hert.0002.lsof.4-40
357f196aeafa985917c80f440fee72f7701107924999e647b113d2b33b7e955d
From acz@HERT.ORG Wed Feb 17 19:36:23 1999
From: "Anthony C. Zboralski" <acz@HERT.ORG>
To: alert-outgoing@plan9.hert.org
Date: Thu, 18 Feb 1999 01:41:26 +0100 (CET)
>From acz@plan9.hert.org Thu Feb 18 01:12:38 1999
Received: from localhost (acz@localhost)
by plan9.hert.org (8.9.1a/8.9.1) with ESMTP id BAA06236
for <alert-outgoing@hert.org>; Thu, 18 Feb 1999 01:12:38 +0100 (CET)
Date: Thu, 18 Feb 1999 01:12:38 +0100 (CET)
From: "Anthony C. Zboralski" <acz@hert.org>
To: alert-outgoing@hert.org
Subject: [HERT] Advisory #002 Buffer overflow in lsof 4.40
Message-ID: <Pine.BSF.4.03.9902180107440.11533-100000@plan9.hert.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
-----BEGIN PGP SIGNED MESSAGE-----
- --------------------------------------------------------------
HERT - Hacker Emergency Response Team
alert@hert.org - http://www.hert.org
Advisory: #00002
Title: lsof
Date: 17 February 1999
Summary: Buffer overflow in lsof version 4.40 and prior
IMPACT: Local users may obtain root priviledge.
Author: Mariusz Tmoggie Marcinkiewicz <tmoggie@hert.org>
Test Exploit: kil3r@hert.org
- ---------------------------------------------------------------
Copyright (C) 1999 Hacker Emergency Response Team
Permission is granted to reproduce and distribute HERT advisories in their
entirety, provided the HERT PGP signature is included and provided the alert is used for noncommercial purposes and with the intent of increasing the aware-
ness of the Internet community.
This advisory is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
1. Background:
lsof - list open files
Lsof lists information about files opened by processes for most
UNIX dialects.
When lsof is setuid-root or setgid kmem, it is vulnerable to a buffer
overflow that will lead to direct root compromise or root compromise
thru live kernel patching.
The paradox is that lsof is a great security tool for administrators and
we encourage its uses as long as it is NOT setuid-root or setgid.
Test exploit code for this vulnerability was developped by kil3r@hert.org
and will be made available to lsof author, HERT collaborators, sponsors
and partners.
2. Distributions known to be affected.
OpenBSD 2.4's ports facility retrieves and builds lsof package setgid kmem.
FreeBSD's ports facility retrieves and builds lsof package setgid kmem.
SuSe Linux ships lsof setgid kmem.
Debian GNU/Linux 2.0 ships lsof setgid kmem.
Redhat Linux 5.2 ships lsof setgid kmem.
3. Recommendations
Fix:
chmod 0755 lsof
To subscribe to the HERT Alert mailing list, email alert@hert.org
with subscribe in the body of the message.
Contact hert@hert.org for more information.
The HERT PGP public key is available at ftp://ftp.hert.org/pub/HERT_PGP.key
To report a vulnerability: http://www.hert.org/vul_reporting_form
We would like to thank the individuals who donates some of their time to HERT.
HERT is a non-profit international organisation based in France.
If you wish to join the HERT effort please send a note to hert@hert.org.
- --
Please respect the privacy of this mailing list.
To UNSUBSCRIBE, email to hert-private-request@hert.org
with "unsubscribe" in the body. Trouble? Contact listmaster@hert.org
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
iQCVAwUBNss8D7iV3oeHg1NdAQGHZwP+L76JOU2iHtvl2i3AHP3VDdEJ6W8M5zjf
vVWDpQY7z4qmW4Ai/D5mnzeRwUey8W9imkoY4J4cF3/O+s/70+rsbwAKsmVgztBm
DjhdWfMl/yz0ZT8zATJV+YVGtPQsmzvPbZR7YWOQh7oQQyPwzQXkswHkTB24Fsdg
ehmkQnF1N9c=
=Ohr4
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to alert-request@hert.org
with "unsubscribe" in the body. Trouble? Contact listmaster@hert.org