Bug 11723

Summary: Buffer overflows in kermit could allow elevated privileges
Product: [Retired] Red Hat Powertools
Reporter: SB <satan>
Component: C-Kermit
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: 6.2
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2000-05-29 00:37:18 UTC

Description SB 2000-05-29 00:37:18 UTC
I've briefly tried out the C-Kermit package from the powertools and noticed
it has several buffer overflows, including (apparently) in all code
dealing with hostname handling.  As kermit is installed setgid uucp it
could be possible to use the overflows to execute code under the group
uucp.  I tried to track the bugs down, but the code to C-Kermit is old and
trying to figure it out is like trying to do brain surgery with a
toothpick.  Here are a couple of examples of overflows:

[root@king cku197]# ls -al /usr/bin/kermit
-rwxr-sr-x    1 root     uucp      1513808 Mar 29 13:03 /usr/bin/kermit

[root@king cku197]# gdb kermit
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
...
This GDB was configured as "i386-redhat-linux"...(no debugging symbols
found)...
(gdb) run
Starting program: /usr/bin/kermit
C-Kermit 7.0.197, 8 Feb 2000, for Linux
 Copyright (C) 1985, 2000,
  Trustees of Columbia University in the City of New York.
Type ? or HELP for help.
(/usr/src/redhat/BUILD/cku197/) C-Kermit>lookup <1500 A's>
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info registers
eax            0x0      0
ecx            0x4831ca9b       1211222683
edx            0x0      0
ebx            0x1      1
esp            0xbfffdee4       0xbfffdee4
ebp            0x41414141       0x41414141
esi            0x825ef50        136703824
edi            0x825f3cd        136704973
eip            0x41414141       0x41414141

And another example:

[root@king cku197]# gdb kermit
GNU gdb 5.0
...
This GDB was configured as "i386-redhat-linux"...(no debugging symbols
found)...
(gdb) run
Starting program: /usr/bin/kermit
C-Kermit 7.0.197, 8 Feb 2000, for Linux
 Copyright (C) 1985, 2000,
  Trustees of Columbia University in the City of New York.
Type ? or HELP for help.
(/usr/src/redhat/BUILD/cku197/) C-Kermit>set host
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 DNS Lookup... Can't get address for
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAA
Can't open connection to
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info registers
eax            0x0      0
ecx            0xc85a6  820646
edx            0x8112402        135341058
ebx            0x2c     44
esp            0xbfffdeb4       0xbfffdeb4
ebp            0x41414141       0x41414141
esi            0x0      0
edi            0x401ab020       1075490848
eip            0x41414141       0x41414141

And there appear to be several more unchecked buffers.  For emphasis, look
at these line-counted greps of the source code:

[root@king cku197]# grep strcpy *.c | wc -l
    476
[root@king cku197]# grep strncpy *.c | wc -l
    613
[root@king cku197]# grep strncat *.c | wc -l
     31
[root@king cku197]# grep strcat *.c | wc -l
    301
[root@king cku197]# grep sprintf *.c | wc -l
    881
[root@king cku197]# grep snprintf *.c | wc -l
      0
[root@king cku197]# grep sscanf *.c | wc -l
      1
[root@king cku197]# grep fscanf *.c | wc -l
      0
[root@king cku197]# grep fgets *.c | wc -l
     17
[root@king cku197]# grep fputs *.c | wc -l
      4
[root@king cku197]# grep puts *.c | wc -l
     54
[root@king cku197]# grep gets *.c | wc -l
    182
[root@king cku197]# grep "gets(" *.c | wc -l
     14
[root@king cku197]# grep "puts(" *.c | wc -l
     15
[root@king cku197]# grep "vsprintf" *.c | wc -l
      5
[root@king cku197]# grep "execl" *.c | wc -l
      8
[root@king cku197]# grep "execv" *.c | wc -l
      3
[root@king cku197]# grep "exec" *.c | wc -l
    190
[root@king cku197]# grep "popen" *.c | wc -l
      9


Things that stand out are:
801 sprintfs
0 snprintfs
476 strcpys
301 strcats

There seem to be loads of unchecked buffers which would require endless
hours to track down in such poorly organized and outdated code.  My
suggestion is to recommend that users remove the setgid bit from the program,
notify the authors and let them fix the code if they deem it necessary.
Though I'd still be concerned that, with the number of unchecked buffers,
somebody could easily find some way to exploit one remotely on a kermit
running in server mode to get remote access to the machine.  I haven't
checked for this kind of attack but there is potential.  Either way, the safest
bet is to remove the setgid flag for now; it's more of a risk than a useful
feature.

-Stan Bubrouski
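
The pattern behind the two crashes above, shown as an added example rather than C-Kermit's own code: a fixed stack buffer filled by an unbounded strcpy (the "before" form, which is what puts 0x41414141 into ebp and eip), beside a bounded "host[:port]" parser that rejects over-long input, plus a small check showing why the 613 strncpy hits in the grep counts are not automatically safe copies. HOSTBUF, PORTBUF, the hostspec struct and all function names are hypothetical and do not correspond to C-Kermit's real buffers; the 1500-byte name is constructed to match the report.

```c
/* Added example, not C-Kermit code. Buffer sizes and names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

#define HOSTBUF 64      /* hypothetical fixed-size hostname buffer */
#define PORTBUF 8       /* hypothetical fixed-size port buffer */

enum { HOST_OK = 0, HOST_TOO_LONG = -1, HOST_EMPTY = -2, HOST_BAD_PORT = -3 };

typedef struct {
    char host[HOSTBUF];
    char port[PORTBUF];     /* empty string means "use the default" */
} hostspec;

/* "Before": unbounded copy into a fixed stack buffer. A name longer than
 * HOSTBUF-1 bytes runs past the array into the saved frame pointer and
 * return address, which is what the 0x41414141 in ebp/eip shows. Kept
 * only for comparison; never feed it untrusted input. */
int set_host_unsafe(const char *name)
{
    char host[HOSTBUF];
    strcpy(host, name);             /* no length check at all */
    return (int)strlen(host);
}

/* Bounded copy of srcn bytes that always NUL-terminates and refuses
 * over-long input instead of silently truncating (a truncated hostname
 * is a different host, not a safe version of the same one). */
static int copy_bounded(char *dst, size_t dstsz, const char *src, size_t srcn)
{
    if (srcn >= dstsz)
        return HOST_TOO_LONG;       /* one byte must be left for the NUL */
    memcpy(dst, src, srcn);
    dst[srcn] = '\0';
    return HOST_OK;
}

/* "After": parse "host[:port]" as typed at a SET HOST prompt, with every
 * copy bounded by the size of its destination. */
int parse_hostspec(const char *spec, hostspec *out)
{
    const char *colon = strchr(spec, ':');
    size_t hostn = colon ? (size_t)(colon - spec) : strlen(spec);
    int rc;

    if (hostn == 0)
        return HOST_EMPTY;
    rc = copy_bounded(out->host, sizeof out->host, spec, hostn);
    if (rc != HOST_OK)
        return rc;
    if (!colon) {
        out->port[0] = '\0';
        return HOST_OK;
    }
    const char *p = colon + 1;
    for (const char *q = p; *q; q++)
        if (*q < '0' || *q > '9')
            return HOST_BAD_PORT;   /* numeric ports only in this example */
    return copy_bounded(out->port, sizeof out->port, p, strlen(p));
}

/* Convenience wrappers so results can be checked without the struct. */
int parse_rc(const char *spec)
{
    hostspec hs;
    return parse_hostspec(spec, &hs);
}

int hostspec_matches(const char *spec, const char *host, const char *port)
{
    hostspec hs;
    return parse_hostspec(spec, &hs) == HOST_OK
        && strcmp(hs.host, host) == 0 && strcmp(hs.port, port) == 0;
}

/* Parse a name made of n copies of c (constructed input: the report's
 * 1500 A's) and return the parser's result code. */
int parse_repeated(char c, size_t n)
{
    char *name = malloc(n + 1);
    if (!name)
        return HOST_TOO_LONG;
    memset(name, c, n);
    name[n] = '\0';
    int rc = parse_rc(name);
    free(name);
    return rc;
}

/* Why a strncpy count is not a count of safe copies: strncpy writes no
 * NUL when src is at least dstsz bytes long. Returns 1 if the destination
 * ended up terminated within dstsz bytes, 0 if not. */
int strncpy_terminated(size_t dstsz, const char *src)
{
    char buf[HOSTBUF + 1];
    if (dstsz > HOSTBUF)
        dstsz = HOSTBUF;
    memset(buf, 'X', sizeof buf);   /* sentinel: no stray NULs to find */
    strncpy(buf, src, dstsz);
    return memchr(buf, '\0', dstsz) != NULL;
}

int main(void)
{
    printf("example.com:23 -> rc %d\n", parse_rc("example.com:23"));
    printf("1500 A's       -> rc %d\n", parse_repeated('A', 1500));
    printf("strncpy(8, 8-byte src) terminated? %d\n",
           strncpy_terminated(8, "12345678"));
    return 0;
}
```

The reject-rather-than-truncate choice matters for a setgid program: truncating a hostname at the buffer boundary avoids the overflow but silently changes where the connection goes, so the caller should see an error. The strncpy check is the thing to look for when triaging the grep counts above: each strncpy(dst, src, sizeof dst) still needs an explicit dst[sizeof dst - 1] = '\0' or a length check before it.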

Comment 1 Nalin Dahyabhai 2000-07-19 16:51:32 UTC
Removing the setgid bit in C-Kermit-1.97-3, at least until I can sit
down and sift through it, if I ever do.