Date: 5 Feb 1997 19:03:33 -0000
From: tqbf@enteract.com
To: karl@Mcs.Net, freebsd-security@freebsd.org
Subject: Re: 2.1.6+++: crt0.c CRITICAL CHANGE
Message-ID: <19970205190333.11804.qmail@char-star.rdist.org>
In-Reply-To: <199702051742.LAA05872@Jupiter.Mcs.Net>
In article <199702051742.LAA05872@Jupiter.Mcs.Net>, you wrote:

>The ENTIRE setlocale() code is a HUGE security problem.

Among other things, locales in general are an issue. FreeBSD's rewritten locale code, which obviously wasn't written with much thought towards security, is another issue.

The main issue, to my mind, is the caller of an SUID program being able to control the path to its locale information. To my mind, SUID/SGID programs should be ignoring PATH_LOCALE. I don't know that the best way to handle this is from euid/uid checks in libc - that seems like a hack to me.

>SETLOCALE MUST BE REMOVED FROM USE UNTIL IT CAN BE FIXED. It is FULL of

... but, Mr. Denninger is right here. Among other things, the idiom for calling setlocale() seems to be to do it first, before argument processing. This means that any program vulnerable to any problem caused by the locale routines is vulnerable regardless of how it's called. I am concerned about privileged code calling non-privileged code and becoming vulnerable.

>I have already found setlocale() calls in SEVERAL privileged programs.

They're all over the place in 2.2, as a consequence of it not being handled automatically anymore.

>Note that Tom Ptacek WILL be releasing *EXPLOITS AND DETAILS* within one
>week. Either this gets fixed or the world knows how to break in.

I'm not concerned about the "fix" for the problem in question, since they're already out there (just remove locale processing altogether). I'm concerned that the FreeBSD project is not going to inform their users of this problem. This is, in my opinion, probably the most severe problem with FreeBSD that has been brought to public attention. An advisory for this problem needs to be released immediately. The FreeBSD project needs to come to grips with the fact that there are many, many people who won't act on a problem until CERT releases an advisory.

Until that happens, people will remain vulnerable to the problem, regardless of how much effort goes into finding "the right fix". I'll repeat myself, again: everyone that you should be worried about having exploit details to this problem ALREADY DOES. People are being broken into with this as we speak. There's a vast amount of 2.1 systems out there, and those 2.1 systems are on networks with other systems, and their vulnerabilities are going to seed the compromise of entire networks. This is not good.

Please, please, please alert the public (and the incident response teams) about this problem.

--
----------------
Thomas Ptacek at EnterAct, L.L.C., Chicago, IL [tqbf@enteract.com]
----------------
exit(main(kfp->kargc, argv, environ));
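The mitigation the message argues for (a set-id program must not honour a caller-supplied PATH_LOCALE) can be applied in the program itself, independent of whatever libc does. The following is an added example written for this archive page; it is not code from the thread, from FreeBSD, or from either correspondent. The helper names (`running_privileged`, `scrub_path_locale`, `path_locale_is_sane`, `init_locale_safely`) and the choice of `/usr/share/locale` as the only acceptable locale root are assumptions for illustration. The privilege test uses `issetugid(3)` where that call exists (FreeBSD, OpenBSD, macOS), since it also remembers a set-id start after privileges have been dropped, and falls back to comparing real and effective ids elsewhere.

```c
#define _DEFAULT_SOURCE   /* glibc: expose setenv(3)/unsetenv(3) under strict -std modes */
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: is this process running with privileges the invoking
 * user does not have?  issetugid(3) is preferred where available because it
 * stays true after a set-id program drops privileges; the uid/gid comparison
 * is a weaker fallback for systems without it. */
static int running_privileged(void)
{
#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__APPLE__)
    return issetugid();
#else
    return getuid() != geteuid() || getgid() != getegid();
#endif
}

/* Drop PATH_LOCALE from the environment when 'privileged' is non-zero, so a
 * later setlocale(LC_ALL, "") cannot be steered to caller-chosen files.
 * Returns 1 if the variable was present and removed, 0 otherwise.  The
 * decision is passed in, not computed here, so the policy can be exercised
 * from an ordinary unprivileged test. */
int scrub_path_locale(int privileged)
{
    if (!privileged)
        return 0;
    if (getenv("PATH_LOCALE") == NULL)
        return 0;
    unsetenv("PATH_LOCALE");
    return 1;
}

/* Conservative check an unprivileged program may apply before honouring
 * PATH_LOCALE at all: absolute, no ".." component, and rooted under the
 * system locale directory (assumed here to be /usr/share/locale).
 * Returns 1 if the value is acceptable, 0 otherwise. */
int path_locale_is_sane(const char *p)
{
    const char *root = "/usr/share/locale";
    size_t n = strlen(root);

    if (p == NULL || p[0] != '/')
        return 0;
    if (strstr(p, "..") != NULL)
        return 0;
    if (strncmp(p, root, n) != 0)
        return 0;
    /* Reject prefix look-alikes such as /usr/share/localefoo. */
    return p[n] == '\0' || p[n] == '/';
}

/* Locale initialisation for a program that may be installed set-id: scrub
 * first, then make the usual early setlocale() call the message describes.
 * Returns the selected locale name, or NULL if setlocale() failed. */
const char *init_locale_safely(void)
{
    scrub_path_locale(running_privileged());
    return setlocale(LC_ALL, "");
}

int main(void)
{
    /* Constructed value standing in for a caller-supplied PATH_LOCALE. */
    setenv("PATH_LOCALE", "/tmp/attacker-controlled", 1);

    const char *loc = init_locale_safely();
    const char *pl = getenv("PATH_LOCALE");
    printf("privileged=%d locale=%s PATH_LOCALE=%s\n",
           running_privileged(), loc ? loc : "(null)", pl ? pl : "(unset)");
    return 0;
}
```

Run as an ordinary user the program leaves PATH_LOCALE alone; installed set-id it removes the variable before the first `setlocale()` call, which is the point in the start-up sequence the message identifies as the exposure. Scrubbing in the program is a belt-and-braces measure: the libc-side approach (refusing PATH_LOCALE when `issetugid()` is true) protects every program at once, but cannot be relied on by code that has to run against an unpatched library.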