Date:      Thu, 22 Oct 1998 15:10:48 -0700 (PDT)
From:      "Dan Seafeldt, AZ.COM System Administrator" <yankee@az.com>
To:        Paul Hart <hart@iserver.com>
Cc:        Deepwell Internet <freebsd@deepwell.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: FrontPage Server Extensions
Message-ID:  <Pine.BSF.3.91.981022142612.8131B-100000@gate.az.com>
In-Reply-To: <Pine.BSF.3.96.981022132959.5091B-100000@anchovy.orem.iserver.com>

Regarding your comments about the dangers of using the FrontPage 98
extension-modified Apache server, and the home page you mentioned:

 http://users.worldgate.com/~marcs/fp

Short of user-to-user content security problems, according to this page
the primary root exploit is:

1. discover the key file using, among other things, ps, because FrontPage passes
   the key using environment variables
2. the key file allows a user (like the httpd daemon can) to invoke fpexe, a SUID
3. with the key, you can also tell fpexe to execute a /tmp/nasty as the user bin
4. the bin-privileged program replaces/modifies a well-known bin-owned program
5. next time root (cron) runs that well-known program ... well, you know
   the rest...

The problem that I see with this security flaw theory is:

The current source code, at least the source code in the ports collection
for apache-fp I looked at, reveals that fpexe.c does not SGID or SUID to
values lower than specially set defines at the beginning of the code. Thus,
user ID #3 (bin) is too low and fpexe would not allow a SUID/SGID to that
user. Also, it doesn't appear that after SUID'ing fpexe will execute
anything other than the specific CGI programs in the specially designated
directories that it was designed to invoke.

I would tend to think those values should be bumped to at least higher
than any/all staff accounts on a given machine, since non-security-minded
people might set up a cron'd program somewhere or a similar hole without
giving thought to what's happening behind the scenes. You would assign
common userids in the upper range only.

In addition, the author of that home page mentioned just a few checks that
the FrontPage extensions do to enhance security and complained that there
were not enough. When I scanned through the FreeBSD ports collection apache-fp
fpexe.c, I saw many, many more checks than just the ones he talked about.
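
The two guards the message attributes to fpexe.c (a floor below which the helper refuses to switch uid/gid, and a restriction to programs in a designated CGI directory) are sketched below as an added illustration. This is not the apache-fp fpexe.c source; the constants MIN_UID, MIN_GID and CGI_DIR, the function names, and the sample requests are all assumptions made for the example.

```c
/* Added example, not fpexe.c: the shape of a SUID helper's refusal checks.
 * MIN_UID, MIN_GID and CGI_DIR are assumed values, not taken from apache-fp. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed floors: the helper never switches to a uid/gid below these.
 * The message argues such floors should sit above every staff account. */
#define MIN_UID 1000
#define MIN_GID 1000

/* Assumed directory from which the helper may launch CGI programs. */
#define CGI_DIR "/usr/local/frontpage/cgi/"

/* Returns 1 if both ids clear the floors, 0 otherwise (uid 3 = bin fails). */
int ids_allowed(uid_t uid, gid_t gid) {
    return uid >= MIN_UID && gid >= MIN_GID;
}

/* Returns 1 only for a plain file name directly inside CGI_DIR: the prefix
 * must match, and the remainder may contain no '/' and may not be "." or
 * "..", so a request cannot be steered to a path such as /tmp/nasty. */
int program_allowed(const char *path) {
    size_t n = strlen(CGI_DIR);
    const char *name;
    if (strncmp(path, CGI_DIR, n) != 0) return 0;
    name = path + n;
    if (*name == '\0') return 0;
    if (strchr(name, '/') != NULL) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    return 1;
}

/* Drop privileges gid first, then uid, and verify the drop took effect.
 * Returns 0 on success, -1 if the ids are refused or a call fails.
 * Supplementary groups are left out of this illustration. */
int drop_to(uid_t uid, gid_t gid) {
    if (!ids_allowed(uid, gid)) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}

/* Combined gate: a request proceeds only when both checks pass. */
int request_allowed(uid_t uid, gid_t gid, const char *path) {
    return ids_allowed(uid, gid) && program_allowed(path);
}

int main(void) {
    /* Constructed requests: the shape described in the thread, then a
     * legitimate one for a high-numbered user and a program in CGI_DIR. */
    printf("bin + /tmp/nasty: %s\n",
           request_allowed(3, 3, "/tmp/nasty") ? "allowed" : "refused");
    printf("uid 1001 + CGI program: %s\n",
           request_allowed(1001, 1001, CGI_DIR "shtml.exe") ? "allowed" : "refused");
    return 0;
}
```

The order of the checks matters: the uid/gid floor is evaluated before any setgid/setuid call, so a refused request never changes credentials at all, and the directory check rejects traversal by refusing any '/' in the remainder rather than trying to normalise the path.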
