misc/108020: Comsat does not verify return values of getpwnam and setuid

Bjoern Voigt bjoern at cs.tu-berlin.de
Tue Jan 16 21:50:24 UTC 2007 

>Number:         108020
>Category:       misc
>Synopsis:       Comsat does not verify return values of getpwnam and setuid
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 16 21:50:21 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Bjoern Voigt
>Release:        6.2-PRERELEASE
>Organization:
>Environment:
FreeBSD mybox 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #2: Sun Nov 26 21:50:02 CET 2006     root at mybox:/usr/obj/lx/suse/var/ctm/src/sys/GENERIC.bv  i386
>Description:
I reviewed the code of comsat (/usr/src/libexec/comsat/comsat.c).

There are two potential problems in function jkfprintf():

[...]
        /* Set effective uid to user in case mail drop is on nfs */
        if ((p = getpwnam(user)) != NULL)
                (void) setuid(p->pw_uid);
[...]

1) If getpwnam() fails the function is continued without dropping privileges.
2) The return value of setuid() is not checked. The manual page says that setuid() could only fail for non-root. Anyway, it's no good style to ignore the result of setuid().
>How-To-Repeat:
Faked comsat requests could be generated with "nc" (netcat). A "bad" user could send non-existing user names (getpwnam() will fail and setuid() will not be called). He could also send file names which should not be readable by the user with receives the biff messages. 

netcat could be used this way (tested with netcat from ports collection):

$ /usr/local/bin/nc -u localhost 512
user at 0:/some/file
Control-c
(Mail for "user", offset byte 0, mailbox "/some/file")
>Fix:
getpwnam problem:
I suggest to return function jkfprintf() if getpwnam() fails.

setuid problem:
I suggest to return function jkfprintf() if getpwnam() fails and if getuid() returns 0 (root). The check for user root may not be necessary since normal users can not really switch the uid with setuid() if the program is not installed with set-uid (as far as I know).

I could help with a patch and with testing.
>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list