The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #277 [Hole in Usenet] (1 message, 799 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/277.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: iuvax!ames.arc.nasa.gov!vsi1!lmb (Larry Blair)
To: phage
Date: Fri 16:13:56 18/11/1988 EST
Subject: Hole in Usenet

The hole I have discovered in _many_ systems is the use of a script for the
automatic unsharing of maps.  It would be trivially easy to forge a map
entry which contained commands to wreak damage to your system.  There is
some danger even if you are running "uuhosts".

If your script does not do a "chroot" (uuhosts does), you and your network
are wide open for anything that can be done by the effective user running
the script.  You run it as "news"?  Can you say "rm -f -r /usr/spool/news"?

Uuhosts is only slightly more protected.  The mapsh program does a chroot
to limit any damage to the directory tree containing the unpacked maps.
All of the commands in the effective /bin allow the creation and overwrite
of files.  The danger here is that, besides overwriting everything in the
directory tree including the programs in the /bin, you can run the filesystem
out of space or out of inodes.  And since mapsh runs as root, out of space
means REALLY out of space.  Planting Trojan Horses is also possible.

Solution:

Do not execute the map script.  Write your own script to unpack it.

--
Larry Blair   ames!vsi1!lmb   lmb%vsi1.uucp@ames.arc.nasa.gov

END OF DOCUMENT
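The solution in the message above (unpack the map archive as data instead of feeding it to a shell), as an added example that is not part of the original post and not uuhosts code. The archive layout, the file-name rule, the size limits and the name `unpack_shar` are assumptions made for illustration.

```python
import re

# Assumed layout (not from the original post): each file in the archive is
#   sed 's/^X//' > NAME << 'DELIM'
# followed by X-prefixed body lines and a closing DELIM line.
HEADER = re.compile(r"sed 's/\^X//' > (\S+) << '([A-Za-z0-9_]+)'")
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
# Lines tolerated between files; they are skipped, never run.
HARMLESS = re.compile(r"|[:#].*|echo [A-Za-z0-9 ._-]*( 1>&2)?|exit 0")
MAX_FILES = 64            # cap on files per archive (inode exhaustion)
MAX_BYTES = 512 * 1024    # cap on unpacked size (disk exhaustion)

# Constructed sample archive, not a real map posting.
SAMPLE = """: To unbundle, sh this file
echo x - u.test.1 1>&2
sed 's/^X//' > u.test.1 << 'SHAR_EOF'
X#N hosta
Xhosta hostb(DAILY)
SHAR_EOF
exit 0
"""

def unpack_shar(text):
    """Return {name: content} without executing any line of the archive."""
    files, total = {}, 0
    lines = iter(text.splitlines())
    for line in lines:
        header = HEADER.fullmatch(line)
        if not header:
            if not HARMLESS.fullmatch(line):
                raise ValueError("unexpected command: %r" % line)
            continue
        name, delim = header.groups()
        if not SAFE_NAME.fullmatch(name) or name in files:
            raise ValueError("bad or duplicate name: %r" % name)
        if len(files) >= MAX_FILES:
            raise ValueError("too many files")
        body = []
        for data in lines:
            if data == delim:
                break
            total += len(data)
            if not data.startswith("X") or total > MAX_BYTES:
                raise ValueError("bad body line or archive too large")
            body.append(data[1:])
        else:
            raise ValueError("missing end marker for %s" % name)
        files[name] = "\n".join(body) + "\n"
    return files
```

Because nothing is written to disk until the whole archive has parsed, a caller can discard a rejected posting without leaving partial files behind.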