Is there a reason anyone competent would follow vendor instructions to install it suid?
This Tweet was deleted by the Tweet author. Learn more
Conversation
Replying to
The vendor software installs it setuid for you. It's not like they give you a choice, you just have to remove it later or be aware they did it.
1
Replying to
But why would you run the vendor installer as root rather than as user or fakeroot?
3
1
Replying to
it prompts for elevated permissions on install, additionally most package managers like ArchLinux yourt include the binary as setuid root. I discovered this bug while hacking on the defcon2018 badge.
1
Worth noting that it's a third party package outside the officially repositories for people that aren't familiar with that. Lots of those unofficial packages make bad decisions, although they're just packaging the results of the installer in this case.
Sure, this is what's happening, but it's irresponsible on the distro's part. A modern distro should have a pretty absolute policy of no suids outside the core packages, or at least not in contrib packages that aren't subject to the level of review main-repo ones are.
1
1
5
It's a completely third party package, not one in a distribution contrib repository. Third party packages can be outright malicious and it doesn't even need to be subtle. It's a bad idea to use AUR helpers like yaourt since they encourage blindly trusting third party code.
2
2
Show replies
exactly, it's the vendor at fault here - though I think strcpy() in argument handling to heap/stack is a crime in itself. It's literally 2018 and this bug class is 44 years old.
1