Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  NEWS  community  lists  Wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
Date: Mon, 16 Nov 2009 17:39:30 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Cc: jt@....org
Subject: Re: CVE request: oping allows the disclosure of
  arbitrary file contents

----- "Tomas Hoger" <thoger@...hat.com> wrote:
> On Thu, 15 Oct 2009 15:15:57 +0200 Julien Tinnes <jt@....org> wrote:
> 
> > in case anyone cares, oping also attempts to drop privileges with
> > setuid(getuid()); without checking setuid()'s return value.
> > 
> > It's an obvious vulnerability, because a local attacker can make setuid()
> > fail by setting a resource limit of 0 for RLIMIT_NPROC with setrlimit().
> 
> Does the RLIMIT_NPROC trick work against oping, or any setuid app that calls
> setuid(getuid())?
> 

This should work for everything that calls setuid()

I have a little bit about this here:
http://www.bress.net/blog/archives/34-setuid-madness.html

The short story is that if you call setuid(), you need to check the return
code.

-- 
    JB

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ