOCCoDm4qwHmgxJ1MBU/weOXnPO8Pg
TwMN3dR22sE=
=etII
-----END PGP SIGNATURE-----
|