GNU userv Service Program Environment Corruption Vulnerability
BID:1516
| Bugtraq ID: | 1516 |
| Class: | Boundary Condition Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Jul 27 2000 12:00AM |
| Updated: | Jul 27 2000 12:00AM |
| Credit: | Discussed in a message posted to bugtraq by Ian Jackson <[email protected]> |
| Vulnerable: | GNU userv 1.0.0 |
| Not Vulnerable: | |
Discussion
userv is a facility that allows one program to invoke another (the Service Program) where only limited trust exists between the two.
Under certain conditions, a malicious user could corrupt the USERV_GIDS and USERV_GROUPS environment variables passed to a userv child process.
Before a Service Program is exec'd by a userv child process, these variables are used to make access control decisions. If USERV_GIDS and USERV_GROUPS are corrupted, the Service Program could be made to carry out otherwise unauthorized actions.
Exploit / POC
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
The userv maintainer suggests upgrading to userv 1.0.1. If the upgrade is not available, a patch can be applied.
(From the Bugtraq message):
Index: servexec.c
===================================================================
RCS file: /usr/src/CVS/userv/servexec.c,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- servexec.c 2000/03/06 18:14:46 1.13
+++ servexec.c 2000/07/27 00:08:34 1.14
@@ -266,7 +266,8 @@
fdarray[fd].holdfd= -1;
}
for (fd=0; fd<fdarrayused; fd++) {
- if (fdarray[fd].realfd < fdarrayused) fdarray[fdarray[fd].realfd].holdfd= fd;
+ if (fdarray[fd].realfd < fdarrayused && fdarray[fd].realfd >= 0)
+ fdarray[fdarray[fd].realfd].holdfd= fd;
}
for (fd=0; fd<fdarrayused; fd++) {
realfd= fdarray[fd].realfd;
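Review bot: The added "fdarray[fd].realfd >= 0" test in the first loop silently skips a negative realfd, and nothing in the hunk says whether a negative value is an expected "no descriptor" marker (as -1 is for holdfd just above) or a sign of bad input. A short comment stating which, or an explicit error path if a negative realfd is never legitimate, would make the intent reviewable. Writing the lower bound first (realfd >= 0 && realfd < fdarrayused) reads as a conventional range check. The next loop assigns realfd= fdarray[fd].realfd; and its body is outside the visible context, so it should be confirmed that the same range check applies there before realfd is used as an index.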
Additionally, updates are available for Debian Linux.
(From the Debian advisory):
Debian 2.1:
Source archives:
http://security.debian.org/dists/stable/updates/source/userv_1.0.1.0slink.dsc
MD5 checksum: 473a8fe477d20614aad97f538896969a
http://security.debian.org/dists/stable/updates/source/userv_1.0.1.0slink.tar.gz
MD5 checksum: 40b052547e2ea9fa69a12ee24dfe2af7
Alpha architecture:
http://security.debian.org/dists/stable/updates/binary-alpha/userv_1.0.1.0slink_alpha.deb
MD5 checksum: 4934d1163e2e5fbb2d74d5a949089aa7
Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/binary-i386/userv_1.0.1.0slink_i386.deb
MD5 checksum: ebf8d6cd431e94b6e731636d1d61440e
Motorola 680x0 architecture:
http://security.debian.org/dists/stable/updates/binary-m68k/userv_1.0.1.0slink_m68k.deb
MD5 checksum: b59d78066362bce1f91005891958c362
Sun Sparc architecture:
http://security.debian.org/dists/stable/updates/binary-sparc/userv_1.0.1.0slink_sparc.deb
MD5 checksum: ab880dac8965d99ca64044c0ef438975
Debian 2.2pre Potato:
Source archives:
http://security.debian.org/dists/potato/updates/main/source/userv_1.0.1.1potato.dsc
MD5 checksum: 1a92258cecdb878ddd2f58cd03bd59b1
http://security.debian.org/dists/potato/updates/main/source/userv_1.0.1.1potato.tar.gz
MD5 checksum: ddf8df51026a1b880dc95f9ca04a6deb
Alpha architecture:
http://security.debian.org/dists/potato/updates/main/binary-alpha/userv_1.0.1.1potato_alpha.deb
MD5 checksum: 81d800fb0b29ef48f8b8bbc20e2b2ec1
Intel ia32 architecture:
http://security.debian.org/dists/potato/updates/main/binary-i386/userv_1.0.1.1potato_i386.deb
MD5 checksum: 82752bd8dcc7ec1e187b6d9cfe7403d0
Sun Sparc architecture:
http://security.debian.org/dists/potato/updates/main/binary-sparc/userv_1.0.1.1potato_sparc.deb
MD5 checksum: 019430e9ffdff374a87e0003da16b97b