From owner-freebsd-security Thu Sep 7 9:18: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id E6C6337B422; Thu, 7 Sep 2000 09:18:04 -0700 (PDT)
Received: from billy-club.village.org (billy-club.village.org [10.0.0.3]) by rover.village.org (8.9.3/8.9.3) with ESMTP id KAA37265; Thu, 7 Sep 2000 10:17:57 -0600 (MDT) (envelope-from imp@billy-club.village.org)
Received: from billy-club.village.org (localhost [127.0.0.1]) by billy-club.village.org (8.11.0/8.8.3) with ESMTP id e87GIOG16223; Thu, 7 Sep 2000 10:18:24 -0600 (MDT)
Message-Id: <200009071618.e87GIOG16223@billy-club.village.org>
To: "Vladimir Mencl, MK, susSED"
Subject: Re: UNIX locale format string vulnerability (fwd)
Cc: Kris Kennaway , Cy Schubert - ITSD Open Systems Group , freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG, millert@openbsd.org
In-reply-to: Your message of "Thu, 07 Sep 2000 13:00:10 +0200."
References:
Date: Thu, 07 Sep 2000 10:18:24 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message "Vladimir Mencl, MK, susSED" writes:
: I allowed a user to run '/bin/ls -l /' as root - a simple test.
:
: /bin/ls did respond to both LC_ALL and PATH_LOCALE (by providing a
: localized date/time formatting) even when invoked via
: sudo. That would be sufficient to use the vulnerability, I suppose.

Did it allow you to read a file in PATH_LOCALE that otherwise it wouldn't have? Are there buffer overflows that this could exploit? Are there information leaks that you could force with this? What, specifically, is the problem here?

: In my opinion, the cause of the vulnerability is in the conjunction of
: two conditions -
:
: 1. the "general misconception of locales", allowing user to tweak the
: behavior of programs via locales, which has been solved in FreeBSD, and
: 2. sudo not taking into account the fact that FreeBSD has decided to
: propagate custom locales to programs running with upgraded privileges.

sudo was designed to be fairly permissive in many ways. The authors of sudo explicitly realized that there may be loopholes in the command set that you give users and that you must trust honest users to stay honest with it.

Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
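The exchange above turns on a privileged program taking a message string from a locale-selected catalog (reached through environment variables such as LC_ALL or PATH_LOCALE that sudo passed through) and handing it to printf as the format. The following is an added example, not code from the thread, from FreeBSD, or from sudo: it shows the unsafe pattern beside a hardened version that checks the catalog string's conversion directives against the program's own trusted format before using it. The catalog string is passed in directly as a stand-in for a catgets()/gettext() lookup, so the example runs offline; `extract_conversions` and `render_message` are names chosen here, and the French message in `main` is constructed input.

```c
#include <stdio.h>
#include <string.h>

/* Record the conversion character of every printf directive in s
 * ("%%" is a literal and is skipped).  Returns the number of directives,
 * or -1 if the string contains %n, a '*' width/precision (which consumes
 * an extra argument), a dangling '%', or more directives than conv holds. */
int extract_conversions(const char *s, char *conv, size_t convlen)
{
    size_t n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                         /* literal percent sign */
        /* skip flags, field width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.hlLqjzt", *p))
            p++;
        if (*p == '\0' || *p == 'n' || *p == '*')
            return -1;
        if (n + 1 >= convlen)
            return -1;
        conv[n++] = *p;
    }
    conv[n] = '\0';
    return (int)n;
}

/* The pattern behind the vulnerability discussed above: a string chosen
 * by the caller's locale environment becomes the format string.  A catalog
 * entry such as "%x %x %x %n" then reads the stack or writes to memory. */
void render_message_unsafe(char *out, size_t outlen,
                           const char *catalog, const char *arg)
{
    snprintf(out, outlen, catalog, arg);      /* format string under attacker control */
}

/* Hardened form: the catalog string is used as the format only if its
 * argument signature is identical to the program's trusted format;
 * otherwise the trusted (untranslated) format is used.  Returns 1 if the
 * catalog string was accepted, 0 if it was rejected. */
int render_message(char *out, size_t outlen, const char *catalog,
                   const char *trusted, const char *arg)
{
    char want[32], got[32];
    int ok = extract_conversions(trusted, want, sizeof want) >= 0
          && extract_conversions(catalog, got, sizeof got) >= 0
          && strcmp(want, got) == 0;
    snprintf(out, outlen, ok ? catalog : trusted, arg);
    return ok;
}

int main(void)
{
    char out[128];
    const char *trusted = "cannot open %s";

    /* constructed catalog entries: one legitimate translation, one hostile */
    render_message(out, sizeof out, "impossible d'ouvrir %s", trusted, "/etc/master.passwd");
    printf("accepted translation: %s\n", out);
    render_message(out, sizeof out, "%x %x %x %s", trusted, "/etc/master.passwd");
    printf("rejected catalog entry, fell back to: %s\n", out);
    return 0;
}
```

Rejecting mismatched directives is the same check that message-catalog tooling applies at build time; doing it at run time covers the case where the catalog itself is chosen by an untrusted environment. The stronger fix the thread points at is for the privileged wrapper (sudo) not to pass locale variables through in the first place.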