Attached documents explain all. -- kokanin at dtors.net
Attachment:
DSR-youbin.pl
Description: Binary data
I. BACKGROUND $ more /usr/ports/mail/youbin/pkg-descr ---- From README (slightly modified) --- youbin is a kind of biff in the network age. When youbin is used, the mail spool of a certain, specific machine (mail server) is observed to inform the arrival of mail to a user at an arbitrary machine through the network. On the other hands, the conventional "biff" informs only the user who logs in at the machine on which the mail spool resides. Combining with POP, youbin eliminates a lot of NFS mount of mail spool directory caused by checking mail arrival. More information is available at: http://www.agusa.nuie.nagoya-u.ac.jp/software/agusalab/youbin/youbin-e.html II. DESCRIPTION Insufficient bounds checking leads to execution of arbitrary code. perl exploit follows this document. III. ANALYSIS Upon setting a large value for the HOME environment variable a buffer can be overflowed. Since youbin is setuid root this effectively allows for a full system compromise. Example run: $ id uid=1000(kokanin) gid=1000(kokanin) groups=1000(kokanin), 0(wheel) $ perl DSR-youbin.pl # id uid=0(root) gid=1000(kokanin) groups=1000(kokanin), 0(wheel) IV. DETECTION youbin-3.4 shipping with freebsd ports per 02/03/03, the latest available at the time of writing, is known to be vulnerable. V. WORKAROUND # chmod -s `which youbin` VI. VENDOR FIX unknown VII. CVE INFORMATION unknown VIII. DISCLOSURE TIMELINE 5/5/03 - FreeBSD port maintainer notified 5/5/03 - FreeBSD port maintainer replies, bug is known, apparently no fix is planned at the moment 6/5/03 - public disclosure IX. CREDIT Knud Erik Højgaard/kokanin, dtors security research
