COMMAND

    seyon

SYSTEMS AFFECTED

    FreeBSD 3.3

PROBLEM

    Brock Tellier found the following. It was tested on FreeBSD
    3.3-RELEASE. The program was installed with the default perms
    given when unpacked with sysinstall:

        -rwxr-sr-x 1 bin dialer 88480 Sep 11 00:55 /usr/X11R6/bin/seyon

    To summarize: Seyon was supposedly not meant to run with
    additional privileges. There are numerous problems with seyon and
    Brock has probably not found all of them. They are:

    Buffer Overflows
    ================
    1. $HOME
    2. seyon -emulator $BUF
    3. seyon -modems $BUF
    4. many long text box input string overflows while in program

    Input Validation
    ================
    1. seyon will search $PATH for "xterm" and "seyon-emu" and exec
       them with full privs (as noted in previous advisory)
    2. seyon -emulator /program/to/execute/with/full/privs

    These privileges might be upgradable to root if you are able to
    a) trojan a dialer-writable file, b) use a symlink attack to
    clobber .rhosts or similar, or c) snoop device i/o.

    Brock has not written buffer overflow exploits for Seyon since an
    equivalent-yield program execution vulnerability exists, but it is
    certainly possible. The latter exploit is:

        seyon -emulator /program/to/execute

    Note that you'll have to execute a program that will ignore the
    args that seyon passes to it automatically, as shown:

        bash-2.03$ echo 'void main() { system("/usr/bin/id"); }' > id.c
        bash-2.03$ gcc -o id id.c
        bash-2.03$ seyon -emulator ./id
        uid=1000(xnec) gid=1000(xnec) egid=68(dialer) groups=68(dialer), 1000(xnec)

SOLUTION

    Remove suid bit...  Latest seyon should fix that.
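
    The egid=68(dialer) in the output above shows the helper inheriting
    the group seyon was installed with. As an added example (not code
    from seyon or from the original advisory), this is one way a
    set-id program can give up its extra IDs before it execs a
    user-chosen helper; drop_privs and run_helper are hypothetical
    names.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: permanently give up set-id privileges so that the
 * real, effective and saved IDs are all the invoking user's. The group is
 * dropped first. Returns 0 on success, -1 on failure. */
int drop_privs(void)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();

    if (setregid(rgid, rgid) != 0 || setreuid(ruid, ruid) != 0)
        return -1;
    /* Verify the result: a partial drop must never reach exec. */
    if (getegid() != rgid || geteuid() != ruid)
        return -1;
    return 0;
}

/* Hypothetical helper: run a user-chosen program (such as the -emulator
 * argument) in a child that has dropped privileges first. Any $PATH
 * search then happens with the caller's own credentials only.
 * Returns the child's exit status, or -1 on error. */
int run_helper(const char *file, char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privs() != 0)
            _exit(126);          /* refuse to exec while still privileged */
        execvp(file, argv);
        _exit(127);              /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    return run_helper(argv[1], &argv[1]);
}
```

    With the drop done in the child, the parent keeps the dialer group
    for its own device access while the helper runs as the invoking
    user only.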