Wireshark-bugs: [Wireshark-bugs] [Bug 3523] New: Inconsistent results of started_with_special_pr
Date: Wed, 10 Jun 2009 02:54:53 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3523

           Summary: Inconsistent results of started_with_special_privs(),
                    potential security hole
           Product: Wireshark
           Version: 1.0.7
          Platform: x86
        OS/Version: All
            Status: NEW
          Severity: Major
          Priority: Medium
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: mkes@xxxxxxxxxxxxxxx


Created an attachment (id=3101)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=3101)
Test C++ source code

Build Information:
Not applicable.
--
The alternative implementations of the started_with_special_privs() function in
privileges.c give different results in some situations. 
If I compile the attached test on FreeBSD (7.0-RELEASE), which supports the
issetugid() call, and run it in different scenarios, the results given by
issetugid() are not the same as those given by the getuid() geteuid() ... based
test.

Nonprivileged user (uid=1000, gid=100):
> /tmp/uidtest
Real user ID = 1000
Effective user ID = 1000
Real group ID = 100
Effective group ID = 100
Running with special privileges (issetugid): no
Running with special privileges (get_X_id): no

The same user using sudo:
> sudo /tmp/uidtest
Password:
Real user ID = 0
Effective user ID = 0
Real group ID = 0
Effective group ID = 0
Running with special privileges (issetugid): no
Running with special privileges (get_X_id): yes

The same user with user/group 's' bits set:
> ls -l /tmp/uidtest
-rwsr-sr-x  1 root  wheel  8920 Jun  9 17:22 /tmp/uidtest
> /tmp/uidtest
Real user ID = 1000
Effective user ID = 0
Real group ID = 100
Effective group ID = 0
Running with special privileges (issetugid): yes
Running with special privileges (get_X_id): yes

Running as root:
# /tmp/uidtest
Real user ID = 0
Effective user ID = 0
Real group ID = 0
Effective group ID = 0
Running with special privileges (issetugid): no
Running with special privileges (get_X_id): yes

The results should be the same for both implementations.

Moreover, the result of the issetugid() based test is a security hole in
combination with the implementation of the init_plugin_dir() function in
epan/filesystem.c when running using sudo.
If the sudo configuration gives a nonprivileged user the right to run only
the wireshark executable as root, the user can override the built-in plugin
directory path using the WIRESHARK_PLUGIN_DIR system variable and run arbitrary
plugin code with root privileges.


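Added example, not part of the original report and not Wireshark's own code: a conservative privilege check that gates the WIRESHARK_PLUGIN_DIR override, replayable against the credential sets from the four runs above. The struct, the function names and the built-in path are hypothetical, and special_mismatch_only() is only a simplified model of the issetugid() answers shown in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Credentials are passed explicitly so each scenario can be replayed. */
struct creds { uid_t ruid, euid; gid_t rgid, egid; };

/* Simplified model of the issetugid() answers in the report: only a
 * real/effective mismatch (set-uid or set-gid exec) counts as special. */
static int special_mismatch_only(struct creds c)
{
    return c.ruid != c.euid || c.rgid != c.egid;
}

/* Conservative check: a mismatch OR a root identity counts, so a process
 * started through sudo or from a root shell is also treated as special. */
static int special_conservative(struct creds c)
{
    return special_mismatch_only(c) || c.ruid == 0 || c.euid == 0;
}

/* Honour the environment override only for an unprivileged process;
 * otherwise fall back to the compiled-in directory. */
static const char *choose_plugin_dir(struct creds c, const char *env_override,
                                     const char *builtin)
{
    if (env_override != NULL && env_override[0] != '\0' &&
        !special_conservative(c))
        return env_override;
    return builtin;
}

int main(void)
{
    struct creds me = { getuid(), geteuid(), getgid(), getegid() };
    /* Constructed placeholder path, not the project's real default. */
    const char *builtin = "/opt/example/lib/plugins";
    const char *dir = choose_plugin_dir(me, getenv("WIRESHARK_PLUGIN_DIR"),
                                        builtin);
    printf("special (mismatch only): %s\n",
           special_mismatch_only(me) ? "yes" : "no");
    printf("special (conservative):  %s\n",
           special_conservative(me) ? "yes" : "no");
    printf("plugin dir: %s\n", dir);
    return 0;
}
```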