Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 09 Oct 2001 17:22:24 -0400
From:      Daniel Frazier <dfrazier@magpage.com>
To:        questions@freebsd.org
Subject:   [Fwd: FreeBSD Security Advisory FreeBSD-SA-01:62.uucp]
Message-ID:  <3BC36A90.6030801@magpage.com>

next in thread | raw e-mail | index | archive | help
I'm having a problem with this.  I applied the patch and got the message
saying that a rversed or previously applied patch was detected and asked
if it should assume "-R".  I answered yes for each time it asked me that.
Applied the patch again and it went fine.  Then I did "make depend &&
make all install" and got the following after 5-8 minutes...

===> libexec/uucpd
install -c -s -o root -g wheel -m 555   uucpd /usr/libexec
install -c -o root -g wheel -m 444 uucpd.8.gz  /usr/share/man/man8
===> libexec/rtld-elf
install -c -s -o root -g wheel -m 555  -fschg -C -b ld-elf.so.1 /usr/libexec
install: illegal option -- b
usage: install [-CcDpsv] [-f flags] [-g group] [-m mode] [-o owner] file1 file2
        install [-CcDpsv] [-f flags] [-g group] [-m mode] [-o owner] file1 ...
              fileN directory
        install -d [-v] [-g group] [-m mode] [-o owner] directory ...
*** Error code 64

Stop in /usr/src/libexec/rtld-elf.
*** Error code 1

Stop in /usr/src/libexec.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.

Any input as to how I can safely recover from this?  Thanks.


-- 
----------------------------------------------------------------------
Daniel Frazier  <dfrazier@magpage.com>   Tel:  302-239-5900 Ext. 231
Systems Administrator                    Fax:  302-239-3909
MAGPAGE, We Power the Internet           WWW:  http://www.magpage.com/

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
          - Benjamin Franklin, Historical Review of Pennsylvania, 1759.


-------- Original Message --------
Subject: FreeBSD Security Advisory FreeBSD-SA-01:62.uucp
Date: Mon, 8 Oct 2001 14:08:41 -0700 (PDT)
From: FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>
Reply-To: security-advisories@FreeBSD.ORG
To: FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:62                                           Security Advisory
                                                                  FreeBSD, Inc.

Topic:          UUCP allows local root exploit

Category:       core
Module:         uucp
Announced:      2001-10-08
Credits:        zen-parse@gmx.net
Affects:        All released versions of FreeBSD 4.x prior to 4.4.
                  FreeBSD 4.3-STABLE prior to the correction date.
Corrected:      2001-09-10 20:22:57 UTC (FreeBSD 4.3-STABLE)
                  2001-09-10 22:30:28 UTC (RELENG_4_3)
FreeBSD only:   NO

I.   Background

Taylor UUCP is an implementation of the Unix-to-Unix Copy Protocol, a
protocol sometimes used for mail delivery on systems where permanent
IP connectivity to the internet is not available.

II.  Problem Description

The UUCP suite of utilities allow a user-specified configuration file
to be given on the command-line.  This configuration file is
incorrectly processed by the setuid uucp and/or setgid dialer UUCP
utilities while running as the uucp user and/or dialer group, and
allows unprivileged local users to execute arbitrary commands as the
uucp user and/or dialer group.

Since the uucp user owns most of the UUCP binaries (this is required
for UUCP to be able to write to its spool directory during normal
operation, by virtue of being setuid) the attacker can replace these
binaries with trojaned versions which execute arbitrary commands as
the user which runs them.  The uustat binary is run as root by default
during the daily maintenance scripts.

All versions of FreeBSD 4.x prior to the correction date including
4.3-RELEASE are vulnerable to this problem, but it was corrected prior
to the release of FreeBSD 4.4-RELEASE.

III. Impact

Unprivileged local users can overwrite the uustat binary, which is
executed as root by the daily system maintenance scripts.  This allows
them to execute arbitrary commands as root the next time the daily
maintenance scripts are run.

IV.  Workaround

One or more of the following:

1) Set the noschg flag on all binaries owned by the uucp user:

# chflags schg /usr/bin/cu /usr/bin/uucp /usr/bin/uuname \
/usr/bin/uustat /usr/bin/uux /usr/bin/tip /usr/libexec/uucp/uucico \
/usr/libexec/uucp/uuxqt

2) Remove the above binaries from the system, if UUCP is not in use.

3) Disable the daily UUCP maintenance tasks by adding the following
lines to /etc/periodic.conf:

# 340.uucp
daily_uuclean_enable="NO"                              # Run uuclean.daily

# 410.status-uucp
daily_status_uucp_enable="NO"                          # Check uucp status

# 300.uucp
weekly_uucp_enable="NO"                                # Clean uucp weekly

V.   Solution

We recommend that UUCP be removed entirely from systems containing
untrusted users: to remove UUCP, refer to the directions in section IV
above.  Compiling the UUCP binaries when rebuilding the FreeBSD system
can be prevented by adding the following line to /etc/make.conf:

NOUUCP=true

1) Upgrade your vulnerable FreeBSD system to 4.4-RELEASE, 4.4-STABLE
or the RELENG_4_3 security branch dated after the respective
correction dates.

2) To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

[FreeBSD 4.3]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:62/uucp.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:62/uucp.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src
# patch -p < /path/to/patch
# make depend && make all install

3) FreeBSD 4.3-RELEASE systems:

An experimental upgrade package is available for users who wish to
provide testing and feedback on the binary upgrade process.  This
package may be installed on FreeBSD 4.3-RELEASE systems only, and is
intended for use on systems for which source patching is not practical
or convenient.

If you use the upgrade package, feedback (positive or negative) to
security-officer@FreeBSD.org is requested so we can improve the
process for future advisories.

During the installation procedure, backup copies are made of the files
which are replaced by the package.  These backup copies will be
reinstalled if the package is removed, reverting the system to a
pre-patched state.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:62/security-patch-uucp-01.62.tgz
# fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:62/security-patch-uucp-01.62.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-uucp-01.62.tgz

VI.   Correction details

The following is the $FreeBSD$ revision number of the file that was
corrected for the supported branches of FreeBSD.  The $FreeBSD$
revision number of the installed source can be examined using the
ident(1) command.  The patch provided above does not cause these
revision numbers to be updated.

[FreeBSD 4.3-STABLE]
    Revision       Path

[RELENG_4_3]
    Revision     Path
    1.8.4.1      src/gnu/libexec/uucp/cu/Makefile
    1.6.4.1      src/gnu/libexec/uucp/uucp/Makefile
    1.5.4.1      src/gnu/libexec/uucp/uuname/Makefile
    1.5.4.1      src/gnu/libexec/uucp/uustat/Makefile
    1.6.4.1      src/gnu/libexec/uucp/uux/Makefile
    1.10.8.1     src/usr.bin/tip/tip/Makefile
    1.3.2.2.2.1  src/etc/periodic/daily/410.status-uucp

VII.  References

<URL: http://www.securityfocus.com/bid/3312>;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBO8IU0FUuHi5z0oilAQFE4gP/dqLwzjAk3M5fhtfsENFy0OAlzQA70SG3
IJibpH19KdjcQX53CrLI/wI34JXqCVfiGpw2kLSysL6yfbBI+3Z2YUxPRaxrtoGF
9R4ZcCuuLuE14pCmAtWnLEdXFHVRThJzsLzk2xEZkhYU5hufW3+IqfIMcMNayQbf
BSI5/zAjPG4=
=TBLy
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3BC36A90.6030801>