From owner-freebsd-security Thu Oct 22 15:11:05 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA10140 for freebsd-security-outgoing; Thu, 22 Oct 1998 15:11:05 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gate.az.com ([206.63.203.18]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA10133 for ; Thu, 22 Oct 1998 15:11:02 -0700 (PDT) (envelope-from yankee@gate.az.com)
Received: (from yankee@localhost) by gate.az.com (8.8.5/8.8.5) id PAA15557; Thu, 22 Oct 1998 15:10:49 -0700 (PDT)
Date: Thu, 22 Oct 1998 15:10:48 -0700 (PDT)
From: "Dan Seafeldt, AZ.COM System Administrator"
To: Paul Hart
cc: Deepwell Internet , freebsd-security@FreeBSD.ORG
Subject: Re: FrontPage Server Extensions
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Regarding your comments about the dangers of using a FrontPage 98 extension-modified Apache server, and the home page you mentioned:

http://users.worldgate.com/~marcs/fp

Short of user-to-user content security problems, according to this page the primary root exploit is:

1. discover the key file using, among other things, ps, because FrontPage passes the key using environment variables
2. the key file allows (like the httpd daemon can) a user to invoke fpexe, a SUID program
3. with the key, you can also tell fpexe to execute a /tmp/nasty as the user bin
4. the bin-privileged program replaces/modifies a well-known bin-owned program
5. next time root (cron) runs that well-known program ... well, you know the rest...

The problem that I see with this security flaw theory is:

The current source code, at least the source code in the ports collection for apache-fp that I looked at, reveals that fpexe.c does not SGID or SUID to values lower than specially set defines at the beginning of the code. Thus, user ID #3 (bin) is too low and fpexe would not allow a SUID/SGID to that user.
Also, it doesn't appear that after SUID'ing fpexe will execute anything other than the specific CGI programs in the specially designated directories that it was designed to invoke.

I would tend to think those values should be bumped to at least higher than any/all staff accounts on a given machine, since non-security-minded people might set up a cron'd program somewhere or a similar hole without giving thought to what's happening behind the scenes. You would assign common userids in the upper range only.

In addition, the author of that home page mentioned just a few checks that the FrontPage extensions do to enhance security and complained that there were not enough. When I scanned through the FreeBSD ports collection apache-fp fpexe.c, I saw many, many more checks than just the ones he talked about.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
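The two mitigations the message describes, a floor on the uid/gid a SUID wrapper will switch to and a restriction of what it will execute to a designated CGI directory, are easy to state as a small gate. The block below is an added illustration written for this page; it is not fpexe.c from the apache-fp port, and the threshold values, the define names and the CGI directory path are constructed assumptions. It shows why the "run /tmp/nasty as bin" step from the quoted page would be refused by such checks.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed thresholds. fpexe.c's real defines and values are not quoted
 * in the message, so these names and numbers are hypothetical. */
#define MIN_TARGET_UID 1000
#define MIN_TARGET_GID 1000

/* Hypothetical directory holding the only CGI programs the wrapper may run. */
#define CGI_DIR "/usr/local/frontpage/_vti_bin/"

/* Returns 1 if switching to (uid, gid) is permitted, 0 otherwise.
 * System accounts such as bin (uid 3) fall below the floor and are refused. */
int target_ids_allowed(uid_t uid, gid_t gid) {
    if (uid < MIN_TARGET_UID) return 0;
    if (gid < MIN_TARGET_GID) return 0;
    return 1;
}

/* Returns 1 if path names a plain file directly inside CGI_DIR:
 * it must start with the directory prefix, and the remainder may not be
 * empty, contain a '/', or be "." / "..", so /tmp paths and traversal
 * through the CGI directory are both rejected. */
int cgi_path_allowed(const char *path) {
    size_t n = strlen(CGI_DIR);
    if (strncmp(path, CGI_DIR, n) != 0) return 0;
    const char *rest = path + n;
    if (*rest == '\0') return 0;
    if (strchr(rest, '/') != NULL) return 0;
    if (strcmp(rest, ".") == 0 || strcmp(rest, "..") == 0) return 0;
    return 1;
}

/* Combined gate: privileges are dropped and the program executed only when
 * both the identity floor and the directory restriction pass. */
int fpexe_gate(uid_t uid, gid_t gid, const char *path) {
    return target_ids_allowed(uid, gid) && cgi_path_allowed(path);
}

int main(void) {
    /* Constructed sample requests: the scenario from the quoted page
     * (uid 3 = bin, program in /tmp) and a legitimate-looking request. */
    printf("bin + /tmp/nasty: %d\n", fpexe_gate(3, 7, "/tmp/nasty"));
    printf("uid 1001 + CGI_DIR program: %d\n",
           fpexe_gate(1001, 1001, CGI_DIR "shtml.exe"));
    return 0;
}
```

The floor is what the message suggests raising above all staff uids: any account below it cannot be a target even if the key is obtained, and the directory check keeps the wrapper from running arbitrary files even for a permitted uid.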