ZOOM International Security Advisory
OpenBSD local root compromise
Systems affected:
OpenBSD all version, OpenBSD Current prior April 8, 2002
Risk: High
Date: April 11, 2002
Legal Notice:
This advisory is copyright (c) ZOOM International.
Disclaimer:
Information contained in this advisory are provided only ``AS IS''.
ZOOM International is not liable for any damages whatsoever
arising out of or in connection with the use or spread of this information.
Any use of this information is at our own risk.
Background:
Program /usr/bin/mail is a simple mail user agent which can be used also in the batch mode, for example to send mail to the administrator when
running cron tasks.
Problem description:
There is a local root compromise in all versions of OpenBSD including
OpenBSD Current prior to April 9, 2002 due to a bug in program
/usr/bin/mail.
Details:
Program /usr/bin/mail accepts escape sequences while running in
the non-interactive mode. When the attacker inserts the escape sequence
into the stream which is used as an input to the mail command this escape
sequence is interpreted by the mail command and it is possible for example
execute arbitrary commands or read/write any file in the system with the
privileges of the user running /usr/bin/mail.
Impact:
Users can gain superuser privileges because the output of
the /etc/daily script is piped to the /usr/bin/mail command while
running regular cron tasks.
There exists a method developed by Przemyslav Frasunek which allows
to perform a local attack by creating a file with a specialy designed
filename and permissions. Method of performing remote exploitation of this
bug is currently unknown.
Exploit:
An exploit for this bug exists and is publicly available.
Workaround:
Remove /usr/bin/mail binary until a patch for your release is available.
Contact Status:
Vendor was contacted on 2002-04-08. Problem report related to the
security advisory was sent on 2002-04-10.
Available Fixes:
This bug was patched in OpenBSD Current on April 8, 2002.
Official patch for other OpenBSD releases is not available at the moment
but the bug can be solved by applying the attached source code patch
to the 1.23 revision of the appropriate file and installing new mail
binary.
Credits:
The bug was found by Milos Urbanek, Security Conslutant at ZOOM
International. Exploit was written by Przemyslav Frasunek.
About ZOOM International:
ZOOM International is a Czech company providing services and
solutions in the area of IT security. For more information visit
our website at http://www.zoom-int.cz/.
Mail Patch
Index: collect.c
===================================================================
RCS file: /cvs/src/usr.bin/mail/collect.c,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- collect.c 2001/11/21 15:26:39 1.23
+++ collect.c 2002/04/08 20:27:17 1.24
@@ -1,4 +1,4 @@
-/* $OpenBSD: collect.c,v 1.23 2001/11/21 15:26:39 millert Exp $ */
+/* $OpenBSD: collect.c,v 1.24 2002/04/08 20:27:17 millert Exp $ */
/* $NetBSD: collect.c,v 1.9 1997/07/09 05:25:45 mikel Exp $ */
/*
@@ -38,7 +38,7 @@
#if 0
static const char sccsid[] = "@(#)collect.c 8.2 (Berkeley) 4/19/94";
#else
-static const char rcsid[] = "$OpenBSD: collect.c,v 1.23 2001/11/21 15:26:39 millert Exp $";
+static const char rcsid[] = "$OpenBSD: collect.c,v 1.24 2002/04/08 20:27:17 millert Exp $";
#endif
#endif /* not lint */
@@ -161,7 +161,8 @@
value("interactive") != NULL && !lastlong &&
(value("dot") != NULL || value("ignoreeof") != NULL))
break;
- if (linebuf[0] != escape || lastlong) {
+ if (linebuf[0] != escape || value("interactive") == NULL ||
+ lastlong) {
if (putline(collf, linebuf, !longline) < 0)
goto err;
continue;
