Date: Thu, 22 Oct 1998 18:25:50 -0700 (PDT)
From: Marc Slemko
To: "Dan Seafeldt, AZ.COM System Administrator"
cc: Paul Hart, Deepwell Internet, freebsd-security@FreeBSD.ORG
Subject: Re: FrontPage Server Extensions

On Thu, 22 Oct 1998, Dan Seafeldt, AZ.COM System Administrator wrote:

> Regarding your comments about the dangers of using Frontpage 98 extension
> modified apache server, and the home page you mentioned:
>
> > http://users.worldgate.com/~marcs/fp
>
> Short of user to user content security problems, according to this page
> the primary root exploit is:
>
> 1. discover key file using, among other things, ps because frontpage passes
>    key using environment variables
> 2. key file allows (like the httpd daemon can) user to invoke fpexe, a SUID
> 3. with key, you can also tell fpexe to execute a /tmp/nasty as the user bin
> 4. the bin privileged program replaces/modifies a well known bin owned prog
> 5. next time root (cron) runs that well known program ... well you know
>    the rest...
>
> The problem that I see with this security flaw theory is:

Read the page a bit more closely, and look at MS's release dates. The reason the security checks are in the current version is due to my complaints. They essentially went through and added the things I complained they didn't have, plus it looks like they copied the checking that Apache's suexec does.

This is no "security flaw theory". It is hard evidence of how braindead and boneheaded the extensions were when that page was written. The current version does not have the flaws described on that page, but does have the ones (some of them somewhat fundamental to what it is trying to do, some implementation mess-ups) that I briefly described earlier to the list.

Regardless, I certainly am not overly willing to put much trust in programs written by the same people that wrote the horrible monstrosity that the original fpexe.c was.
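One defender-side check for the last two steps of the chain quoted above, added here as an example (it is not code from this thread, from FrontPage or from Apache): audit a crontab for commands whose files a less-privileged account could replace. The sample crontab and the paths in it are constructed.

```python
"""Audit a crontab for commands a less-privileged account could replace.
Added example, not code from this thread, FrontPage or Apache. Steps 4-5 of the
quoted chain work because root's cron runs a program owned by bin, so this flags
each command whose file is not owned by the trusted uid, is writable, or is missing."""
import os
import shlex
import stat
# Constructed sample in /etc/crontab format (has a "who" field); paths are placeholders.
SAMPLE_SYSTEM_CRONTAB = """\
SHELL=/bin/sh
*/5 * * * * root /usr/libexec/atrun
0 3 * * * root /usr/local/sbin/nightly-cleanup -v
"""

def parse_crontab(text, system_format=True):
    """Yield (who, command) per job line; skip blanks, comments and VAR=value lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue
        # @reboot-style lines have one schedule field, numeric lines have five
        n = (1 if line.startswith("@") else 5) + (1 if system_format else 0)
        parts = line.split(None, n)
        if len(parts) <= n:
            continue  # schedule with no command
        yield (parts[n - 1] if system_format else None), parts[n]

def audit_crontab(text, trusted_uid=0, system_format=True):
    """Return (path, reason) findings; the path is the first word cron's shell execs."""
    findings = []
    for _who, command in parse_crontab(text, system_format):
        words = shlex.split(command)
        path = words[0] if words else command
        if not os.path.isabs(path):
            findings.append((path, "not an absolute path; resolved via PATH"))
            continue
        try:
            st = os.stat(path)
        except OSError:
            findings.append((path, "missing"))
            continue
        if st.st_uid != trusted_uid:
            findings.append((path, "owned by uid %d, not %d" % (st.st_uid, trusted_uid)))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "group- or world-writable"))
    return findings

if __name__ == "__main__":
    for path, reason in audit_crontab(SAMPLE_SYSTEM_CRONTAB):
        print("%s: %s" % (path, reason))
```

On a live system, feed it /etc/crontab (system format) and each file under /var/cron/tabs (user format, with trusted_uid set to that user's uid) rather than the constructed sample.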