qcam overflows
Description: Several qcam apps, as well as libqcam, seem to have rather obvious security holes when installed setuid root.
Author: bst@INAME.COM
Compromise: root (local)
Vulnerable Systems: Those running qcam, sqcam, xqcam, SANE-0.67. Mostly Linux boxes, perhaps BSD.
Date: 20 April 1998
Date: Mon, 20 Apr 1998 14:14:35 -0400
From: bst@INAME.COM
To: BUGTRAQ@NETSPACE.ORG
More Sunsite buggy soft:
- ftp://sunsite.unc.edu/pub/Linux/apps/video/qcam-0.7c-5.tar.gz
- ftp://sunsite.unc.edu/pub/Linux/apps/video/sqcam-0.1.tar.gz
We can see their Makefiles:
    install:: all
            install -s -m 4755 -o root sqcam $(BINPATH)
and
    install:: all
            install -s -m 4755 -o root qcam $(BINPATH)
            install -s -m 4755 -o root xqcam $(BINPATH)
then in the .c's:
    [...]
    sprintf(lockfile,"/tmp/LOCK.qcam.0x%x",q->port);
    if (-1 == (q->fd = open(lockfile, O_WRONLY | O_CREAT, 0666)))
    [...]
Nothing to say here...
    [...]
    if (f == NULL) {
        sprintf(buf, "Cannot open configuration file %s!", file);
        perror(buf);
        return 1;
    }
    /* Where _file_ is a command line option */
Nothing to say here either...
Btw: Nothing to say ;)
Date: Mon, 20 Apr 1998 20:50:06 +0100
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
To: BUGTRAQ@NETSPACE.ORG
Subject: Qcam : Actually seems to be generic libqcam bug
> More Sunsite buggy soft:
>
> - ftp://sunsite.unc.edu/pub/Linux/apps/video/qcam-0.7c-5.tar.gz
> - ftp://sunsite.unc.edu/pub/Linux/apps/video/sqcam-0.1.tar.gz
This extends throughout every libqcam based application I've looked at
so far including the SANE-0.67 scanner package, which is often installed setuid
for 'safe' setuid targets like generic scsi.
None of them open the lock file safely.
Alan
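
What opening the lock file safely can look like, as an added example that is not code from the posts above or from libqcam. The function name `open_lock_safely`, its `lockdir` parameter and the scratch directory in `main` are assumptions made for the illustration; the lock file name pattern is the one quoted in the first message.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create the per-port lock file inside lockdir.
 * Returns an open descriptor, or -1 with errno set. */
int open_lock_safely(const char *lockdir, unsigned port)
{
    char path[256];
    int n = snprintf(path, sizeof path, "%s/LOCK.qcam.0x%x", lockdir, port);
    if (n < 0 || (size_t)n >= sizeof path) { errno = ENAMETOOLONG; return -1; }

    /* O_CREAT|O_EXCL: fail if anything, including a symlink, already
     * sits at the path, so a pre-planted link is never followed.
     * Mode 0600 instead of the world-writable 0666 in the original. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;

    /* Confirm the descriptor is a regular, singly linked file we own. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}

int main(void)
{
    char dir[] = "/tmp/qcamdemo.XXXXXX";   /* constructed scratch directory */
    char lnk[300], target[300];
    if (!mkdtemp(dir)) return 1;
    snprintf(lnk, sizeof lnk, "%s/LOCK.qcam.0x378", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, lnk) != 0) return 1;   /* link already at the lock path */

    int fd = open_lock_safely(dir, 0x378);
    printf("0x378 (symlink present): fd=%d %s\n", fd, fd < 0 ? strerror(errno) : "");
    fd = open_lock_safely(dir, 0x278);
    printf("0x278 (clean path):      fd=%d\n", fd);
    return 0;
}
```

Because of `O_EXCL`, the lock holder has to unlink the file when it exits, or the next run is refused. Passing a directory that only root can write to, rather than /tmp, removes the chance for another user to place anything at the lock path in the first place.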
This page is part of Fyodor's exploit
world.