
Re: [Tiger-devel] Tiger-3.1 Buffer Overflow bug

From: Steve G
Subject: Re: [Tiger-devel] Tiger-3.1 Buffer Overflow bug
Date: Tue, 22 Apr 2003 14:59:02 -0700 (PDT)


Thanks for your fast responses!

>>Recently I ran across a bug in the 3.1 version of 
>I fixed both issues in CVS.

Good. Since Tiger is used by admins & may have it on a cron
job, it probably runs with root priv. I have not researched
whether or not it's possible to create shellcode that could
be picked up by realpath, but if it were possible...imagine
the consequences. This bug appears to go way back in time,
so older versions are vulnerable, too. (Other derivative
programs like TARA have the same bug.) I'd give some
thought to a 3.1.1 release with maybe just that file

>>I also see all kinds of shell script errors in
>>check_accounts, has anyone else reported this?
>this seems to be a problem with not using an up-to-date

What I did was use tigerrc-all, and customized it to my
tastes. Maybe that file is out of sync? Did you update all
the other tigerrc-* files?

>I have fixed it, however, in CVS so that it introduces
>proper defaults for tigerrc values if it does not find

I downloaded a new one from cvs and now have different
issues. It cannot find awk or realpath. :( Changing back to
my old tigerrc, it knows awk & realpath, but has these other
problems. Maybe awk & realpath are just the next problem
after solving the default values.

>Just off-topic, could you provide some more info on 
>your RH9 testing?

Actually, I think this is on topic for a devel list. :)

*Checking for indications of break-in...
/bin/cat: ./run/pass.list.9176: No such file or directory
/bin/cat: ./run/pass.list.9176: No such file or directory
/bin/cat: ./run/pass.list.9176: No such file or directory

*Security report completed for name:
 Error [post001e] file ./log/security.report.name.tmp.940
not removed

* pass006w is given even though pwck -r | wc -l == 0
* All of the ownership checks are off by 1 field as
reported by ls -l. e.g. ls -l /bin/mail produces:

-rwxr-xr-x   1 root   mail   69276 Jan 25 00:06 /bin/mail

The scripts report the above as being owned by mail. It is
clearly owned by root. I see some messages saying that a
file is writeable by group '647'. The size is 647, the
group was root.
*perm001w /etc/pam.d/sudo is world readable. There's a lot
more in the directory that is world readable. Besides,
pam.d/sudo has to be world readable since it's used to grant
special access under different accounts. Why pick on that
one file?
*misc010w complains about an old sendmail. Mine is brand
*dev002 World writeable devices are reported. Line 149 in
tigerrc says that they are never reported. (??) Since I
have a lot of devices, the output is huge.

Wish List:
* Check if ssh protocol 1 is enabled in /etc/ssh/sshd_config
* sysctl -a: look for net.ipv4.icmp_echo_ignore_broadcasts,
net.ipv4.conf.all.accept_source_route, and
* If /etc/mtab has /var & /tmp partitions, warn if noexec
isn't given.
* /etc/hosts.deny: check for ALL:ALL
* Warn if any .rpmnew or .rpmsave files are found. Signs of
an upgrade trying to replace a config. Admin needs to
handle the merge & delete them.
* /sbin/nologin is used by all accounts that are disabled
under Red Hat for their shell. It is not in /etc/shells.
tiger complains about each of these accounts. It would be
good if it suggested putting /sbin/nologin into the shells
and suppressed the messages for that shell. /sbin/nologin
deserves special treatment if it exists, is executable, is
owned by root, & writeable only by root.

Hope this helps...

-Steve Grubb
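As an added example (not Tiger's own code, and not part of Steve's message), four of the wish-list checks above written as small POSIX sh functions in the style of Tiger's "--WARN--" report lines. The sample /etc tree, mtab contents and the exact warning wording are constructed for the example rather than taken from Tiger.

```shell
# Added example (not Tiger's own code): four of the wish-list checks above
# as small POSIX sh functions in the "--WARN--" style of Tiger's reports.
# Each takes the path of the file or directory to inspect and exits 0 when
# it has a finding, 1 when the item is clean, so it is easy to script around.

# sshd_config still allows SSH protocol 1 ("Protocol 1" or "Protocol 2,1").
check_ssh_protocol1() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -Eiq '^[[:space:]]*Protocol[[:space:]]+(.*,)?1(,.*)?[[:space:]]*$' &&
        echo "--WARN-- $1 still enables SSH protocol 1"
}

# A mounted /tmp or /var lacks the noexec option (mtab fields:
# device mountpoint fstype options dump pass).
check_noexec() {
    awk '($2 == "/tmp" || $2 == "/var") && ("," $4 ",") !~ /,noexec,/ {
             found = 1; print "--WARN-- " $2 " is mounted without noexec" }
         END { exit (found ? 0 : 1) }' "$1"
}

# hosts.deny has no catch-all ALL:ALL rule.
check_hosts_deny() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -Eiq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL([[:space:]:]|$)' && return 1
    echo "--WARN-- $1 has no ALL:ALL rule"
}

# Leftover .rpmnew / .rpmsave files: an upgrade could not replace a config.
check_rpm_leftovers() {
    find "$1" -type f \( -name '*.rpmnew' -o -name '*.rpmsave' \) |
        awk '{ found = 1; print "--WARN-- unmerged package config: " $0 }
             END { exit (found ? 0 : 1) }'
}

# Constructed sample tree standing in for a host's /etc; removed on exit.
SAMPLE=$(mktemp -d); trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/etc/ssh" "$SAMPLE/etc/pam.d"
printf '# sshd_config\nPort 22\nProtocol 2,1\n' > "$SAMPLE/etc/ssh/sshd_config"
printf '/dev/hda1 / ext3 rw 0 0\n/dev/hda5 /tmp ext3 rw,nosuid 0 0\n' > "$SAMPLE/etc/mtab"
printf '/dev/hda6 /var ext3 rw,noexec 0 0\n' >> "$SAMPLE/etc/mtab"
printf '# deny nothing by default\n' > "$SAMPLE/etc/hosts.deny"
: > "$SAMPLE/etc/pam.d/sudo.rpmnew"

# Stand-alone run: every check below reports one finding on the sample tree.
check_ssh_protocol1 "$SAMPLE/etc/ssh/sshd_config"
check_noexec "$SAMPLE/etc/mtab"
check_hosts_deny "$SAMPLE/etc/hosts.deny"
check_rpm_leftovers "$SAMPLE/etc"
```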
