Date: Thu, 15 Feb 2001 14:23:25 -0600 (CST)
From: James Wyatt
To: Chris
Cc: freebsd-security@FreeBSD.org
Subject: Re: zmodem protocol?

On Thu, 15 Feb 2001, Chris wrote:
> Has anybody heard anything about possible security flaws in "lrzsz" ?
> Here's a short description from the website: "lrzsz is a unix
> communication package providing the XMODEM, YMODEM ZMODEM file transfer
> protocols." And the website: http://www.ohse.de/uwe/software/lrzsz.html

I still have to support X/Y/Z-modem for EDI dialin customers and several
other misc uses. The thing that comes to mind immediately is that Z-modem
allows running of a remote program unless you neuter the source code. The
code was not even expert friendly, IIRC, and was hell to pipe-fit to code
that did processing I needed performed on the files and managed the modem
ports. While I do not know of any specific buffer overflow bugs, given the
quality of what I saw, I think it would be pretty "chewy" to audit it. The
code runs non-suid, so you would only be risky if the user running the
{r,s}{x,b,z} commands wasn't who was on the other end of the
communications flow - not a problem with shell accounts using them on the
command line. I had to worry about it because my EDI users had no shell
accounts.

FWIW, there isn't much in the X-modem stuff to break, but Z-modem allowed
pushing of the filename, the aforementioned remote command, and some other
stuff that would be ripe for buffer bugs. It was definitely quicker than
building X/Y/Z-modem support from scratch and from the various conflicting
specs and I really appreciated that the code *worked*, it was just hard to
turn into an API and maintain. - Jy@
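
Added example (not part of the original message and not lrzsz code): a receiver-side check for the two sender-controlled inputs the message names, the remote-command frame and the pushed filename. The function names are hypothetical; the code assumes the ZMODEM specification's frame number for ZCOMMAND (18) and a ZFILE data subpacket that starts with a NUL-terminated name followed by an info string.

```c
#include <stddef.h>
#include <string.h>

/* Frame type number for the remote-command frame in the ZMODEM spec. */
#define ZCOMMAND 18

/* Hypothetical receiver policy: refuse remote-command frames outright. */
int frame_allowed(int type) { return type != ZCOMMAND; }

/* Hypothetical helper: validate the name pushed in a ZFILE data subpacket
 * and copy it into a bounded buffer.
 * Returns 0 on success, -1 if the name must be rejected. */
int zfile_safe_name(const unsigned char *pkt, size_t pkt_len,
                    char *out, size_t out_len)
{
    if (pkt == NULL || pkt_len == 0 || out == NULL || out_len == 0)
        return -1;
    /* The NUL must lie inside the bytes actually received. */
    const unsigned char *end = memchr(pkt, '\0', pkt_len);
    if (end == NULL || end == pkt)
        return -1;
    size_t n = (size_t)(end - pkt);
    if (n >= out_len)
        return -1;              /* too long: reject rather than truncate */
    if (pkt[0] == '/')
        return -1;              /* absolute path chosen by the sender */

    size_t seg = 0;             /* start of the current path segment */
    for (size_t i = 0; i <= n; i++) {
        unsigned char c = (i < n) ? pkt[i] : '/';  /* sentinel ends last segment */
        if (i < n && (c < 0x20 || c == 0x7f || c == '\\'))
            return -1;          /* control bytes, backslash separators */
        if (c != '/')
            continue;
        size_t len = i - seg;
        if (len == 0)
            return -1;          /* empty segment or trailing slash */
        if (len == 2 && pkt[seg] == '.' && pkt[seg + 1] == '.')
            return -1;          /* ".." would climb out of the spool dir */
        seg = i + 1;
    }
    memcpy(out, pkt, n);
    out[n] = '\0';
    return 0;
}
```
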