Re: [Tiger-devel] Tiger-3.1 Buffer Overflow bug

[Javier Fernández-Sanguino Peña]

On Tue, Apr 22, 2003 at 02:59:02PM -0700, Steve G wrote:
> Hello,
> 
> Thanks for your fast responses!
> 
> >>Recently I ran across a bug in the 3.1 version of 
> >>Tiger.
> >
> >I fixed both issues in CVS.
> 
> Good. Since Tiger is used by admins & may have it on a cron
> job, it probably runs with root priv. I have not researched
> whether or not its possible to create shellcode that could
> be picked up by realpath, but if it were possible...imagine
> the consequences. This bug appears to go wayback in time,
> so older versions are vulnerable, too. (Other derivative
> programs like TARA have the same bug.) I'd give some
> thought to a 3.1.1 release with maybe just that file
> patched.

Will do. I will send a mail to the TARA team too with the fix and will 
talk with the Debian Security Team to see if a tiger 2.2.4 update should be 
considered with this fix too.

> 
> >>I also see all kinds of shell script errors in
> >>check_accounts, has anyone else reported this?
> >
> >this seems to be a problem with not using an up-to-date
> >tigerrc. 
> 
> What I did was use tiggerc-all, and customized it to my
> tastes. Maybe that file is out of sync? Did you update all
> the other tigerrc-* files?

Yes. It's out of sync, my mistake I should have updated all of them. The
documentation was not up-to-date either since the provided tigerrc includes
all (most?)  of the checks.

> 
> >I have fixed it, however, in CVS so that it introduces
> >proper defaults for tigerrc values if it does not find
> any.
> 
> I downloaded a new one from cvs and now have different
> issues. It cannot find awk or realpath. :( Changing back to
> my old tigerrc it knows awk & realpath, but has these other
> problems. Maybe awk & realpath are just the next problem
> after solving the default values.

Strange, that's not defined by tigerrc but by the Linux config file. Maybe 
I messed up something, will check.

> 
> >Just off-topic, could you provide some more info on 
> >your RH9 testing?
> 
> Actually, I think this is on topic for a devel list. :)
> 
> *Checking for indications of break-in...
> /bin/cat: ./run/pass.list.9176: No such file or directory
> /bin/cat: ./run/pass.list.9176: No such file or directory
> /bin/cat: ./run/pass.list.9176: No such file or directory

That's because run/  is not created. Probably a problem in the Makefile or 
in the tar.gz.

> 
> *Security report completed for name:
>  Error [post001e] file ./log/security.report.name.tmp.940
> not removed

Ditto for log/

> 
> * pass006w is given even though pwck -r | wc -l == 0
> * All of the ownership checks are off by 1 field as
> reported by ls -l. e.g. ls -l /bin/mail produces:
> 
> -rwxr-xr-x   1 root   mail   69276 Jan 25 00:06 /bin/mail
> 
> The scripts report the above as being owned by mail. It is
> clearly owned by root. I see some messages saying that a
> file is writeable by group '647'. The size is 647, the
> group was root.

Strange. That's supposed to be fixed (I clearly remember a Debian bug 
referring to this behaviour but got fixed in 3.1)

> *perm001w /etc/pam.d/sudo is world readable. There's alot
> more in the directory that is world readable. Besides,
> pam.d/sudo has to be world readable since its used to grant
> special access under different accounts. Why pick on that
> one file?

Will check.

> *misc010w complains about an old sendmail. Mine is brand
> new.

Funny, will check.

> *dev002 World writeable devices are reported. Line 149 in
> tigerrc says that they are never reported. (??) Since I
> have alot of devices, the output is huge.

Yes, that's a typo, fixed in CVS already.

> 
> 
> Wish List:
> * Check if ssh protocol 1 enabled /etc/ssh/sshd_config

Will do.

> * sysctl -a  Look for net.ipv4.icmp_echo_ignore_broadcasts,
> net.ipv4.icmp_echo_ignore_broadcasts,
> net.ipv4.conf.all.accept_source_route, and
> net.ipv4.conf.all.accept_redirects

That's done in systems/Linux/2/check_networkconfig already. 

> * if /etc/mtab has /var & /tmp partitions, warn if noexec
> isn't given.

Yes, I do have to make a proper partition check.

> */etc/hosts.deny check for ALL:ALL

Why? Shouldn't it be hosts.allow the one giving the warning?

> * warn if any .rpmnew or .rpmsave files are found. Signs of
> an upgrade trying to replace a config. Admin needs to
> handle the merge & delete them.

Sorry, I don't do RH, if you can provide a simple check I can turn it into 
a module (see README.writemodules)

> */sbin/nologin is used by all accounts that are disabled
> under Red Hat for their shell. It is not in /etc/shells.
> tiger complains about each of these accounts. It would be
> good if it suggested putting /sbin/nologin into the shells
> and suppress the messages for that shell. /sbin/nologin
> deserves special treatment if it exists, is executable, is
> owned by root, & writeable only by root.
> 

I was considering doing something for 'noshell' too (provided in Titan and 
used extensively). I will take a look.


> Hope this helps...

Helps a lot. Will need to squash some bugs tomorrow.
One of the nice things about 3.2, however, is that one could provide a 
baseline of checks that are not relevant for a given OS (but are for 
others). It would be nice if you could provide me with a vanilla report on 
a RH install, or you'll have to wait until I have time to install one. A 
sample baseline for Debian is now in the 3.2 version.

Best regards

Javi

pgpcmkGbEZbAr.pgp
Description: PGP signature