old solaris bug comes to light
A lively (but pointless) discussion on the list turned into a description
of an old Solaris bug (unpatched 2.5.1 or below) that I hadn't heard
described before. On these systems, when a suid-root program drops
its privileges (by changing its uid to the current user's uid), it also
becomes susceptible to being traced in a debugger. At this point,
the user can load the suid-root program into a debugger, step through it,
analyze any variables, etc. This is fatal for many programs, since
they count on the suid-root bit keeping them from being readable or traceable
by a non-privileged user.
iomega one-step backup is two steps backward
Iomega's drives come with a backup utility called "One-Step Backup".
One of the features of One-Step Backup is that you can password-protect
your backup. Sadly, this password is stored inside the backup file,
using XOR [non]encryption. Nothing else in the backup is encrypted
at all, so the password is not only trivially recoverable from the backup
file, but useless, to boot.
suidperl may subvert linux mount options
Linux has a mount option that turns off suid-root behavior for a filesystem.
The suid-script version of perl is able to subvert that by "simulating"
suid-root without actually doing suid-root. Perl doesn't check
to see how the filesystem was mounted.
sendmail bugs
Sendmail (including the most recent 8.9.2) has a few bugs which could
allow excessive CPU time to be consumed, or could allow relaying.
If a lot of header lines are given, or header lines are excessively long,
sendmail will spend a very long time parsing them. Also, if it receives
an address of the form <user@host@thishost>, where "thishost" is the
local host, it will inadvertently relay the message. The header bug
can be fixed with a patch that was posted, while the relay bug can be fixed
with a modification to the sendmail.cf file, and can also be fixed if you
turn off all relaying.
debian ftpwatch has strange hole
Debian didn't give any further info, but they have reason to believe
that ftpwatch will let a user get root access, so if you're running Debian,
turn it off.
windows pathnames make my brain hurt
Certain versions of PWS (Personal Web Server) or IIS (ditto) on
Windows 95/98 but possibly not on NT are able to let users read
any file due to a bizarre naming convention involving multiple dots.
Basically, a pathname component of "..." (3 dots) is sometimes (but
not always!) treated as if it were "../..", and adding dots adds levels.
The behavior changes if you add a backslash to the end. NT has this
weirdness too, but it behaves differently in some brain-throbbing
way so that PWS/IIS isn't vulnerable. Apparently the only sane thing
app developers can do under Windows is throw out any pathname with multiple
dots in it.
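The "throw out any pathname with multiple dots" advice, written out as a request-path check. This is an added example, not code from the digest or from any web server; the function names, the document root, and the choice to reject only runs of two or more consecutive dots (so that "file.tar.gz" still works) are assumptions made here.

```python
"""Reject request paths whose components contain the multi-dot sequences
described above, instead of trusting the OS to collapse them sanely.

Added example (hypothetical helper names). Policy assumed here: any path
component containing two or more consecutive dots is refused outright,
and the resolved path must stay under the document root.
"""
import posixpath
from typing import List, Optional


def split_components(path: str) -> List[str]:
    """Split on both separators, since Win32 accepts '/' and '\\' alike.

    A trailing separator yields an empty final component; it is kept so
    the caller sees exactly what the client sent.
    """
    return path.replace("\\", "/").split("/")


def is_safe_request_path(path: str) -> bool:
    """True only if no component contains a run of two or more dots.

    This rejects "..", "...", "....", "....\\" and "a..b" alike, without
    trying to guess how many levels the OS would strip for each.
    """
    return not any(".." in comp for comp in split_components(path))


def resolve_under_root(root: str, request_path: str) -> Optional[str]:
    """Map a request path under the document root, or None if unsafe.

    The dot check runs first; the root-prefix check is a second, independent
    guard in case the join or normalisation ever escapes the root.
    """
    if not is_safe_request_path(request_path):
        return None
    relative = request_path.replace("\\", "/").lstrip("/")
    joined = posixpath.normpath(posixpath.join(root, relative))
    if joined != root and not joined.startswith(root + "/"):
        return None
    return joined


if __name__ == "__main__":
    # Constructed sample requests; document root is a placeholder path.
    for req in ["/docs/index.html", "/.../win.ini", "/....\\", "/file.tar.gz"]:
        print(repr(req), "->", resolve_under_root("/srv/www", req))
```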
buffer overflows