Date: Fri, 8 Sep 2000 00:13:21 +0200 (MET DST)
From: "Vladimir Mencl, MK, susSED"
To: "Andrey A. Chernov"
Cc: "Todd C. Miller", Warner Losh, Kris Kennaway, freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: UNIX locale format string vulnerability (fwd)
In-Reply-To: <20000908014646.A19231@nagual.pp.ru>
Message-ID:

On Fri, 8 Sep 2000, Andrey A. Chernov wrote:

> On Thu, Sep 07, 2000 at 03:40:03PM -0600, Todd C. Miller wrote:
> > In message <20000908013556.A19114@nagual.pp.ru>
> > so spake "Andrey A. Chernov" (ache):
> >
> > > 'sudo' port *must* strip NLSPATH and PATH_LOCALE variables. No other
> > > actions required.
> >
> > That seems pretty reasonable. I'll strip those out of the environment
> > in sudo 1.6.4.
>
> Speaking outside of locale/nls area, 'sudo' *must* internally
> setenv TERMCAP /usr/share/misc/termcap
> too, for the same reasons. Grep 'issetugid' through libraries is your
> friend.

Yeah, that was a really interesting search:

    vlada@dual:/ftp/pub/FreeBSD/branches/-current/src/lib$ find . -name \*.c | xargs grep issetugid
    ./libc/db/btree/bt_open.c:      if (issetugid() == 0)
    ./libc/gen/glob.c:              issetugid() != 0 ||
    ./libc/locale/setlocale.c:      && !issetugid()
    ./libc/locale/setrunelocale.c:  && !issetugid()
    ./libc/net/res_init.c:          if (issetugid() == 0 && (cp = getenv("LOCALDOMAIN")) != NULL) {
    ./libc/net/res_init.c:          if (issetugid())
    ./libc/net/res_query.c:         if (issetugid())
    ./libc/nls/msgcat.c:            || issetugid()
    ./libc/stdio/tempnam.c:         if (issetugid() == 0 && (f = getenv("TMPDIR"))) {
    ./libc/stdtime/localtime.c:     if (name != NULL && issetugid() != 0)
    ./libedit/el.c:                 if (issetugid() == 0 && (tty = getenv("DEBUGTTY")) != NULL) {
    ./libedit/el.c:                 if (issetugid() != 0 || (ptr = getenv("HOME")) == NULL)
    ./libncurses/termcap.c:         if (issetugid())

What I see immediately:

  - locales and message catalogs: we already know about them.
  - file globbing: HOME is ignored, the home from the passwd entry is used.
  - the resolver: env vars LOCALDOMAIN, RES_OPTIONS, HOSTALIASES.
  - tempnam.c: ? even the TMPDIR ?
  - DEBUGTTY ?
  - termcap.
  - the btree code is also concerned about TMPDIR: when setugid, ignore it and use /tmp.

Yeah, it looks like sudo & friends should be discarding all environment variables that are discarded anywhere after an issetugid check.

Looks like this is all, for the base system.

Maybe there should be a system-wide list of env vars not to be passed to programs running with elevated privileges....

The problem is rather generic: the cause is that a setugid program executes another program at the elevated privilege level, but does not transfer the "issetugid" flag. IMHO.

Vladimir Mencl
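As an added illustration of the point made in this message (not code from the thread, sudo, or FreeBSD libc): a privilege-elevating wrapper can rebuild the environment it passes to the child, dropping exactly the variables the grep output above shows libc honouring only when issetugid() is false, and pinning TERMCAP as Andrey suggested. The variable list, `sanitize_env` and the sample environment in `main` are this example's own constructions.

```c
#include <stdio.h>
#include <string.h>

/* Names the grep output shows libc ignoring once issetugid() is set,
 * plus RES_OPTIONS and HOSTALIASES from the resolver remark above. */
static const char *const untrusted[] = {
    "NLSPATH", "PATH_LOCALE", "TERMCAP", "LOCALDOMAIN", "RES_OPTIONS",
    "HOSTALIASES", "TMPDIR", "DEBUGTTY", NULL
};
static char termcap[] = "TERMCAP=/usr/share/misc/termcap";

/* Is the name part of a "NAME=value" entry one of the untrusted names? */
static int is_untrusted(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t len = eq ? (size_t)(eq - entry) : strlen(entry);
    for (const char *const *p = untrusted; *p != NULL; p++)
        if (strlen(*p) == len && strncmp(*p, entry, len) == 0)
            return 1;
    return 0;
}

/* Copy env into out (capacity outmax, NULL-terminated), dropping untrusted
 * entries and appending a pinned TERMCAP. Returns the number of entries
 * written, or -1 if out cannot hold the result. */
int sanitize_env(char *const *env, char **out, size_t outmax)
{
    size_t n = 0;
    if (outmax < 2)                 /* room for TERMCAP and the NULL */
        return -1;
    for (; *env != NULL; env++) {
        if (is_untrusted(*env))
            continue;
        if (n + 3 > outmax)         /* this entry + TERMCAP + NULL */
            return -1;
        out[n++] = *env;
    }
    out[n++] = termcap;
    out[n] = NULL;
    return (int)n;
}

int main(void)
{
    /* Constructed caller environment with overrides a set-id child must not see. */
    char *env[] = { "PATH=/usr/bin:/bin", "NLSPATH=/tmp/%N",
                    "TERMCAP=/tmp/termcap", "HOME=/home/vlada", NULL };
    char *out[8];
    int n = sanitize_env(env, out, sizeof out / sizeof out[0]);
    for (int i = 0; i < n; i++)
        puts(out[i]);               /* PATH, HOME, then the pinned TERMCAP */
    return n < 0;
}
```

The resulting array is what the wrapper would hand to execve(2) as the child's envp instead of its own environ.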