Date: Tue, 9 May 2000 12:20:49 -0700
From: FreeBSD Security Officer security-officer@freebsd.org
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:17.libmytinfo
FreeBSD-SA-00:17 Security Advisory
FreeBSD, Inc.
Topic: Buffer overflow in libmytinfo may yield increased privileges with third-party software.
Category: core
Module: libmytinfo
Announced: 2000-05-09
Affects: FreeBSD 3.x before the correction date.
Corrected: 2000-04-25
FreeBSD only: Yes
Patches:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libmytinfo.patch
I. Background
libmytinfo is part of ncurses, a text-mode display library.
II. Problem Description
libmytinfo allows users to specify an alternate termcap file or
entry via the TERMCAP environment variable. However, this value is
not handled securely: the library copies it into a fixed-size
buffer without a bounds check, so an over-long value overflows the
buffer.
This is a security vulnerability for binaries which are linked
against libmytinfo and which are setuid or setgid (i.e. run with
elevated privileges). It may also be a vulnerability in other, more
obscure situations where a user can exert control over the
environment in which an ncurses binary is run by another user.
FreeBSD 3.x and earlier versions use a very old, customized
version of ncurses which is difficult to update without breaking
backwards-compatibility. The update was made for FreeBSD 4.0, but
it is unlikely that 3.x will be updated. However, the ncurses
source is currently being audited for further vulnerabilities.
III. Impact
Certain setuid/setgid third-party software (including FreeBSD
ports/packages) may be vulnerable to a local exploit yielding
privileged resources, such as network sockets, privileged
filesystem access, or outright privileged shell access (including
root access).
No program in the FreeBSD base system is believed to be
vulnerable to the bug.
FreeBSD 4.0 and above are NOT vulnerable to this problem.
IV. Workaround
Remove any setuid or setgid binary which is linked against
libmytinfo (including statically linked), or remove set[ug]id
privileges from the file as appropriate.
The following instructions will identify the binaries installed
on the system which are candidates for removal or removal of file
permissions. Since there may be other as yet undiscovered
vulnerabilities in libmytinfo it may be wise to perform this audit
regardless of whether or not you upgrade your system as described
in section V below. In particular, see the note regarding static
linking in section V.
Of course, it is possible that some of the identified files may
be required for the correct operation of your local system, in
which case there is no clear workaround except for limiting the set
of users who may run the binaries, by an appropriate use of user
groups and removing the “o+x” file permission bit.
1) Download the ‘libfind.sh’ script from
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libfind.sh
e.g. with the fetch(1) command:
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:17/libfind.sh
Receiving libfind.sh (460 bytes): 100%
460 bytes transferred in 0.0 seconds (394.69 Kbytes/s)
#
2) Verify the md5 checksum and compare to the value below:
# /sbin/md5 libfind.sh
MD5 (libfind.sh) = 59dceaa76d6440c58471354a10a8fb0b
3) Run the libfind script against your system:
# sh libfind.sh /
This will scan your entire system for setuid or setgid binaries
which are linked against libmytinfo. Each returned binary should be
examined (e.g. with ‘ls -l’ and/or other tools) to determine what
security risk it poses to your local environment, e.g. whether it
can be run by arbitrary local users who may be able to exploit it
to gain privileges.
4) Remove the binaries, or reduce their file permissions, as
appropriate.
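The following is an added example of the kind of audit that steps 1-4 describe; it is not the advisory's libfind.sh script (which is not reproduced here). It assumes ldd(1) is available, and follows the convention from section V of reporting statically linked set[ug]id binaries as STATIC, since ldd cannot show which libraries such a binary embeds and they must be examined by hand:

```sh
#!/bin/sh
# Added example (not the advisory's libfind.sh): audit a directory tree for
# set[ug]id executables linked against libmytinfo, the section IV workaround.
# Assumptions: ldd(1) exists; statically linked binaries are reported as
# STATIC because ldd cannot tell which libraries they embed.
LIBNAME="${LIBNAME:-libmytinfo}"
LDD="${LDD:-ldd}"          # overridable so the logic can be exercised offline

# classify_ldd "<ldd output>" -> DYNAMIC (links $LIBNAME), STATIC, or NONE
classify_ldd() {
    case "$1" in
        *"$LIBNAME"*)                              echo DYNAMIC ;;
        *"not a dynamic"*|*"statically linked"*)   echo STATIC ;;
        *)                                         echo NONE ;;
    esac
}

# scan_setugid DIR -> one line per candidate: "<DYNAMIC|STATIC> <mode> <path>"
scan_setugid() {
    # -perm -4000 / -2000: setuid / setgid bit set (portable find syntax)
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        # ldd exits non-zero on static binaries; keep its message to classify
        out=$("$LDD" "$f" 2>&1 || true)
        kind=$(classify_ldd "$out")
        [ "$kind" = NONE ] && continue
        mode=$(ls -l "$f" | cut -c1-10)   # e.g. -rwsr-xr-x, as ls -l shows it
        echo "$kind $mode $f"
    done
}

# count_candidates DIR -> number of set[ug]id binaries needing review
count_candidates() {
    scan_setugid "$1" | wc -l | tr -d ' '
}

if [ $# -gt 0 ]; then
    scan_setugid "$1"
fi
```

Each reported path should then be checked as step 3 describes (who can execute it, and whether it is needed), and STATIC entries cannot be fixed by rebuilding the shared library alone.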
V. Solution
Upgrade your FreeBSD 3.x system to 3.4-STABLE after the
correction date, or patch your present system source code and
rebuild. Then run the libfind script as instructed in section IV
and identify any statically-linked binaries (those reported as
“STATIC” by the libfind script). These should either be removed,
recompiled, or have privileges restricted to secure them against
this vulnerability (since statically-linked binaries will not be
affected by recompiling the shared libmytinfo library).
To patch your present system: save the patch below into a file,
and execute the following commands as root:
cd /usr/src/lib/libmytinfo
patch < /path/to/patch/file
make all
make install
Patches for 3.x systems before the resolution date:
Index: findterm.c
===================================================================
RCS file: /usr/cvs/src/lib/libmytinfo/Attic/findterm.c,v
retrieving revision 1.3
diff -u -r1.3 findterm.c
--- findterm.c 1997/08/13 01:21:36 1.3
+++ findterm.c 2000/04/25 16:58:19
@@ -242,7 +242,7 @@
} else {
s = path->file;
d = buf;
- while(*s != '' && *s != ':')
+ while(*s != '' && *s != ':' && d - buf < MAX_LINE - 1)
*d++ = *s++;
*d = '';
if (_tmatch(buf, name)) {
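Review bot: the new bound `d - buf < MAX_LINE - 1` is only correct if `buf` in this function is declared with exactly `MAX_LINE` bytes, and the hunk does not show that declaration; please confirm it (or derive the bound from `sizeof(buf)`) so the two cannot drift apart. Note also that the check truncates silently: when the loop stops on length rather than on `':'`, `s` is left mid-entry instead of at the delimiter, so any code after this loop that expects `*s == ':'` needs to be checked. Separately, the `''` in `while(*s != '' ...` and `*d = '';` as shown here is not a valid C character constant; the original is presumably `'\0'` with the backslash lost in transmission, so anyone applying this patch by hand should verify it against the file at the Patches URL rather than this copy.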
@@ -259,7 +259,7 @@
} else {
s = path->file;
d = buf;
- while(*s != '' && *s != ',')
+ while(*s != '' && *s != ',' && d - buf < MAX_LINE - 1)
*d++ = *s++;
*d = '';
if (_tmatch(buf, name)) {
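Review bot: this hunk is the same bounded copy as the one at @@ -242 with `','` as the delimiter in place of `':'`, so the same caveats apply (confirm `buf` holds `MAX_LINE` bytes here too, and check what follows the loop when it stops on length rather than on the delimiter). Since the two loops now differ only in the delimiter, factoring them into one helper that copies at most `MAX_LINE - 1` bytes up to a given delimiter would keep a future fix from having to be applied twice and would make it harder for one of the copies to be missed.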