Return-Path: owner-BUGTRAQ@NETSPACE.ORG
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143]) by nob.cs.ucdavis.edu (8.8.8/8.8.7) with ESMTP id VAA12641 for ; Tue, 7 Jul 1998 21:05:53 -0700 (PDT) (envelope-from owner-BUGTRAQ@NETSPACE.ORG)
Received: from unknown@netspace.org (port 32352 [128.148.157.6]) by brimstone.netspace.org with ESMTP id <81156-20228>; Wed, 8 Jul 1998 00:07:13 -0400
Date: Wed, 8 Jul 1998 00:04:55 -0400
Reply-To: Bugtraq List
Sender: Bugtraq List
From: Automatic digest processor
Subject: BUGTRAQ Digest - 6 Jul 1998 to 7 Jul 1998
To: Recipients of BUGTRAQ digests
Message-Id: <19980708040713Z81156-20228+14@brimstone.netspace.org>

There are 3 messages totalling 312 lines in this issue.

Topics of the day:

  1. ANNOUNCE: WinAudlog, centralized logfile checking
  2. ncurses 4.1 security bug (2)

----------------------------------------------------------------------

Date: Tue, 7 Jul 1998 17:45:58 -0300
From: Ivan Arce
Subject: ANNOUNCE: WinAudlog, centralized logfile checking

-----BEGIN PGP SIGNED MESSAGE-----

DO YOU TRUST YOUR SYSTEM'S LOGS?

AudLog For Windows
Secure System Log Auditing
** FREE **

AUDLOG for Windows can be used to centralize the auditing of distributed system logs in a network and certify that intruders did not modify these logs.

When combined with SECURE SYSLOG, AudLog for Windows makes the perfect package for SECURE LOGGING and AUDITING:

+ Easy to use graphical interface
+ AUDLOG downloads the logs generated by SECURE SYSLOG and verifies their integrity
+ Allows for centralized auditing of an unlimited number of computers in a network
+ PEO-1 cryptographic protocol for authenticating log-file integrity
+ 128-bit symmetric cryptography and a challenge-response protocol for mutual authentication and confidentiality.
+ Iconized security flags for log-files, hosts and groups of hosts.

SECURE SYSLOG (ssyslog) is available for UNIX systems. Designed to replace the syslog daemon, ssyslog implements a cryptographic protocol called PEO-1 that allows the remote auditing of system logs. Auditing remains possible even if an intruder gains superuser privileges in the system; the protocol guarantees that the information logged before and during the intrusion process cannot be modified without the auditor (on a remote, trusted host) noticing.

What is AudLog for Windows?
~~~~~~~~~~~~~~~~~~~~~~~~~~

Audlog is a Win95/WinNT program that lets you manipulate logfiles from a centralized point in your network. It works in conjunction with Secure Syslog, a replacement for the UNIX syslogd that provides cryptographic mechanisms to verify the integrity of the log files. Secure Syslog provides a way of auditing the log files remotely, from a trusted auditing host, using the provided UNIX utility called 'audlog'.
WinAudlog is the equivalent program for MS Windows; it features an easy to use interface and the required crypto algorithms for authentication, data transfer and integrity checking.

AUDLOG was developed in CORELABS, the research labs of CORE SDI S.A., and is now being distributed freely. AUDLOG and SECURE SYSLOG are FREE.

To get the binary for Windows 95/NT go to:
- -------------------------------------------

To get the source code and/or more information regarding ssyslog go to:
- -----------------------------------------------------------------------

To get more information about CORELABS, SECURE LOGGING or PEO go to:
- --------------------------------------------------------------------

--
==============================[ CORE Seguridad de la Informacion S.A. ]=======
Ivan Arce                            Gerencia de Tecnologia
Email : ivan@core-sdi.com            Av. Santa Fe 2861 5to C
TE : +54-1-821-1030                  CP 1425
FAX : +54-1-821-1030                 Buenos Aires, Argentina
Mensajeria: +54-1-317-4157
==============================================================================

------------------------------

Date: Tue, 7 Jul 1998 20:06:11 +0100
From: Duncan Simpson
Subject: ncurses 4.1 security bug

ncurses version 4.1 fails to drop privileges before opening the termcap database and you can set any file(s) you like. I am not sure any setuid program allows an exploit but this is not good in any case. Here is a patch that stops that game. (Using the patch requires autoconf because I have not supplied diffs against the configure script).

Terminfo information can be put anywhere by an environment variable and it will follow symlinks. This seems less dangerous but also wants plugging.

There are 3 versions of each plug supplied: setfsuid, setreuid and seteuid plus saved ids. You can define KEEP_PRIVS if you still wish to take the risk.

Duncan (-:

--- ncurses/read_termcap.c.dist Tue Jul 7 18:40:52 1998 +++ ncurses/read_termcap.c Tue Jul 7 19:23:34 1998 @@ -43,6 +43,14 @@ #include #include #include +#include + +#ifdef HAVE_FSUID_H +#include +#endif /* HAVE_FSUID_H */ +#ifdef HAVE_SYS_TYPES_H +#include +#endif /* HAVE_SYS_TYPES_H */ #if HAVE_FCNTL_H #include @@ -397,6 +405,10 @@ int tc_not_resolved; int current; int lineno; +#ifndef KEEP_PRIVS + uid_t fsuid; + gid_t fsgid; +#endif /* KEEP_PRIVS */ /* * Return with ``loop detected'' error if we've recurred more than
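Review bot: the include guard added in the first read_termcap.c hunk (@@ -43,6 +43,14 @@) tests `HAVE_FSUID_H`, but the configure.in hunk below adds `sys/fsuid.h` to the header check, which autoconf reports as `HAVE_SYS_FSUID_H` (the name the read_entry.c hunk uses). As written the header is never pulled into read_termcap.c on the setfsuid path, so `setfsuid()`/`setfsgid()` are called without a prototype; change the guard and its matching `#endif` comment to `HAVE_SYS_FSUID_H`.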
@@ -442,7 +454,43 @@ if (fd >= 0) { (void)lseek(fd, (off_t)0, SEEK_SET); } else { +#ifndef KEEP_PRIVS +#ifdef HAVE_SETFSUID + /* drop privs to make sure file allowed */ + fsuid=setfsuid(getuid()); + fsgid=setfsgid(getgid()); +#else + fsuid=getuid(); + fsgid=getgid(); +#ifdef HAVE_SETREUID + /* Swap real and effective uid */ + setreuid(geteuid(), getuid()); + serregid(getegid(), getgid()); +#else + seteuid(getuid()); /* Saved ids or broken */ + setegid(getgid()); +#endif /* HAVE_SETREUID */ +#endif /* HACE_SETFSUID */ +#endif /* KEEP PRIVS */ fd = open(db_array[current], O_RDONLY, 0); +#ifndef KEEP_PRIVS +#ifdef HAVE_SETFSUID + /* Safe to restore them now */ + uid=setfsuid(fsuid); + gid=setfsgid(fsgid); +#else +#ifdef HAVE_SETREUID + /* Swap real and effective uid */ + setreuid(geteuid(), getuid()); + serregid(getegid(), getgid()); +#else + seteuid(fsuid); /* Saved ids or broken */ + setegid(fsgid); +#endif /* HAVE_SETREUID */ +#endif /* HACE_SETFSUID */ + +#endif /* KEEP PRIVS */ + if (fd < 0) { /* No error on unfound file. */ if (errno == ENOENT) --- configure.in.old Tue Jul 7 18:52:52 1998 +++ configure.in Tue Jul 7 19:15:12 1998 @@ -396,6 +396,9 @@ ttyent.h \ unistd.h \ values.h \ +sys/types.h \ +sys/fsuid.h \ +errno.h \ ) # check for HPUX's ANSI compiler @@ -460,6 +463,12 @@ usleep \ vfscanf \ vsscanf \ +setfsuid \ +setfsgid \ +setreuid \ +setregid \ +seteuid \ +setuid \ ) if test $ac_cv_func_sigaction = yes; then --- ncurses/read_entry.c.dist Tue Jul 7 19:48:08 1998 +++ ncurses/read_entry.c Tue Jul 7 19:52:03 1998 @@ -31,6 +31,12 @@ #if HAVE_FCNTL_H #include #endif +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_SYS_FSUID_H +#include +#endif #include #include 
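Review bot: the restore block in the read_termcap.c hunk at @@ -442,7 +454,43 @@ will not compile on two of the three paths. `uid=setfsuid(fsuid); gid=setfsgid(fsgid);` assigns to `uid` and `gid`, which are never declared (the @@ -397 hunk only adds `fsuid` and `fsgid`); either declare them or discard the return values. On the setreuid path both the drop and the restore call `serregid(...)`, a typo for `setregid(...)`. There is also a logic problem on the seteuid path: `fsuid=getuid(); fsgid=getgid();` saves the real ids, so the later `seteuid(fsuid); setegid(fsgid);` re-applies the unprivileged ids and the caller's effective ids are never restored; save `geteuid()`/`getegid()` before dropping instead. Finally, none of the `setfsuid`/`setreuid`/`seteuid` return values are checked, so if a switch fails the `open()` still runs with the elevated id; test each call and treat failure as an error. The `/* HACE_SETFSUID */` and `/* KEEP PRIVS */` endif comments don't match the macros they close; cosmetic, but fix them in the same pass.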
@@ -83,8 +89,49 @@ int name_size, bool_count, num_count, str_count, str_size; int i, fd, numread; char buf[MAX_ENTRY_SIZE]; - - if ((fd = open(filename, O_RDONLY)) < 0) +#ifndef KEEP_PRIVS + uid_t fsuid; + gid_t fsgid; +#endif /* KEEP_PRIVS */ + +#ifndef KEEP_PRIVS +#ifdef HAVE_SETFSUID + /* drop privs to make sure file allowed */ + fsuid=setfsuid(getuid()); + fsgid=setfsgid(getgid()); +#else + fsuid=getuid(); + fsgid=getgid(); +#ifdef HAVE_SETREUID + /* Swap real and effective uid */ + setreuid(geteuid(), getuid()); + serregid(getegid(), getgid()); +#else + seteuid(getuid()); /* Saved ids or broken */ + setegid(getgid()); +#endif /* HAVE_SETREUID */ +#endif /* HACE_SETFSUID */ +#endif /* KEEP PRIVS */ + fd=open(filename, O_RDONLY); +#ifndef KEEP_PRIVS +#ifdef HAVE_SETFSUID + /* drop privs to make sure file allowed */ + fsuid=setfsuid(getuid()); + fsgid=setfsgid(getgid()); +#else + fsuid=getuid(); + fsgid=getgid(); +#ifdef HAVE_SETREUID + /* Swap real and effective uid */ + setreuid(geteuid(), getuid()); + serregid(getegid(), getgid()); +#else + seteuid(getuid()); /* Saved ids or broken */ + setegid(getgid()); +#endif /* HAVE_SETREUID */ +#endif /* HACE_SETFSUID */ +#endif /* KEEP PRIVS */ + if (fd<0) return(0); T(("read terminfo %s", filename));

------------------------------

Date: Tue, 7 Jul 1998 19:28:28 -0400
From: "Perry E. Metzger"
Subject: Re: ncurses 4.1 security bug

Duncan Simpson writes:
> ncurses version 4.1 fails to drop privileges before opening the
> termcap database and you can set any file(s) you like.

This is not a bug. ncurses is a *library*, not a *program*. It is up to suid programs to drop privileges, not every call that invokes them -- or are you going to declare the fact that fopen() doesn't drop privileges a "bug"?

.pm

------------------------------

End of BUGTRAQ Digest - 6 Jul 1998 to 7 Jul 1998
************************************************
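Review bot: in the read_entry.c hunk at @@ -83,8 +89,49 @@ the block following `fd=open(filename, O_RDONLY);` is a verbatim copy of the drop block rather than a restore: it runs `fsuid=setfsuid(getuid()); fsgid=setfsgid(getgid());` (and `seteuid(getuid())` on the saved-ids path) a second time, overwriting the saved `fsuid`/`fsgid` instead of passing them back with `setfsuid(fsuid)`/`seteuid(fsuid)`. On the setfsuid and seteuid paths the calling program is left running with the unprivileged ids after every terminfo read; only the setreuid path recovers, and only because swapping twice happens to be its own inverse. Replace the second block with a real restore, save `geteuid()`/`getegid()` rather than `getuid()`/`getgid()` on the seteuid path so there is something to restore to, check the return value of each id switch, and fix the repeated `serregid` typo (should be `setregid`), which stops this file compiling on the setreuid path.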