|
|
Log in / Subscribe / Register

Security

On the importance of return codes

By Jake Edge
December 2, 2009

Just days after FreeBSD 8.0 was released, the FreeBSD developers were undoubtedly unhappy to see a "zero day" exploit posted on the Bugtraq mailing list. The exploit is for a local privilege escalation vulnerability in the runtime loader (rtld) that allows unprivileged users to become root. The vulnerability and patch highlight the need for code—particularly security enforcing code—to check the return values of functions that get called.

The exploit essentially creates a broken environment, such that unsetenv() cannot delete variables from that environment. Because unsetenv() is unable to remove variables like LD_PRELOAD from the environment, rtld fails to do so when running a setuid(0) binary such as ping. But, as the patch shows, rtld could have recognized the situation by checking the return value from unsetenv(). By not doing so, a security feature can easily be circumvented.

LD_PRELOAD allows users to specify libraries they want loaded before the executable. This is typically used to load previous versions, debugging aids (like malloc()/free() tracking), and things of that sort. Clearly setuid() binaries should not be linked to arbitrary, user-controlled libraries at runtime. In the case of the exploit, the shared library used simply spawns a shell from the _init() call. That shell has the effective user id of root because the loader kernel has already called setuid() for the ping binary.

It is common for programmers to ignore return values for functions that "can't fail", but that is a dangerous practice. It is worse when it happens in code that runs with privileges. Something similar occurred with the (badly named) "sendmail capabilities bug", which was really a problem with the Linux kernel capabilities implementation. But, had sendmail been more defensive and checked the return code from setuid() when it was dropping privileges—something that "can't fail"—a much bigger problem would have been averted.

If the person writing the system or library call believed that the call can't fail, they would presumably have made it a void function. That's not to say that those programmers—or committees like POSIX—are immune from bugs or bad decisions, but callers should heed their intent. It's a difficult problem, though, as it is sometimes unclear what the program should do if something that can't fail does fail. Worse yet, without some kind of comprehensive fault-injection framework, those error paths are difficult to test. But, at least for privileged code, the problem can't be ignored.

This particular problem has existed in FreeBSD since version 7.0, released in February 2008. A pre-advisory with the patch was released by FreeBSD within a few hours of the Bugtraq posting. A full advisory and update is expected soon. In the meantime, this should serve as something of an object lesson for others; hopefully that will lead to developers scrutinizing existing code for similar issues, while also helping to remind programmers not to make that kind of mistake in any future code they write.

Comments (32 posted)

Brief items

How to vote anonymously under ubiquitous surveillance (Light Blue Touchpaper)

Light Blue Touchpaper previews a paper [PDF] describing the Open Vote Network protocol that would allow anonymous voting under a system of total communications surveillance. "In the Open Vote Network protocol, all communication data is open, and publicly verifiable. The protocol provides the maximum protection of the voter's privacy; only a full collusion can break the privacy. In addition, the protocol is exceptionally efficient. It compares favorably to past solutions in terms of the round efficiency, computation load and bandwidth usage, and has been close to the best possible in each of these aspects."

Comments (41 posted)

New vulnerabilities

awstats: missing security key

Package(s):awstats CVE #(s):
Created:December 1, 2009 Updated:December 2, 2009
Description: From the Red Hat bugzilla:

Advanced Web Statistics (awstat) upstream has released new (6.95) version, addressing two security related issues. Quoting from awstats Changelog:

  • Fix security in awredir.pl script by adding a security key required by default.
  • Enhance security of parameter sanitizing function.
Alerts:
Fedora FEDORA-2009-12370 awstats 2009-12-01
Fedora FEDORA-2009-12457 awstats 2009-12-01
Fedora FEDORA-2009-12444 awstats 2009-12-01

Comments (none posted)

bind: DNS cache poisoning

Package(s):bind CVE #(s):CVE-2009-4022
Created:November 27, 2009 Updated:June 28, 2010
Description: From the Mandriva advisory: Unspecified vulnerability in ISC BIND 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, 9.7 beta before 9.7.0b3, and 9.0.x through 9.3.x with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks via additional sections in a response sent for resolution of a recursive client query, which is not properly handled when the response is processed at the same time as requesting DNSSEC records (DO).
Alerts:
Slackware SSA:2010-176-01 bind 2010-06-28
Gentoo 201006-11 bind 2010-06-01
rPath rPSA-2010-0018-1 bind 2010-03-15
Mandriva MDVSA-2010:021 bind 2010-01-20
Fedora FEDORA-2010-0868 bind 2010-01-20
Fedora FEDORA-2010-0861 bind 2010-01-20
Ubuntu USN-888-1 bind9 2010-01-20
CentOS CESA-2010:0062 bind 2010-01-20
Red Hat RHSA-2010:0062-02 bind 2010-01-20
Debian DSA-1961-1 bind9 2009-12-23
CentOS CESA-2009:1620 bind 2009-12-17
Ubuntu USN-865-1 bind9 2009-12-07
Mandriva MDVSA-2009:313-1 bind 2009-12-03
Slackware SSA:2009-336-01 bind 2009-12-03
SuSE SUSE-SA:2009:059 bind 2009-12-02
Fedora FEDORA-2009-12233 bind 2009-11-27
Fedora FEDORA-2009-12218 bind 2009-11-27
Mandriva MDVSA-2009:304 bind 2009-11-26
Red Hat RHSA-2009:1620-01 bind 2009-11-30

Comments (none posted)

dovecot: authentication bypass

Package(s):dovecot CVE #(s):CVE-2009-3897
Created:November 30, 2009 Updated:January 19, 2010
Description:

From the Mandriva advisory:

Dovecot 1.2.x before 1.2.8 sets 0777 permissions during creation of certain directories at installation time, which allows local users to access arbitrary user accounts by replacing the auth socket, related to the parent directories of the base_dir directory, and possibly the base_dir directory itself (CVE-2009-3897).

Alerts:
Gentoo 201110-04 dovecot 2011-10-10
SuSE SUSE-SR:2010:001 expat, postfix, phpMyAdmin, postgresql, dovecot12, msmtp 2010-01-19
Mandriva MDVSA-2009:306 dovecot 2009-11-29

Comments (none posted)

dstat: arbitrary code execution

Package(s):dstat CVE #(s):CVE-2009-3894
Created:November 25, 2009 Updated:December 28, 2009
Description:

From the Gentoo advisory:

Robert Buchholz of the Gentoo Security Team reported that dstat includes the current working directory and subdirectories in the Python module search path (sys.path) before calling "import".

A local attacker could entice a user to run "dstat" from a directory containing a specially crafted Python module, resulting in the execution of arbitrary code with the privileges of the user running the application.

Alerts:
Mandriva MDVSA-2009:341 dstat 2009-12-26
CentOS CESA-2009:1619 dstat 2009-12-17
Fedora FEDORA-2009-12674 dstat 2009-12-04
Fedora FEDORA-2009-12663 dstat 2009-12-04
Gentoo 200911-04 dstat 2009-11-25
Red Hat RHSA-2009:1619-01 dstat 2009-11-30

Comments (none posted)

kdelibs: arbitrary code execution

Package(s):kdelibs CVE #(s):CVE-2009-0689
Created:November 25, 2009 Updated:January 14, 2016
Description:

From the Red Hat advisory:

A buffer overflow flaw was found in the kdelibs string to floating point conversion routines. A web page containing malicious JavaScript could crash Konqueror or, potentially, execute arbitrary code with the privileges of the user running Konqueror. (CVE-2009-0689)

Alerts:
Mageia MGASA-2016-0013 mono 2016-01-14
Fedora FEDORA-2015-6dec4e6d5f mono 2015-12-29
Debian-LTS DLA-376-1 mono 2015-12-30
Scientific Linux SLSA-2014:0311-1 php 2014-03-19
Oracle ELSA-2014-0311 php 2014-03-18
CentOS CESA-2014:0311 php 2014-03-19
Red Hat RHSA-2014:0312-01 php 2014-03-18
Red Hat RHSA-2014:0311-01 php 2014-03-18
SUSE SUSE-SU-2013:1828-1 ruby 2013-12-05
Mandriva MDVSA-2010:071 mozilla-thunderbird 2010-04-23
Fedora FEDORA-2010-7100 seamonkey 2010-04-21
SuSE SUSE-SR:2010:013 apache2-mod_php5/php5, bytefx-data-mysql/mono, flash-player, fuse, java-1_4_2-ibm, krb5, libcmpiutil/libvirt, libmozhelper-1_0-0/mozilla-xulrunner190, libopenssl-devel, libpng12-0, libpython2_6-1_0, libtheora, memcached, ncpfs, pango, puppet, python, seamonkey, te_ams, texlive 2010-06-14
CentOS CESA-2010:0153 thunderbird 2010-03-26
Ubuntu USN-915-1 thunderbird 2010-03-18
CentOS CESA-2010:0154 thunderbird 2010-03-17
Red Hat RHSA-2010:0153-02 thunderbird 2010-03-17
Red Hat RHSA-2010:0154-02 thunderbird 2010-03-17
Mandriva MDVSA-2010:027 kdelibs4 2010-01-27
Mandriva MDVSA-2010:028 kdelibs4 2010-01-27
Debian DSA-1998-1 kdelibs 2010-02-17
SuSE SUSE-SR:2009:020 apache2-mod_jk, cacti, cups, expat, finch/pidgin, htmldoc, kdelibs3/kdelibs4, libpoppler/poppler, lighttpd, opera, perl-HTML-Parser, pyxml, seamonkey, wireshark/ethereal, xntp, zope/zope3 2010-01-12
Mandriva MDVSA-2009:346 kde 2009-12-29
Ubuntu USN-871-2 kde4libs 2009-12-11
Ubuntu USN-871-1 kdelibs 2009-12-11
Mandriva MDVSA-2009:330 kdelibs 2009-12-10
CentOS CESA-2009:1601 kdelibs 2009-11-27
CentOS CESA-2009:1601 kdelibs 2009-11-25
Red Hat RHSA-2009:1601-01 kdelibs 2009-11-24

Comments (none posted)

libtool: privilege escalation

Package(s):libtool CVE #(s):CVE-2009-3736
Created:November 30, 2009 Updated:November 19, 2013
Description:

From the Mandriva advisory:

All versions of libtool prior to 2.2.6b suffers from a local privilege escalation vulnerability that could be exploited under certain conditions to load arbitrary code (CVE-2009-3736).

Alerts:
Gentoo 201412-08 insight, perl-tk, sourcenav, tk, partimage, bitdefender-console, mlmmj, acl, xinit, gzip, ncompress, liblzw, splashutils, m4, kdm, gtk+, kget, dvipng, beanstalkd, pmount, pam_krb5, gv, lftp, uzbl, slim, iputils, dvbstreamer 2014-12-11
Gentoo 201311-10 graphicsmagick 2013-11-18
Fedora FEDORA-2011-1967 q 2011-02-22
Fedora FEDORA-2011-1958 q 2011-02-22
Fedora FEDORA-2010-8756 libprelude 2010-05-19
Mandriva MDVSA-2010:105 openoffice.org 2010-05-21
Mandriva MDVSA-2010:075 openoffice.org 2010-04-15
Fedora FEDORA-2010-4392 gnu-smalltalk 2010-03-13
Fedora FEDORA-2010-4339 gnu-smalltalk 2010-03-13
Fedora FEDORA-2010-3314 esorex 2010-03-02
Fedora FEDORA-2010-3216 esorex 2010-03-02
Fedora FEDORA-2010-1924 gambas 2010-02-16
Fedora FEDORA-2009-12562 libtool 2009-12-03
Debian DSA-1958-1 libtool 2009-12-29
Fedora FEDORA-2009-12725 libtool 2009-12-04
CentOS CESA-2009:1646 libtool 2009-12-08
CentOS CESA-2009:1646 libtool 2009-12-08
Red Hat RHSA-2009:1646-01 libtool 2009-12-08
Mandriva MDVSA-2009:307-1 libtool 2009-12-06
Mandriva MDVSA-2009:318 xmlsec1 2009-12-05
Fedora FEDORA-2010-1872 gambas 2010-02-16
Fedora FEDORA-2010-1820 gnash 2010-02-13
Fedora FEDORA-2010-1833 gnash 2010-02-13
Mandriva MDVSA-2009:307 libtool 2009-11-30

Comments (none posted)

php: denial of service, arbitrary code execution

Package(s):php5 CVE #(s):CVE-2009-4017 CVE-2009-4018
Created:November 27, 2009 Updated:February 23, 2010
Description: From the Ubuntu advisory:

Bogdan Calin discovered that PHP did not limit the number of temporary files created when handling multipart/form-data POST requests. A remote attacker could exploit this flaw and cause the PHP server to consume all available resources, resulting in a denial of service.

It was discovered that PHP did not properly enforce restrictions in the proc_open function. An attacker could exploit this issue to bypass safe_mode_protected_env_vars restrictions and possibly execute arbitrary code with application privileges.

Alerts:
Slackware SSA:2010-024-02 php 2010-01-25
CentOS CESA-2010:0040 php 2010-01-15
Red Hat RHSA-2010:0040-01 php 2010-01-13
CentOS CESA-2010:0040 php 2010-01-13
SuSE SUSE-SR:2010:005 fetchmail, krb5, rubygem-actionpack-2_1, libexpat0, unbound, apache2-mod_php5/php5 2010-02-23
Gentoo 201001-03 php 2010-01-05
Fedora FEDORA-2010-0495 maniadrive 2010-01-14
Fedora FEDORA-2010-0495 php 2010-01-14
Mandriva MDVSA-2009:324 php 2009-12-07
Mandriva MDVSA-2009:304 php 2009-11-29
Mandriva MDVSA-2009:303 php 2009-11-28
Ubuntu USN-862-1 php5 2009-11-26
Mandriva MDVSA-2009:305 php 2009-11-29

Comments (none posted)

php: information disclosure

Package(s):php5 CVE #(s):CVE-2009-2626
Created:December 1, 2009 Updated:February 23, 2010
Description: From the Debian advisory: A flaw in the ini_restore() function could lead to a memory disclosure, possibly leading to the disclosure of sensitive data.
Alerts:
SuSE SUSE-SR:2010:005 fetchmail, krb5, rubygem-actionpack-2_1, libexpat0, unbound, apache2-mod_php5/php5 2010-02-23
Mandriva MDVSA-2010:008 php 2010-01-15
Mandriva MDVSA-2010:007 php 2010-01-15
Ubuntu USN-882-1 php5 2010-01-13
Gentoo 201001-03 php 2010-01-05
Debian DSA-1940-1 php5 2009-11-25

Comments (none posted)

php-pear-Mail: information disclosure

Package(s):php-pear-Mail CVE #(s):CVE-2009-4023 CVE-2009-4111
Created:December 1, 2009 Updated:November 3, 2010
Description: From the Fedora advisory:

PEAR's Mail class did not properly escape content of mail header fields, when using the sendmail backend. A remote attacker could send an email message, with specially-crafted headers to a local user, leading to disclosure of content and potentially, to modification of arbitrary system file, once the email message was processed by the PEAR's Mail class.

Alerts:
Gentoo 201412-09 racer-bin, fmod, PEAR-Mail, lvm2, gnucash, xine-lib, lastfmplayer, webkit-gtk, shadow, PEAR-PEAR, unixODBC, resource-agents, mrouted, rsync, xmlsec, xrdb, vino, oprofile, syslog-ng, sflowtool, gdm, libsoup, ca-certificates, gitolite, qt-creator 2014-12-11
SUSE SUSE-SR:2010:020 NetworkManager, bind, clamav, dovecot12, festival, gpg2, libfreebl3, php5-pear-mail, postgresql 2010-11-03
openSUSE openSUSE-SU-2010:0909-1 php5-pear-mail 2010-10-28
Mandriva MDVSA-2010:025 php-pear-Mail 2010-01-25
Fedora FEDORA-2009-12395 php-pear-Mail 2009-12-01
Fedora FEDORA-2009-12348 php-pear-Mail 2009-12-01
Fedora FEDORA-2009-12439 php-pear-Mail 2009-12-01

Comments (none posted)

php-pear-Net-Ping: arbitrary code execution

Package(s):php-pear-Net-Ping CVE #(s):CVE-2009-4024
Created:November 25, 2009 Updated:December 14, 2009
Description:

From the PHP-PEAR advisory:

Multiple remote arbitrary command injections have been found in the Net_Ping and Net_Traceroute.

Alerts:
Debian DSA-1949-1 php-net-ping 2009-12-12
Fedora FEDORA-2009-12156 php-pear-Net-Ping 2009-11-25
Fedora FEDORA-2009-11523 php-pear-Net-Ping 2009-11-16
Fedora FEDORA-2009-11613 php-pear-Net-Ping 2009-11-16

Comments (none posted)

php-pear-Net-Traceroute: arbitrary code execution

Package(s):php-pear-Net-Traceroute CVE #(s):CVE-2009-4025
Created:November 25, 2009 Updated:December 2, 2009
Description:

From the PHP-PEAR advisory:

Multiple remote arbitrary command injections have been found in the Net_Ping and Net_Traceroute.

Alerts:
Fedora FEDORA-2009-11551 php-pear-Net-Traceroute 2009-11-16
Fedora FEDORA-2009-11617 php-pear-Net-Traceroute 2009-11-16
Fedora FEDORA-2009-12083 php-pear-Net-Traceroute 2009-11-25
Gentoo 200911-06 pear-net_traceroute 2009-11-26

Comments (none posted)

poppler: multiple vulnerabilities

Package(s):poppler CVE #(s):CVE-2009-3903 CVE-2009-3904 CVE-2009-3905 CVE-2009-3906 CVE-2009-3907 CVE-2009-3908 CVE-2009-3909 CVE-2009-3938
Created:December 1, 2009 Updated:August 20, 2012
Description: From the Debian advisory:

Several integer overflows, buffer overflows and memory allocation errors were discovered in the Poppler PDF rendering library, which may lead to denial of service or the execution of arbitrary code if a user is tricked into opening a malformed PDF document.

Alerts:
Gentoo 201310-03 poppler 2013-10-06
Mandriva MDVSA-2011:175 poppler 2011-11-15
Mandriva MDVSA-2009:332-1 gimp 2010-04-28
SuSE SUSE-SR:2010:009 viewvc, krb5, pango, gimp, kdebase3, kde4-kdm 2010-04-14
Mandriva MDVSA-2010:055 poppler 2010-03-04
SuSE SUSE-SR:2009:020 apache2-mod_jk, cacti, cups, expat, finch/pidgin, htmldoc, kdelibs3/kdelibs4, libpoppler/poppler, lighttpd, opera, perl-HTML-Parser, pyxml, seamonkey, wireshark/ethereal, xntp, zope/zope3 2010-01-12
Ubuntu USN-880-1 gimp 2010-01-07
Slackware SSA:2009-345-01 gimp 2009-12-14
Mandriva MDVSA-2009:332 gimp 2009-12-11
Debian DSA-1941-1 poppler 2009-11-25

Comments (none posted)

roundcube: cross-site request forgery

Package(s):roundcubemail CVE #(s):CVE-2009-4076 CVE-2009-4077
Created:December 2, 2009 Updated:January 19, 2010
Description: Roundcube suffers from two cross-site request forgery vulnerabilities which enable attackers to hijack authentication credentials from users.
Alerts:
Mandriva MDVSA-2010:015 roundcubemail 2010-01-19
Fedora FEDORA-2009-12481 roundcubemail 2009-12-02

Comments (none posted)

wireshark: multiple arbitrary code execution vulnerabilities

Package(s):wireshark CVE #(s):CVE-2009-3243 CVE-2009-3549 CVE-2009-3551
Created:November 25, 2009 Updated:January 12, 2010
Description:

Dissector problems in TLS (CVE-2009-3243), Paltalk (CVE-2009-3549), and SMB (CVE-2009-3551).

From the Gentoo advisory:

A remote attacker could entice a user to open a specially crafted "erf" file using Wireshark, possibly resulting in the execution of arbitrary code with the privileges of the user running the application. A remote attacker could furthermore send specially crafted packets on a network being monitored by Wireshark or entice a user to open a malformed packet trace file using Wireshark, possibly resulting in a Denial of Service.

Alerts:
SuSE SUSE-SR:2009:020 apache2-mod_jk, cacti, cups, expat, finch/pidgin, htmldoc, kdelibs3/kdelibs4, libpoppler/poppler, lighttpd, opera, perl-HTML-Parser, pyxml, seamonkey, wireshark/ethereal, xntp, zope/zope3 2010-01-12
Gentoo 200911-05 wireshark 2009-11-25

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>


Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds