Date: Thu, 11 Apr 2002 14:12:01 -0600 From: Brett Glass <brett@lariat.org> To: security@FreeBSD.ORG Subject: [Corrected message] This OpenBSD local root hole may affect some FreeBSD systems Message-ID: <4.3.2.7.2.20020411141011.030a0b80@nospam.lariat.org>
next in thread | raw e-mail | index | archive | help
[This is a corrected version of the previous message, which omitted the word "isn't" near the beginning of the second paragraph.] The vulnerability described in the message below is a classic "in-band signalling" problem that may give an unauthorized user the ability to run an arbitrary command as root. Fortunately, the vulnerability isn't present in FreeBSD's daily, weekly, and monthly maintenance scripts, because they use sendmail rather than /bin/mail. Nonetheless, the same patch should be applied to FreeBSD's /bin/mail due to the possibility that other privileged utilities (or user-written scripts) might use /bin/mail instead of sendmail to create e-mail messages. --Brett Glass >Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm >Precedence: bulk >List-Id: <bugtraq.list-id.securityfocus.com> >List-Post: <mailto:bugtraq@securityfocus.com> >List-Help: <mailto:bugtraq-help@securityfocus.com> >List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com> >List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com> >Delivered-To: mailing list bugtraq@securityfocus.com >Delivered-To: moderator for bugtraq@securityfocus.com >Received: (qmail 32477 invoked from network); 11 Apr 2002 16:58:57 -0000 >Date: Thu, 11 Apr 2002 19:01:17 +0200 >From: Milos Urbanek <urbanek@zoom-int.cz> >To: bugtraq@securityfocus.com >Subject: OpenBSD Local Root Compromise >Message-ID: <20020411170117.GB26359@zoli.zoom-int.cz> >Mime-Version: 1.0 >Content-Type: text/plain; charset=us-ascii >Content-Disposition: inline >User-Agent: Mutt/1.3.27i >X-UIDL: 480c7f8899114108be23f7bf813d28fd > > > ZOOM International Security Advisory > > OpenBSD local root compromise > > Systems affected: > OpenBSD all version, OpenBSD Current prior April 8, 2002 > > Risk: High > Date: April 11, 2002 > > Legal Notice: > This advisory is copyright (c) ZOOM International. > > Disclaimer: > Information contained in this advisory are provided only ``AS IS''. > ZOOM International is not liable for any damages whatsoever > arising out of or in connection with the use or spread of this information. > Any use of this information is at our own risk. > > Background: > Program /usr/bin/mail is a simple mail user agent which can be used also in the batch mode, for example to send mail to the administrator when > running cron tasks. > > Problem description: > There is a local root compromise in all versions of OpenBSD including > OpenBSD Current prior to April 9, 2002 due to a bug in program > /usr/bin/mail. > > Details: > Program /usr/bin/mail accepts escape sequences while running in > the non-interactive mode. When the attacker inserts the escape sequence > into the stream which is used as an input to the mail command this escape > sequence is interpreted by the mail command and it is possible for example > execute arbitrary commands or read/write any file in the system with the > privileges of the user running /usr/bin/mail. > > Impact: > Users can gain superuser privileges because the output of > the /etc/daily script is piped to the /usr/bin/mail command while > running regular cron tasks. > There exists a method developed by Przemyslav Frasunek which allows > to perform a local attack by creating a file with a specialy designed > filename and permissions. Method of performing remote exploitation of this > bug is currently unknown. > > Exploit: > An exploit for this bug exists and is publicly available. > > Workaround: > Remove /usr/bin/mail binary until a patch for your release is available. > > Contact Status: > Vendor was contacted on 2002-04-08. Problem report related to the > security advisory was sent on 2002-04-10. > > Available Fixes: > This bug was patched in OpenBSD Current on April 8, 2002. > Official patch for other OpenBSD releases is not available at the moment > but the bug can be solved by applying the attached source code patch > to the 1.23 revision of the appropriate file and installing new mail > binary. > > Credits: > The bug was found by Milos Urbanek, Security Conslutant at ZOOM > International. Exploit was written by Przemyslav Frasunek. > > > About ZOOM International: > ZOOM International is a Czech company providing services and > solutions in the area of IT security. For more information visit > our website at http://www.zoom-int.cz/. > > >Mail Patch > >Index: collect.c >=================================================================== >RCS file: /cvs/src/usr.bin/mail/collect.c,v >retrieving revision 1.23 >retrieving revision 1.24 >diff -u -r1.23 -r1.24 >--- collect.c 2001/11/21 15:26:39 1.23 >+++ collect.c 2002/04/08 20:27:17 1.24 >@@ -1,4 +1,4 @@ >-/* $OpenBSD: collect.c,v 1.23 2001/11/21 15:26:39 millert Exp $ */ >+/* $OpenBSD: collect.c,v 1.24 2002/04/08 20:27:17 millert Exp $ */ > /* $NetBSD: collect.c,v 1.9 1997/07/09 05:25:45 mikel Exp $ */ > > /* >@@ -38,7 +38,7 @@ > #if 0 > static const char sccsid[] = "@(#)collect.c 8.2 (Berkeley) 4/19/94"; > #else >-static const char rcsid[] = "$OpenBSD: collect.c,v 1.23 2001/11/21 15:26:39 millert Exp $"; >+static const char rcsid[] = "$OpenBSD: collect.c,v 1.24 2002/04/08 20:27:17 millert Exp $"; > #endif > #endif /* not lint */ > >@@ -161,7 +161,8 @@ > value("interactive") != NULL && !lastlong && > (value("dot") != NULL || value("ignoreeof") != NULL)) > break; >- if (linebuf[0] != escape || lastlong) { >+ if (linebuf[0] != escape || value("interactive") == NULL || >+ lastlong) { > if (putline(collf, linebuf, !longline) < 0) > goto err; > continue; To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.3.2.7.2.20020411141011.030a0b80>