COMMAND
libedit
SYSTEMS AFFECTED
those using libedit
PROBLEM
Following is based on a FreeBSD Security Advisory. libedit is a
library of routines for providing command editing and history
retrieval for interactive command-oriented programs. Tim
Vanderhoek found this originally.
libedit incorrectly reads an ".editrc" file in the current
directory if it exists, in order to specify configurable program
behaviour. However it does not check for ownership of the file,
so an attacker can cause a libedit application to execute
arbitrary key rebindings and exercise terminal capabilities by
creating an .editrc file in a directory from which another user
executes a libedit binary (e.g. root running ftp(1) from /tmp).
This can be used to fool the user into unknowingly executing
program commands which may compromise system security. For
example, ftp(1) includes the ability to escape to a shell and
execute a command, which can be done under libedit control.
The supplied patch removes this behaviour and causes libedit to
only search for its configuration file in the home directory of
the user, if it exists and the binary is not running with
increased privileges (i.e. setuid or setgid).
An attacker can cause a user to execute arbitrary commands within
a program which is run from a directory to which the attacker has
write access, potentially leading to system compromise if run as
a privileged user (such as root).
SOLUTION
FreeBSD 3.5-RELEASE is not affected by this vulnerability,
although 4.0-RELEASE is affected since the problem was discovered
after it was released.
Do not interactively run utilities which link against libedit from
directories which can be written to by other users. To identify
utilities which link dynamically against libedit, download the
libfind tool and detached PGP signature as follows:
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:24/libfind.sh
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:24/libfind.sh.asc
Verify the detached signature using your PGP utility. Run the
libfind.sh tool as root, as follows:
# sh libfind.sh libedit /
Note that it is not feasible to locate utilities which link
statically against libedit since there are no common strings
embedded in such binaries. However the following is believed to
be a complete list of statically and dynamically linked FreeBSD
system utilities which link against the library:
/bin/sh
/sbin/fsdb
/usr/bin/ftp
/usr/sbin/cdcontrol
/usr/sbin/lpc
/usr/sbin/nslookup
/usr/sbin/pppctl
Because libedit is not a portable library in common use there are
unlikely to be many FreeBSD ports which link statically against
it: no such ports are known at this time.
Solution is one of the following:
1) Upgrade your vulnerable system to a version dated after the
correction date (2000-05-22)
2) Save the advisory into a file or download the patch and
detached PGP signature:
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:24/libedit.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:24/libedit.patch.asc
Verify the detached PGP signature using your PGP utility.
Apply the patch and rebuild as follows:
# cd /usr/src/lib/libedit
# patch -p < /path/to/patch/or/advisory
and rebuild your system as described FreeBSD Handbook.
--- el.c 1999/08/20 01:17:12 1.6
+++ el.c 2000/05/22 05:55:22 1.7
@@ -290,13 +294,10 @@
char *ptr, path[MAXPATHLEN];
if (fname == NULL) {
- fname = &elpath[1];
- if ((fp = fopen(fname, "r")) == NULL) {
- if (issetugid() != 0 || (ptr = getenv("HOME")) == NULL)
- return -1;
- (void)snprintf(path, sizeof(path), "%s%s", ptr, elpath);
- fname = path;
- }
+ if (issetugid() != 0 || (ptr = getenv("HOME")) == NULL)
+ return -1;
+ (void) snprintf(path, sizeof(path), "%s%s", ptr, elpath);
+ fname = path;
}
if ((fp = fopen(fname, "r")) == NULL)