Date:      Thu, 7 Sep 2000 13:00:10 +0200 (MET DST)
From:      "Vladimir Mencl, MK, susSED" <mencl@nenya.ms.mff.cuni.cz>
To:        Kris Kennaway <kris@FreeBSD.ORG>
Cc:        Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject:   Re: UNIX locale format string vulnerability (fwd)
Message-ID:  <Pine.GSO.4.10.10009071250210.25945-100000@nenya.ms.mff.cuni.cz>
In-Reply-To: <Pine.BSF.4.21.0009070344560.2137-100000@freefall.freebsd.org>

On Thu, 7 Sep 2000, Kris Kennaway wrote:

> On Thu, 7 Sep 2000, Kris Kennaway wrote:
> 
> > Thanks for the report. I'll look into it and issue a ports advisory if
> > necessary (this seems to be a sudo problem, not a FreeBSD one -
> > PATH_LOCALE is ignored if setugid, and at first glance LC_ALL is okay too,
> > although I need to check that properly)
> 
> Which is to say, there could possibly be problems with certain vulnerable
> *non*-setugid apps launched by sudo, i.e. the user could execute other
> arbitrary commands as whatever user they are sudo'ing to. But I need to
> check whether this is in fact the case.

I did make some tests before posting my initial message.

I allowed a user to run '/bin/ls -l /' as root - a simple test.

/bin/ls did respond to both LC_ALL and PATH_LOCALE (by providing
localized date/time formatting) even when invoked via sudo. That would
be sufficient to use the vulnerability, I suppose.

In my opinion, the cause of the vulnerability is in the conjunction of
two conditions:

  1. the "general misconception of locales", allowing a user to tweak the
behavior of programs via locales, which has been solved in FreeBSD, and
  2. sudo not taking into account the fact that FreeBSD has decided to
propagate custom locales to programs running with upgraded privileges.


		Vladimir Mencl
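The sudo-side half of point 2 above, as an added illustration that is not part of this message, of FreeBSD, or of sudo's own code: a wrapper that scrubs the locale-selecting variables out of the environment before running a command, so that a caller's LC_ALL or PATH_LOCALE never reaches the program running as the target user. The variable list, the function names and the "C" locale pin are this example's own assumptions; the test strings are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread or from sudo): dropping locale-related
# environment variables before executing a command as another user.

# scrub_locale_env NAME=VALUE...
#   Prints the given assignments minus everything that steers locale
#   selection in the target program, then pins LC_ALL to the "C" locale.
#   Denylisted here (assumption, chosen for the example):
#     LC_*        POSIX locale categories, including LC_ALL and LC_MESSAGES
#     LANG        fallback for all categories
#     LANGUAGE    glibc gettext language priority list
#     PATH_LOCALE FreeBSD's locale directory override (the one in the report)
#     NLSPATH     search path for message catalogs
scrub_locale_env() {
    for kv in "$@"; do
        name=${kv%%=*}
        case "$name" in
            LC_*|LANG|LANGUAGE|PATH_LOCALE|NLSPATH)
                ;;                      # dropped: caller-controlled locale input
            *)
                printf '%s\n' "$kv"     # kept as-is
                ;;
        esac
    done
    printf 'LC_ALL=C\n'
}

# run_with_allowlist CMD [ARGS...]
#   The safer variant: start from an empty environment (env -i) and copy
#   only a fixed set of variables across, so an unanticipated variable
#   (a future LC_ category, a vendor-specific path override) cannot slip
#   through a denylist. The allowlist itself is this example's assumption.
run_with_allowlist() {
    env -i \
        PATH="${PATH:-/bin:/usr/bin}" \
        HOME="${HOME:-/}" \
        TERM="${TERM:-dumb}" \
        LC_ALL=C \
        "$@"
}
```

The denylist function is the minimum that addresses the report (PATH_LOCALE and LC_ALL reaching /bin/ls); the allowlist runner is the form a practitioner would actually deploy, since it does not need to know every variable a libc or program might honor. Later sudo releases took the allowlist direction with the env_reset option.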


