two security bugs

Just found two security bugs in 6.2 NC.

  1. phshutdown. It writes the default shutdown type to ~/.ph/phshutdown.cfg,
    but doesn’t check its permissions (phshutdown is setuid root). If
    phshutdown.cfg is a symbolic link to any file on the system, that file will
    be overwritten. If it doesn’t exist, it will be created (with write
    access for the user).

  2. packager. Using this (setuid root too) utility, any user could read
    protected files (like /etc/shadow). Try to create a qpr from the /etc
    directory and you will get a package with all the protected configuration
    files.

Dmitry.

Those two utils are on my audit list. I’ll be forwarding this to the owners
of these utilities. Thank you for the report.

cheers,

Kris

“Dmitry Alexeyev” <dmi@qnx.org.ru> wrote in message
news:3D7921D1.9090806@qnx.org.ru

Just found two security bugs in 6.2 NC.

  1. phshutdown. It writes the default shutdown type to ~/.ph/phshutdown.cfg,
    but doesn’t check its permissions (phshutdown is setuid root). If
    phshutdown.cfg is a symbolic link to any file on the system, that file will
    be overwritten. If it doesn’t exist, it will be created (with write
    access for the user).

  2. packager. Using this (setuid root too) utility, any user could read
    protected files (like /etc/shadow). Try to create a qpr from the /etc
    directory and you will get a package with all the protected configuration
    files.

Dmitry.

Dmitry Alexeyev <dmi@qnx.org.ru> wrote:

Just found two security bugs in 6.2 NC.

  1. phshutdown. It writes the default shutdown type to ~/.ph/phshutdown.cfg,
    but doesn’t check its permissions (phshutdown is setuid root). If
    phshutdown.cfg is a symbolic link to any file on the system, that file will
    be overwritten. If it doesn’t exist, it will be created (with write
    access for the user).

Fixed internally. Changes the euid and egid to the uid and gid for
the duration of this operation. Since I don’t think we’ve made our release plans
public, I can’t answer as to when it will be available to the public, but it’s
in the CVS branch of our currently planned next release.

I’ll see what I can do about getting it up on the developer/experimental page, though, so
those that care can get a more secure version of phshutdown.

Dave Rempel
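Dmitry’s phshutdown report and Dave’s fix, as an added example (this is not the QNX phshutdown or packager source; the config layout, the shutdown-type strings and the scratch paths are assumptions for illustration): a setuid-root config writer in the form the report describes, beside a hardened one that runs with the effective ids set to the real uid/gid for the duration of the write, as Dave describes, and on top of that refuses to follow a symlink and creates the file 0600. The two demo functions run unprivileged in a scratch directory and return 1 on the expected outcome.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write "<type>\n" to fd; one write() suffices for a few bytes to a regular file. */
static int write_line(int fd, const char *type)
{
    char buf[64];
    int n = snprintf(buf, sizeof buf, "%s\n", type);
    if (n < 0 || (size_t)n >= sizeof buf) return -1;
    return write(fd, buf, (size_t)n) == n ? 0 : -1;
}

/* Unsafe form, as in the report: opened with root's privileges, created if
 * missing, and any symlink planted at the path is silently followed. */
int write_cfg_unsafe(const char *path, const char *type)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    int rc = write_line(fd, type);
    close(fd);
    return rc;
}

/* Hardened form: run as the real uid/gid for the duration of the operation (the
 * fix Dave describes) so the kernel enforces the user's own permissions, and in
 * addition refuse symlinks and create the file 0600. 0 on success, -1 + errno. */
int write_cfg_safe(const char *path, const char *type)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    /* gid first: once the euid is non-root, setegid() would be refused */
    if (setegid(getgid()) != 0) return -1;
    if (seteuid(getuid()) != 0) { setegid(saved_egid); return -1; }
    int rc = -1, fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    int saved_errno = errno;
    if (fd >= 0) {
        rc = write_line(fd, type);
        saved_errno = errno;
        close(fd);
    }
    seteuid(saved_euid);   /* regain privileges; no-ops when not running setuid */
    setegid(saved_egid);
    errno = saved_errno;
    return rc;
}

/* 1 if the file's whole contents equal expected, else 0. */
static int file_is(const char *path, const char *expected)
{
    char buf[64] = {0};
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n >= 0 && strcmp(buf, expected) == 0;
}

/* Constructed scenario, run unprivileged in a scratch directory: a symlink is
 * planted at the config path pointing at a "victim" file. Returns 1 if the unsafe
 * writer clobbered the victim and the safe writer refused (ELOOP), else 0. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/phshutdown-demo-XXXXXX", victim[256], cfg[256];
    int result = 0, fd, clobbered, refused;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(cfg, sizeof cfg, "%s/phshutdown.cfg", dir);
    if ((fd = open(victim, O_WRONLY | O_CREAT, 0644)) < 0) goto out;
    write_line(fd, "original"); close(fd);
    if (symlink(victim, cfg) != 0) goto out;
    clobbered = write_cfg_unsafe(cfg, "reboot") == 0 && file_is(victim, "reboot\n");
    refused = write_cfg_safe(cfg, "halt") != 0 && errno == ELOOP;
    result = clobbered && refused && file_is(victim, "reboot\n");  /* victim untouched */
out:
    unlink(cfg); unlink(victim); rmdir(dir);
    return result;
}

/* Second scenario: nothing at the path yet. The safe writer creates it owned by
 * the real user, mode 0600, with the expected contents. Returns 1 on success. */
int demo_create_as_user(void)
{
    char dir[] = "/tmp/phshutdown-demo-XXXXXX", cfg[256];
    struct stat st;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(cfg, sizeof cfg, "%s/phshutdown.cfg", dir);
    int ok = write_cfg_safe(cfg, "shutdown") == 0 && lstat(cfg, &st) == 0
             && S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600
             && st.st_uid == getuid() && file_is(cfg, "shutdown\n");
    unlink(cfg); rmdir(dir);
    return ok;
}
```

Call demo_symlink_attack() and demo_create_as_user() from a main() of your own; both return 1 when the unsafe writer follows the planted link and the safe writer does not. With euid/egid equal to the real ids the open() is subject to the user's own permissions, which is also what removes the packager problem: walking /etc with euid == uid yields EACCES on /etc/shadow instead of its contents. Two caveats: seteuid() only parks root in the saved set-user-ID, so the unprivileged stretch should be as short as possible and, if the privilege is never needed again, setuid(getuid()) drops it for good; and the result is only as good as the privilege switch itself, so check the return values of setegid()/seteuid() rather than assuming they succeeded, as the block does.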