This Buffer Overflow thing...

From: Lamont Granquist <lamontg_at_raven.genome.washington.edu>
Date: Wed, 03 Feb 1999 16:47:53 -0800

| Lamont was kind enough to respond to my original message on this list. He
| said it would be a very good idea to wrap all setuid-root binaries, and we
| are evaluating this option right now. He also said not to worry unless your
| system is at an ISP, University, etc. Well, the one I am worried about is
| in the Computer Science department of a major University and is accessible
| to any undergrad or grad who applies for an account.

Well, I wouldn't say "not to worry", just that you have less to worry
about. The problem is still that your "perimeter" may still be breached
and it may be as easy as one of your users having an external account
broken into and the intruder getting in through a .rhosts file on your
machine. Still, your risk is less than if you've got 3,000 undergrads on
your system, any one of which might be monitoring BUGTRAQ...

And I would *STRONGLY* suggest that people assume that other exploitable
buffer overflows will be found, and that any suid application is "at risk"
and should be wrapped. I know that I'm looking for other buffer overflows
(subject to how much time I've got available) and I'm sure that other
people out there are as well. I am _quite_ sure that if I was unemployed
and had 10 hours/day to hack that I would have already found one or two
other exploitable buffer overflows.

Also, the patch for /usr/bin/mh/inc is at:

ftp://xfer.service.digital.com/to_customer/SSRT0583U.tar.gz

And the MD5 checksum of the file is:

MD5 (SSRT0583U.tar.gz) = bf03f67cf0ec69e335ba9dcc0cf88c13

-- 
Lamont Granquist                       lamontg_at_raven.genome.washington.edu
Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg_at_raven.genome.washington.edu | pgp -fka
Received on Thu Feb 04 1999 - 00:48:39 NZDT
