Date: Sat, 08 Sep 2001 15:34:48 -0400
To: security@freebsd.org
From: Mike Tancsa
Subject: Fwd: Multiple vendor 'Taylor UUCP' problems.

I imagine FreeBSD is vulnerable to this as well :-(

        ---Mike

>Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
>Date: Sat, 8 Sep 2001 22:58:39 +1200 (NZST)
>From: zen-parse
>Subject: Multiple vendor 'Taylor UUCP' problems.
>
>******************* Brief description *************
>
> Due to incorrect argument handling in a component of the
> Taylor UUCP package, it is possible for local users to
> gain uid/gid uucp.
>
> This may allow further elevation, depending on the system,
> up to and including root access.
>
> On OpenBSD 2.8 (and probably others) it allows root compromise.
> By overwriting the uucp owned program /usr/bin/uustat, arbitrary
> commands may be executed as part of the /etc/daily crontab script.
>
> On Redhat 7.0 (and probably others) it allows creation of empty
> files as root, and the ability to execute commands as if logged
> in at the console (as checked via /lib/security/pam_console.so).
> This may also allow further elevation of privileges, or denial of
> service. (Tested against uucp-1.06.1-25)
>
> Other systems running this package are also affected to
> a greater or lesser degree.
>
>*********************** Solution ******************
>
>Patches should be available very soon, if not already, for most
>affected systems.
>
>If you do not require uucp functionality, you should remove the
>uucp packages from your system.
>
>********************** The Programs ***************
>
>uux (1) - Remote command execution over UUCP
> If you specify an alternative configuration, it will run as the user
> that called it, and pass the same configuration to uuxqt.
>
>uuxqt (1) - UUCP execution daemon
> Defaults to allowing rmail and uucp to be run, and nothing else,
> unless the configuration it is invoked with allows it to run other
> commands.
>
>uucp (1) - Unix to Unix copy
> If you specify an alternate configuration, it will also run as the user
> that called it.
>
> uuxqt checks the arguments for the programs it is asked to execute
> and gets rid of what it thinks are the potentially dangerous ones.
> However, it does not remove long arguments.
>
>******************** The Exploit ******************
>
>uux 'uucp -I/tmp/vv.v /tmp/somefile /tmp/someotherfile'
>
>will execute uucp, but will not use the /tmp/vv.v configuration file.
>
>However,
>
>uux 'uucp --config=/tmp/vv.v /tmp/somefile /tmp/someotherfile'
>
>will use the supplied configuration, without dropping privileges.
>
>1) Make a configuration file that allows any command to be executed, and
>   allows files from anywhere to be copied to anywhere that is writable
>   by uid/gid uucp. ( /tmp/config.uucp )
>2) Make a command file with the command you want to be executed.
>   ( /tmp/commands.uucp )
>3) Do something like the following:
>
>$ THISHOST=`uuname -l`
>$ WHEREYOUWANTIT=/var/spool/uucp/${THISHOST}/X./X.${THISHOST}X1337
>$ uux 'uucp --config=/tmp/config.uucp /tmp/commands.uucp '${WHEREYOUWANTIT}
>
>The commands in /tmp/commands.uucp file will be executed by uuxqt, with
>the uid/gid of uucp.
>
>If you want to perform an exploit, and don't know what to put in the
>files, you should read the documentation for uucp.
>
>(Proof of concept root exploit for OpenBSD was performed on the wargame
>running OpenBSD 2.8 at damageinc.tv [ http://damageinc.tv ] )
>
>-- zen-parse
>
>===========================================================================
> http://mp3.com/cosv = Because %49%74%27%73%20%67%6f%6f%64%2e
> 'gone platinum' = Buy the CD that %74%6f%6f%6b%20%61%67%65%73
> = and %73%6f%75%6e%64%73%20%6f%6b
>===========================================================================
>
>-------------------------------------------------------------------------
>The preceding information is confidential and may not be redistributed
>without explicit permission. Legal action may be taken to enforce this.
>If this message was posted by zen-parse@gmx.net to a public forum it may
>be redistributed as long as these conditions remain attached. If you are
>mum or dad, this probably doesn't apply to you.

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
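The root cause zen-parse describes above, a filter that strips the short '-I' spelling of the configuration-file option but lets the long '--config=' spelling through, is a denylist problem: the filter only knows the spellings its author thought of. What follows is an added example, not code from the advisory, from Taylor UUCP or from FreeBSD, that models such a denylist filter next to the allowlist gate an execution daemon should use instead (only known-safe commands and exactly-matching options survive; anything else is rejected rather than guessed at). The per-command option table, the command names and the sample requests are assumptions for the illustration; the page only states that uuxqt permits rmail and uucp by default and that the '-I'/'--config' spellings differ.

```python
import shlex

# Constructed model of the bug class in the advisory; not Taylor UUCP's own
# argument filter. The option sets below are assumed for the example.


def denylist_filter(args):
    """Denylist approach: drop the configuration-file option in the two
    short spellings it knows ('-I file' and '-Ifile') and pass everything
    else through. This is the flawed shape: the long spelling
    '--config=file' is not on the list, so it survives untouched."""
    kept = []
    skip_value = False
    for arg in args:
        if skip_value:            # the value that belonged to a preceding '-I'
            skip_value = False
            continue
        if arg == "-I":
            skip_value = True     # '-I file' form
            continue
        if arg.startswith("-I"):
            continue              # '-Ifile' form
        kept.append(arg)
    return kept


# Assumed allowlist for the example: which commands a remote request may name
# and which option spellings each of them may carry (not uucp's real table).
ALLOWED_COMMANDS = {
    "rmail": set(),
    "uucp": {"-c", "-C", "-d", "-f", "-m", "-r"},
}


def allowlist_check(args, allowed_options):
    """Allowlist approach: every word that looks like an option must appear in
    allowed_options exactly. Long forms, abbreviations, and values glued on
    with '=' or attached to the flag are unknown spellings and are rejected.
    A bare '--' is honoured as the getopt end-of-options marker, which assumes
    the invoked program honours it too. Returns (ok, reason)."""
    positional_only = False
    for arg in args:
        if positional_only or arg == "-" or not arg.startswith("-"):
            continue                      # plain operand
        if arg == "--":
            positional_only = True
            continue
        if arg not in allowed_options:
            return False, "option not permitted: " + arg
    return True, None


def vet_request(request):
    """Gate one remote execution request: the command must be on the allowlist
    and its options must pass allowlist_check. Returns (ok, reason)."""
    words = shlex.split(request)
    if not words:
        return False, "empty request"
    command, args = words[0], words[1:]
    if command not in ALLOWED_COMMANDS:
        return False, "command not permitted: " + command
    return allowlist_check(args, ALLOWED_COMMANDS[command])


if __name__ == "__main__":
    # Constructed requests shaped like the two command lines in the advisory.
    for req in ("uucp -I/tmp/vv.v /tmp/somefile /tmp/someotherfile",
                "uucp --config=/tmp/vv.v /tmp/somefile /tmp/someotherfile"):
        print(req)
        print("  denylist keeps :", denylist_filter(shlex.split(req)[1:]))
        print("  allowlist says :", vet_request(req))
```

Run stand-alone, the second request shows the gap: the denylist hands '--config=/tmp/vv.v' through to the command unchanged, while the allowlist gate refuses it with a reason that can be logged. The same gate also refuses the option under any spelling the filter author never anticipated, which is the property that makes it a fix rather than a longer denylist.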