SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   File Alteration Monitor (FAM) Vendors:   SGI (Silicon Graphics)
File Alteration Monitor (FAM) Primary Group Handling Flaw May Disclose the Root User's Monitored File Names to Local Users
SecurityTracker Alert ID:  1005072
SecurityTracker URL:  http://securitytracker.com/id/1005072
CVE Reference:   CVE-2002-0875   (Links to External Site)
Updated:  Jan 5 2005
Original Entry Date:  Aug 17 2002
Impact:   Disclosure of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.6.7 and prior versions
Description:   A vulnerability was reported in the File Alteration Monitor (FAM) utility. The system may disclose some filenames belonging to another user to a local user.

A flaw was reported in the primary group handling. In some cases, a local user could learn the names of files in the 'root' user's group of files being monitored.

A demonstration exploit transcript is provided:

% ./test -d /root
FAMMonitorDirectory("/root")
FAMMonitorDirectory("/root")
DIR /root: /root Exists
DIR /root: .gnome Exists
DIR /root: Desktop Exists
...

For the original bug report, see the following URL:

http://oss.sgi.com/bugzilla/long_list.cgi?buglist=151

Impact:   A local user could learn the names of files being monitored by the 'root' level user.
Solution:   The vendor has released a fixed version (2.6.8), available at:

ftp://oss.sgi.com/www/projects/fam/download/

Vendor URL:  oss.sgi.com/projects/fam/index.html (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Debian Issues Fix) File Alteration Monitor (FAM) Primary Group Handling Flaw May Disclose the Root User's Monitored File Names to Local Users
Debian has released a fix.
Jan 5 2005 (Red Hat Issues Fix) File Alteration Monitor (FAM) Primary Group Handling Flaw May Disclose the Root User's Monitored File Names to Local Users
Red Hat has released a fix.



 Source Message Contents

Subject:  FAM bug


http://oss.sgi.com/bugzilla/long_list.cgi?buglist=151

Full Text Bug Listing
 
flaw in primary group handling - unable to FAM files in some directories
Bug#: 151 Product: fam Version: unspecified Platform: PC
OS/Version: All Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: wardle@adacel.com.au Reported By:
wardle@adacel.com.au QA Contact:
Component: fam
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=148853
Summary: flaw in primary group handling - unable to FAM files in some
directories
Keywords:
Description:

A problem we noticed recently in IRIX seems to be related to the bug
referenced
at the above URL.

When trying to FAM a directory the user should be able to read because
he/she
belongs to a group that has read and execute permissions on the
directory, the user only gets an Exists and EndExist event because the
user is denied permission.

For instance, on this directory:
drwxr-x--- jim users /users/shared

logged in as "bob" who is a member or group "users".

Bob will only get a Exists and EndExist event, instead of events for
every file inside /users/shared.

If the FAM daemon is running in debug mode, we notice:
fam[xxxx]: can't chdir("/users/shared"): Permission denied



------- Additional Comments From Michael Wardle 2002-06-02 19:55 -------

I've merged the IRIX groups code that we've been working on.  This
should fix
the problem.



------- Additional Comments From Michael Wardle 2002-06-02 21:00 -------

This bug also makes it possible to learn names of files in root's group
in some instances as follows:
----------------------------------------
# ls -ld /root
drwxr-x--- ... root root ... /root
# fam

% groups | grep root

ERRONEOUS BEHAVIOR
% ./test -d /root
FAMMonitorDirectory("/root")
FAMMonitorDirectory("/root")
DIR  /root:   /root Exists
DIR  /root:   .gnome Exists
DIR  /root:   Desktop Exists
...

CORRECT BEHAVIOR
% ./test -d /root
FAMMonitorDirectory("/root")
FAMMonitorDirectory("/root")
DIR  /root:   /root Exists
DIR  /root:   /root EndExist
---------------------------------------- 
(% indicates a command run as an unprivileged user)



------- Additional Comments From Michael Wardle 2002-07-15 16:30 -------

Created an attachment (id=35)
differences between Cred.c++ from 2.6.6 to 2.6.8 - biggest part of the
required fix



------- Additional Comments From Michael Wardle 2002-07-15 16:50 -------

Created an attachment (id=36)
differences between Cred module in 2.6.6 and 2.6.8 - should contain all
required changes


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC