Re: Vulnerability in ccdconfig

Warner Losh (imp@VILLAGE.ORG)
Tue, 30 Dec 1997 21:28:24 -0700

In message <19971231020231.1448.qmail@ginseng.indigo.ie> Niall Smart writes:
: * FreeBSD and NetBSD have been notified of the problem and have fixed
: it in their source trees as of yesterday (FreeBSD-current,
: FreeBSD-stable, NetBSD-current) Retrieve the patched ccdconfig.c
: and compile yourself a new ccdconfig.

I want to publicly thank Niall for the responsibility he showed with
this information by privately corresponding with the FreeBSD and
(presumably) NetBSD teams on this issue. This gave us a chance to
work up a fix, test it and make sure that the users of our systems
were covered when he released his information.

Warner

P.S. Here are the changes that I applied to FreeBSD. They are taken
from the OpenBSD source base, possibly with minor formatting tweaks,
and seem to represent the work of Theo de Raadt and
oliver@secnet.com.

Index: ccdconfig.c
===================================================================
RCS file: /home/imp/FreeBSD/CVS/src/sbin/ccdconfig/ccdconfig.c,v
retrieving revision 1.7
diff -u -r1.7 ccdconfig.c
- --- ccdconfig.c 1997/06/10 11:04:50 1.7
+++ ccdconfig.c 1997/12/30 05:08:24
@@ -161,6 +161,15 @@
if (options > 1)
usage();

+ /*
+ * Discard setgid privileges if not the running kernel so that bad
+ * guys can't print interesting stuff from kernel memory.
+ */
+ if (core != NULL || kernel != NULL || action != CCD_DUMP) {
+ setegid(getgid());
+ setgid(getgid());
+ }
+
switch (action) {
case CCD_CONFIG:
case CCD_UNCONFIG:
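
Review bot: the return values of setegid() and setgid() in the new privilege-drop block are ignored, so if either call fails the switch on action still runs with the setgid group in effect. Check both results and exit on failure, for example with err(). The comment is also hard to map onto the condition: as written, privileges are kept only when action is CCD_DUMP and neither core nor kernel was supplied, and saying that directly would help the next reader.
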
@@ -307,11 +316,16 @@
char line[_POSIX2_LINE_MAX];
char *cp, **argv;
int argc, rval;
+ gid_t egid;

+ egid = getegid();
+ setegid(getgid());
if ((f = fopen(ccdconf, "r")) == NULL) {
+ setegid(egid);
warn("fopen: %s", ccdconf);
return (1);
}
+ setegid(egid);

while (fgets(line, sizeof(line), f) != NULL) {
argc = 0;
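
Review bot: in the fopen() failure path, setegid(egid) runs before warn("fopen: %s", ccdconf), and warn() reports errno, so a failing setegid() would replace the fopen() error in the message. Save errno before restoring the group ID, or call warn() first and restore afterwards. The three setegid() calls in this hunk are also unchecked: if the temporary drop before fopen() fails, ccdconf is opened with the setgid group still effective, which defeats the purpose of dropping it around the open.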
