BugTraq summary, week of 7 dec 1998.
securid assumes you're root
SecurID is a two-factor login system: each user carries a small card (token)
that displays a pseudo-random code, which is typed in (together with a PIN) to
log in to a "secure" machine. The code changes about once a minute. A Princeton
student discovered that their SecurID setup would, if NIS was down, treat
every user as root. Apparently the login code wasn't checking the return code
from the NIS lookup: when the lookup failed, the user ID was left at its
initial value of 0, and 0 was accepted as a perfectly good uid (root).
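The failure mode above, as an added illustration (not the SecurID code, which was never published): a lookup routine that fails when the directory is down, next to the unchecked caller that lets a zero-initialised uid through and a checked caller that fails closed. The user table, the `nis_lookup_uid()` helper and the `nis_up` flag are all hypothetical stand-ins for the NIS call.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for the NIS passwd map (made-up data). */
struct passwd_entry {
    const char *name;
    uid_t uid;
};
static const struct passwd_entry NIS_MAP[] = {
    { "alice", 1001 },
    { "bob",   1002 },
};

/* Hypothetical getpwnam()-style lookup: returns 0 and fills *uid on success,
 * -1 if the user is unknown or NIS is unreachable.  On failure *uid is left
 * untouched, which is exactly why the caller's initial value matters. */
static int nis_lookup_uid(const char *name, int nis_up, uid_t *uid)
{
    if (!nis_up)
        return -1;                          /* ypbind down: no answer at all */
    for (size_t i = 0; i < sizeof NIS_MAP / sizeof NIS_MAP[0]; i++) {
        if (strcmp(NIS_MAP[i].name, name) == 0) {
            *uid = NIS_MAP[i].uid;
            return 0;
        }
    }
    return -1;
}

/* Vulnerable pattern: the return code is never examined, so with NIS down
 * the zero-initialised uid survives and the session is set up as root. */
uid_t session_uid_unchecked(const char *name, int nis_up)
{
    uid_t uid = 0;                          /* "not set yet" happens to be root */
    nis_lookup_uid(name, nis_up, &uid);     /* result ignored */
    return uid;
}

/* Hardened pattern: a failed lookup is a failed login.  Returns 0 and sets
 * *uid only when the directory positively answered; -1 means deny.  Since
 * the bug was that uid 0 was "assumed good", a looked-up uid of 0 is refused
 * as well (a policy choice added here, not something the page describes). */
int session_uid_checked(const char *name, int nis_up, uid_t *uid)
{
    uid_t found;
    if (nis_lookup_uid(name, nis_up, &found) != 0)
        return -1;                          /* fail closed, never fall back to 0 */
    if (found == 0)
        return -1;
    *uid = found;
    return 0;
}

int main(void)
{
    uid_t uid;
    printf("NIS down, unchecked: alice gets uid %u\n",
           (unsigned)session_uid_unchecked("alice", 0));
    printf("NIS down, checked:   alice is %s\n",
           session_uid_checked("alice", 0, &uid) == 0 ? "allowed" : "denied");
    return 0;
}
```

The point is not the NIS API itself but the initial value: any code that initialises a uid to 0 and then conditionally overwrites it will grant root on every path where the overwrite is skipped.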
excel "call" disabled
Microsoft issued a patch that disables the CALL function in Excel
worksheets (it still works in macros). CALL invokes a function in an
external library (a DLL under Windows). When CALL appears in a worksheet
formula, it runs automatically when the sheet is recalculated, without
any warning or prompt to the user, so it could be used to build
"trojan horse" Excel files.
realsystem real secure
The evaluation copy of RealSystem G2 (I have no idea what that
is) makes you select an admin password. Unfortunately it stores that
password in plaintext in a file that's world readable.
linux fixes in 2.0.36
Alan Cox posted an interesting list of the bugs fixed in Linux 2.0.36
(the latest "stable" Linux release). Some of these may be repeats
from previous BTT issues, but it's cool to have the list summarized:
-
You could previously mmap() a file you only had read access to as a
"read-only" mapping, then use mprotect() to flip the mapping to "read-write".
With a shared mapping the writes land in the file, so this gave you write
access to a file you weren't allowed to modify.
-
When a device driver didn't implement the readv()/writev() calls (used
to do a batch of reads and writes at once), the Linux kernel might not
notice, and would cause some messy crashes. This may not have had
security implications.
-
An obscure piece of code used when returning from a system call wasn't
checking correctly for memory errors. (I didn't get a good feel for
what he meant by this, beyond what I just said...)
-
A drive with a partition that had exactly 65535 cylinders could occasionally
cause the kernel to divide by zero and explode. (It was dividing by
cylinders+1, and 65535+1 = 65536 wraps to zero in a 16-bit register.)
-
The IP masquerading code was making assumptions about size and offset
that weren't always true, and could lead to crashes.
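A probe for the mmap()/mprotect() item above, added here as an example (it is not from Alan Cox's list or the kernel patch). It creates a throwaway file, opens it read-only, maps it PROT_READ and then asks mprotect() for write permission. On a fixed kernel the upgrade is refused with EACCES for a MAP_SHARED mapping; for a MAP_PRIVATE mapping it is allowed, but the write goes to a private copy-on-write page and never reaches the file, which is the contrast that explains why only the shared case was a hole. The temp file name and the `probe_mprotect_upgrade()` helper are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* What happened when we tried to upgrade a read-only mapping to read-write. */
struct upgrade_result {
    int mprotect_errno;   /* 0 if mprotect(PROT_WRITE) was accepted, else errno */
    int file_changed;     /* 1 if the byte written through the mapping reached the file */
};

/* Creates a throwaway file (constructed input), reopens it O_RDONLY, maps it
 * PROT_READ with `map_flags` (MAP_SHARED or MAP_PRIVATE), attempts the
 * read-only -> read-write upgrade via mprotect() and, if that is allowed,
 * writes through the mapping and checks whether the file was modified.
 * Returns 1 when the probe ran, 0 on setup failure. */
int probe_mprotect_upgrade(int map_flags, struct upgrade_result *out)
{
    char path_tmp[] = "/tmp/mprotect-probe-XXXXXX";
    char path_cwd[] = "mprotect-probe-XXXXXX";
    char *path = path_tmp;
    char buf[8];
    int fd = mkstemp(path);
    if (fd < 0) {                          /* no /tmp? fall back to cwd */
        path = path_cwd;
        fd = mkstemp(path);
        if (fd < 0)
            return 0;
    }
    if (write(fd, "original", 8) != 8) {
        close(fd); unlink(path); return 0;
    }
    close(fd);

    /* Reopen read-only: this is the only access the user is supposed to have. */
    fd = open(path, O_RDONLY);
    if (fd < 0) { unlink(path); return 0; }

    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    char *map = mmap(NULL, pagesz, PROT_READ, map_flags, fd, 0);
    if (map == MAP_FAILED) { close(fd); unlink(path); return 0; }

    out->mprotect_errno = 0;
    out->file_changed = 0;
    if (mprotect(map, pagesz, PROT_READ | PROT_WRITE) != 0) {
        out->mprotect_errno = errno;       /* fixed kernel: EACCES for MAP_SHARED */
    } else {
        map[0] = 'X';                      /* the write the old bug made possible */
        msync(map, pagesz, MS_SYNC);
        if (pread(fd, buf, 8, 0) == 8 && buf[0] == 'X')
            out->file_changed = 1;         /* only a vulnerable kernel gets here */
    }
    munmap(map, pagesz);
    close(fd);
    unlink(path);
    return 1;
}

int main(void)
{
    struct upgrade_result r;
    if (probe_mprotect_upgrade(MAP_SHARED, &r))
        printf("MAP_SHARED:  mprotect %s, file %s\n",
               r.mprotect_errno ? strerror(r.mprotect_errno) : "allowed",
               r.file_changed ? "MODIFIED (vulnerable)" : "unchanged");
    if (probe_mprotect_upgrade(MAP_PRIVATE, &r))
        printf("MAP_PRIVATE: mprotect %s, file %s\n",
               r.mprotect_errno ? strerror(r.mprotect_errno) : "allowed",
               r.file_changed ? "MODIFIED (vulnerable)" : "unchanged");
    return 0;
}
```

Run it as an unprivileged user; the probe only needs somewhere to create a small temporary file. A kernel that reports "MODIFIED" for the MAP_SHARED case has the bug this item describes.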
buffer overflows
-
MacOS 8.5.1 comes with a small web server for "Web Sharing". Send it a
GET request for a sufficiently long filename and it keels over.
-
SGI says that the fcagent daemon (installed by default on Origin and Onyx2
platforms running IRIX 6.4 and higher) can be exploited via RPC calls
to cause the "FibreVault" to crash (horrors!). As usual, SGI didn't
give any further information.
-
Bootpd 2.4.3 (see last week's issue) has another
hole: a buffer overflow in the handling of the bootfile parameter from
the request packet. Another buffer overflow exists in the logging
code. A new version of bootpd should be released soon.
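The bootfile item is the classic shape of a request-parsing overflow, shown here as an added example rather than bootpd's actual code (which this summary does not reproduce). The BOOTP `file` field is 128 octets that RFC 951 describes as a null-terminated string, but nothing stops a client from filling all 128 bytes without a terminator. A copy that trusts the terminator, or assumes the field fits a smaller local buffer, overflows; the checked version bounds the length by the wire field and rejects rather than truncates. The `struct bootp_tail` layout models only the fields needed here and the helper names are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Trailing part of a BOOTP request (RFC 951): sname is 64 octets, file is
 * 128 octets, and the vendor area follows them in memory.  Only these fields
 * are modelled; the real header has more in front of them. */
#define BOOTP_SNAME_LEN 64
#define BOOTP_FILE_LEN  128

struct bootp_tail {
    uint8_t sname[BOOTP_SNAME_LEN];
    uint8_t file[BOOTP_FILE_LEN];
    uint8_t vend[64];
};

/* Vulnerable shape (illustration only, never called below): the copy trusts
 * the client to have terminated `file` and assumes it fits the destination.
 * An unterminated 128-byte field makes strcpy() keep reading into `vend`
 * and keep writing past the end of a 64-byte `bootfile`. */
void copy_bootfile_unchecked(const struct bootp_tail *req, char *bootfile /* 64 bytes */)
{
    strcpy(bootfile, (const char *)req->file);
}

/* Hardened version: the length is bounded by the wire field, not by a
 * terminator the client may have omitted, and the copy refuses rather than
 * silently truncating when the name would not fit.  Returns the length
 * copied, or -1 when `out` is too small (the request should be dropped). */
int copy_bootfile_checked(const struct bootp_tail *req, char *out, size_t out_len)
{
    size_t n = strnlen((const char *)req->file, BOOTP_FILE_LEN);
    if (n + 1 > out_len)
        return -1;
    memcpy(out, req->file, n);
    out[n] = '\0';
    return (int)n;
}

/* Builds a constructed request whose file field holds `name` with no
 * terminator when `name` is 128 bytes or longer (attacker-shaped input). */
void make_request(struct bootp_tail *req, const char *name)
{
    memset(req, 0, sizeof *req);
    size_t n = strlen(name);
    if (n > BOOTP_FILE_LEN)
        n = BOOTP_FILE_LEN;
    memcpy(req->file, name, n);
}

int main(void)
{
    struct bootp_tail req;
    char small[64];
    char big[BOOTP_FILE_LEN + 1];
    char evil[BOOTP_FILE_LEN + 1];

    make_request(&req, "boot/vmlinuz");
    printf("normal name:  rc=%d out=\"%s\"\n",
           copy_bootfile_checked(&req, small, sizeof small), small);

    memset(evil, 'A', BOOTP_FILE_LEN);     /* 128 bytes, no terminator */
    evil[BOOTP_FILE_LEN] = '\0';
    make_request(&req, evil);
    printf("128 x 'A':    rc=%d into 64-byte buffer (rejected)\n",
           copy_bootfile_checked(&req, small, sizeof small));
    printf("128 x 'A':    rc=%d into 129-byte buffer\n",
           copy_bootfile_checked(&req, big, sizeof big));
    return 0;
}
```

The same bound-by-the-field rule applies to `sname` (64 octets) and to anything logged from the packet, which is where the second overflow this item mentions lives.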