
So cunning you could brush your teeth with it.

Let's take a look at a new tool available in Lenny & Sid:

apt-get source acon

int main(int argc,char **argv)
{
        int i,tty,useunicode=0;
        char *fontf=0,*translationf=0,*keymapf=0;

        get_ids();
        set_user_id();

        /*Read configure file if no input options*/
        if(argc<2)
        {
                char *env;
                FILE *fp;
                char font[300],translation[300],keymap[300];
                char tmp[300];          /* fixed-size stack buffer */

                font[0]=translation[0]=keymap[0]=0;
                if((env=getenv("HOME")))
                        /* $HOME is chosen by the caller and has no length limit:
                           anything over 288 bytes runs off the end of tmp[]
                           (this is the CVE-2008-1994 overflow) */
                        sprintf(tmp,"%s/.acon.conf",env);
                else
                        strcpy(tmp,"/etc/acon.conf");

Hmmm. sprintf() of an unbounded $HOME into a 300-byte stack buffer: nice use of the environment there. I wonder what permissions the binary has:

skx@gold:~$ ls -l /usr/bin/acon
-rwsr-xr-x 1 root root 48672 2008-06-09 10:50 /usr/bin/acon

setuid(0) - just say no.
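For the curious, here is that one line beside how it should have been written. This is an added example, not acon's code and not any Debian patch: the function names, the CONF_BUF constant and the long-HOME helper are mine, and the only thing taken from acon is the 300-byte buffer size and the "$HOME/.acon.conf" / "/etc/acon.conf" layout. It counts how many bytes the original sprintf() would write for a given HOME, and shows a bounded builder that refuses to truncate, refuses a relative HOME, and still falls back to the system-wide file when HOME is unset.

```c
/* Added example: bounded replacement for acon's
 *     sprintf(tmp, "%s/.acon.conf", env);
 * Not acon's code; CONF_BUF mirrors its tmp[300]. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CONF_BUF     300                 /* same size as acon's tmp[300] */
#define CONF_SUFFIX  "/.acon.conf"
#define SYSTEM_CONF  "/etc/acon.conf"

/* Bytes the original unbounded sprintf() writes for this HOME, NUL included.
 * Anything above CONF_BUF is written past the end of the stack buffer. */
size_t acon_style_needed(const char *home)
{
    return strlen(home) + strlen(CONF_SUFFIX) + 1;
}

/* Bounded version. Returns 0 and fills out[] with "$HOME/.acon.conf" when it
 * fits, uses SYSTEM_CONF when home is NULL, and returns -1 with out[] empty
 * when the path would not fit or HOME is not absolute. A setuid program should
 * never open a relative path its caller picked, and a silently truncated path
 * is a different file, so truncation is treated as an error, not a result. */
int build_conf_path(const char *home, char *out, size_t outlen)
{
    int n;

    if (outlen == 0)
        return -1;
    out[0] = '\0';

    if (home == NULL) {
        n = snprintf(out, outlen, "%s", SYSTEM_CONF);
    } else {
        if (home[0] != '/')
            return -1;
        n = snprintf(out, outlen, "%s%s", home, CONF_SUFFIX);
    }

    /* snprintf reports the length it wanted; >= outlen means it was cut off. */
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed input: an absolute HOME of exactly len bytes ("/AAAA..."),
 * the kind of value a local user sets before running the setuid binary.
 * Caller frees. */
char *make_long_home(size_t len)
{
    char *h;

    if (len == 0)
        return NULL;
    h = malloc(len + 1);
    if (h == NULL)
        return NULL;
    h[0] = '/';
    memset(h + 1, 'A', len - 1);
    h[len] = '\0';
    return h;
}

/* 1 if build_conf_path() accepts home and produces exactly expected. */
int conf_path_equals(const char *home, const char *expected)
{
    char buf[CONF_BUF];

    if (build_conf_path(home, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* 1 if a HOME of len bytes would overrun acon's buffer under the original
 * sprintf() but is cleanly rejected by the bounded builder. */
int long_home_overflows_but_is_rejected(size_t len)
{
    char buf[CONF_BUF];
    char *home = make_long_home(len);
    int overflows, rejected;

    if (home == NULL)
        return 0;
    overflows = acon_style_needed(home) > CONF_BUF;
    rejected  = build_conf_path(home, buf, sizeof buf) == -1 && buf[0] == '\0';
    free(home);
    return overflows && rejected;
}

int main(void)
{
    printf("HOME=/home/skx -> %s\n",
           conf_path_equals("/home/skx", "/home/skx/.acon.conf") ? "ok" : "FAIL");
    printf("400-byte HOME: needed %zu bytes, buffer %d, rejected=%d\n",
           (size_t)400 + strlen(CONF_SUFFIX) + 1, CONF_BUF,
           long_home_overflows_but_is_rejected(400));
    return 0;
}
```

The length check is the smaller half of the fix. The larger half is the one the post is really about: a program that runs as root should not be reading HOME from its caller at all (getpwuid(getuid())->pw_dir is the system's answer to "whose home directory"), and it should have dropped root for good before it touched any of this.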

ObTitle: Blackadder II

Comments On This Entry

  1. [gravitar] Florian Weimer
    It's #475733 and supposedly fixed. I haven't looked at the package, though.
  2. [gravitar] Des
    I don't get it. Is this really the way to report this? I didn't find any bug#, and disclosing things like this... am I missing something?
  3. [gravitar] Joe Buck
    Hope there's an RC bug for that one.
  4. [author] Steve

    I saw the bug, but I'm scared of the code. e.g. the my_system call.

    Still it does look like permissions are dropped prior to that being invoked.

  5. [gravitar] brian m. carlson
    There was a call for an audit on debian-audit, and I audited the code. My recommendation to Moritz was that this code not be released due to the use of fixed-size buffers, magic constants, and unsafe functions (strcpy and sprintf). Apparently nobody listened. See #476603.
  6. [gravitar] Helmut Grohne
    Have you seen http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475733 or did it happen again?
    Helmut
  7. [gravitar] nion
    C'mon Steve, this blog post is really not fair, there is a) a bug for that and b) you didn't see debian/patches/05-CVE-2008-1994.diff did you? :)
  8. [author] Steve Kemp

    Nion you're probably right.

    I was updating my list of Setuid/setgid binaries in the archive and this package contained one near the top of the list. (Full list on gluck in ~skx/).

    I started being shocked at the code. Then I saw the CVE assignment and remembered we'd had a discussion.

    I personally believe this package:

    • Shouldn't have ever been accepted into the archive.
    • Shouldn't be in Lenny.

    I know that there were patches, but the application as a whole is not written in a secure fashion - and to require setuid(0) privileges just makes me scared.

  9. [gravitar] rjc
    Seeing this and the last OpenSSL-related problems, one thing comes to my mind - OpenBSD-style code audit.
  10. [gravitar] Jon
    rjc: well, in this case, the code *was* audited, sufficiently enough for the auditor to decide the code was not suitable for the OS. What is needed is perhaps for existing audits to be paid attention to?
  11. [gravitar] Thomas
    The package has by now been removed at the request of the maintainer. Mind you: this package did provide a unique feature to Debian, even if it is too bad to have in Debian. Luckily, a better-designed alternative seems to be available, but it still needs some work.
  12. [gravitar] James
    Why does this post keep going to the top of Planet Debian?
  13. [author] Steve Kemp

    I failed to add a date to this entry, so each time I rebuilt the blog (to add the comments), it was marked as "new".

    Thanks for pointing it out to me, I've fixed it now.