qcam overflows

Summary
Description:several qcam apps as well as libqcam seem to have rather obvious security holes when installed setuid root.
Author:bst@INAME.COM
Compromise: root (local)
Vulnerable Systems:Thos running qcam, sqcam,xqcam, SANE-0.67. Mostly Linux boxes, perhaps BSD.
Date:20 April 1998
Details


Date: Mon, 20 Apr 1998 14:14:35 -0400
From: bst@INAME.COM
To: BUGTRAQ@NETSPACE.ORG

More Sunsite buggy soft:

   - ftp://sunsite.unc.edu/pub/Linux/apps/video/qcam-0.7c-5.tar.gz
   - ftp://sunsite.unc.edu/pub/Linux/apps/video/sqcam-0.1.tar.gz


We can see their Makefiles:
install:: all
        install -s -m 4755 -o root sqcam $(BINPATH)

and

install:: all
        install -s -m 4755 -o root qcam $(BINPATH)
        install -s -m 4755 -o root xqcam $(BINPATH)

then in the .c's:

     [...]
     sprintf(lockfile,"/tmp/LOCK.qcam.0x%x",q->port);
     if (-1 == (q->fd = open(lockfile, O_WRONLY | O_CREAT, 0666)))
     [...]

 Nothing to say here...

     [...]
     if (f == NULL) {
       sprintf(buf, "Cannot open configuration file %s!", file);
       perror(buf);
       return 1;
  }
  /* Where _file_ is a command line option */

 Nothing to say here neither...

Btw: Nothing to say ;)
Date: Mon, 20 Apr 1998 20:50:06 +0100
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
To: BUGTRAQ@NETSPACE.ORG
Subject: Qcam : Actually seems to be generic libqcam bug

> More Sunsite buggy soft:
>
>    - ftp://sunsite.unc.edu/pub/Linux/apps/video/qcam-0.7c-5.tar.gz
>    - ftp://sunsite.unc.edu/pub/Linux/apps/video/sqcam-0.1.tar.gz

This extends throughout every libqcam based application I've looked at
so far including the SANE-0.67 scanner package, which is often installed setuid
for 'safe' setuid targets like generic scsi.

None of them open the lock file safely.

Alan

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault