From owner-freebsd-bugs Tue Jan 20 00:46:03 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA16497 for freebsd-bugs-outgoing; Tue, 20 Jan 1998 00:46:03 -0800 (PST) (envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA16487 for ; Tue, 20 Jan 1998 00:46:00 -0800 (PST) (envelope-from cy@cschuber.net.gov.bc.ca)
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.8.8/8.6.10) id AAA31613 for ; Tue, 20 Jan 1998 00:21:56 -0800 (PST)
Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by passer.osg.gov.bc.ca, id smtpdaaFhia; Tue Jan 20 00:21:45 1998
Received: (from uucp@localhost) by cwsys.cwsent.com (8.8.8/8.6.10) id AAA02000 for ; Tue, 20 Jan 1998 00:21:38 -0800 (PST)
Message-Id: <199801200821.AAA02000@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpda01983; Tue Jan 20 08:20:45 1998
Date: Tue, 20 Jan 1998 00:20:44 -0800
From: Cy Schubert - ITSD Open Systems Group
Subject: Re: Security Problem in MH 6.8.4
To: undisclosed-recipients:;
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

------- Blind-Carbon-Copy

X-Mailer: exmh version 2.0zeta 7/24/97
Reply-to: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: cy
To: Cesar Tascon Alvarez
cc: BUGTRAQ@netspace.org, cschuber@uumail.gov.bc.ca
Subject: Re: Security Problem in MH 6.8.4
In-reply-to: Your message of "Mon, 19 Jan 1998 16:50:49 +0100."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 20 Jan 1998 00:20:44 -0800
Sender: cy@cwsys

> Description:
> Due to lack of security checks there is a standard stack smashing problem.
> Local user can execute code as root.
>
> Let's see.
>
> [tascon@archivald]$ id
> uid=500(tascon) gid=500(tascon) groups=500(tascon),100(users)
> [tascon@archivald]$ cat /etc/redhat-release
> release 5.0 (Hurricane)
> [tascon@archivald]$ ls -l /usr/bin/mh/inc
> -rwsr-sr-x   1 root     mail        82972 Oct 15 18:06 /usr/bin/mh/inc
> [tascon@archivald]$ /usr/bin/mh/inc
> inc: no mail to incorporate
> [tascon@archivald]$ /usr/bin/mh/inc -host XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX[...]XXXXX   <---- (2000 X's here)
> Segmentation fault
>
> ^^^^^^^^^^^^^^^^^^ Dangerous isn't it?

Under FreeBSD (while using NIS), specifying an argument greater than 1024 bytes causes an infinite loop with the following message being printed:

yp_match: clnt_call: RPC: Can't encode arguments

Under FreeBSD (while not using NIS) and DEC UNIX (using MH 6.8.4 instead of the MH 6.7 that is supplied with DUNIX), specifying an argument greater than 4600 bytes, the error is handled properly and the following message is produced:

inc: no servers available

Without having a chance to recompile MH with -g and testing it under gdb, I suspect that the Linux segmentation violation and the FreeBSD NIS loop are occurring within the gethostbyname() call or some libc call made by gethostbyname().

One may argue that the FreeBSD NIS loop may constitute a DoS attack as it chews up a fair amount of CPU time, however there are probably better ways to bring a system to its knees. I'd characterize the FreeBSD NIS bug as more of an annoyance.

The Linux bug is definitely a security issue. I suspect it to be in RedHat's implementation of libc.

> Local exploit exists for that option. Note that MH isn't even configured.
> It's as the installation of RedHat 5.0 left it. Note also that MH is installed
> by default with RedHat 5.0.
>
> Solution: Uninstall this package or remove the suid-bit until patch becomes
> available.

Another solution might be to recompile MH without POP support, however that is just a band-aid solution and doesn't really fix the problem with RedHat's libc.

> MH also installs another suid-program: msgchk. It's also possible to get a
> Segmentation fault with the same option, but I haven't been able to exploit
> it. I have worked on it quite a bit. Could someone probe it a little deeper??
>
> Greetings
>
> ----o-------------------------------o-------------------------------------o----
>  Space reserved to describe         /  Cesar Tascon Alvarez
>  my job when I got one.             /  University of Valladolid (SPAIN)
>  Yes, I'm just a student ;)         /  tascon@gui.uva.es
> ----o-----------------------o---------------------------------------------o----

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                          BITNET:  CSCHUBER@BCSC02.BITNET
Government of BC            Internet:  cschuber@uumail.gov.bc.ca
                                       Cy.Schubert@gems8.gov.bc.ca

"Quit spooling around, JES do it."

------- End of Blind-Carbon-Copy
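The thread above describes the symptom (a 2000-byte -host argument crashing a setuid-root inc) but does not show the code path, and the reply only suspects gethostbyname() or something under it. The block below is an added example, not MH source and not RedHat's libc: the 256-byte buffer and strcpy() in pop_host_unsafe() are an assumed stand-in for an unchecked copy of the kind that turns an oversized argument into a stack smash, and pop_host_safe() is the check a setuid program should apply to a hostname argument before any resolver call, whichever layer the real fault lived in. The DNS length limit (255 octets, RFC 1035) and the restricted character set are the only external facts it relies on.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not MH code. The MH post does not show the "-host"
 * handling; the 256-byte buffer and strcpy() below are an ASSUMED
 * illustration of an unchecked copy. Never call this with untrusted
 * input: a 2000-byte argument overwrites the stack frame. It is kept
 * here, uncalled, only to make the unsafe pattern concrete. */
void pop_host_unsafe(const char *arg)
{
    char host[256];
    strcpy(host, arg);            /* no bound: caller controls the length */
    printf("connecting to %s\n", host);
}

/* RFC 1035 limits a hostname to 255 octets; anything longer cannot be a
 * valid host, so reject it before copying it anywhere or handing it to
 * gethostbyname(). The character set is restricted as well so a setuid
 * program never passes arbitrary bytes on to the resolver, syslog, or a
 * later printf-style call.
 * Returns 0 on success (dst holds a NUL-terminated copy), -1 on rejection. */
#define HOST_MAX 255

int pop_host_safe(const char *arg, char *dst, size_t dstlen)
{
    size_t len = 0;
    size_t i;

    if (arg == NULL || dst == NULL || dstlen == 0)
        return -1;

    /* Scan at most HOST_MAX+1 bytes so an unterminated or huge argument
     * is rejected without walking the whole thing. */
    while (len <= HOST_MAX && arg[len] != '\0')
        len++;
    if (len == 0 || len > HOST_MAX || len >= dstlen)
        return -1;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!(isalnum(c) || c == '-' || c == '.'))
            return -1;
    }

    memcpy(dst, arg, len);
    dst[len] = '\0';
    return 0;
}

/* Build the tester's "n X's" argument (constructed input) and run it
 * through the checked path instead of the unsafe one. */
int reject_long_host(size_t n)
{
    char arg[4096];
    char dst[256];

    if (n >= sizeof arg)
        n = sizeof arg - 1;
    memset(arg, 'X', n);
    arg[n] = '\0';
    return pop_host_safe(arg, dst, sizeof dst);   /* -1 once n > 255 */
}

int main(void)
{
    char dst[256];

    printf("pop.example.com -> %d\n",
           pop_host_safe("pop.example.com", dst, sizeof dst));
    printf("2000 X's        -> %d\n", reject_long_host(2000));
    printf("255 X's         -> %d\n", reject_long_host(255));
    printf("bad host;id     -> %d\n",
           pop_host_safe("bad host;id", dst, sizeof dst));
    return 0;
}
```

The length check is deliberately done before the copy and independently of the destination size: even if the destination were large enough, a 2000-byte name is not a hostname and should never reach gethostbyname(), which is exactly where the reply above suspects the FreeBSD NIS loop and the Linux crash originate. Dropping the setuid bit, as the original post recommends, remains the right interim fix regardless of what the program itself checks.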