Bugtraq mailing list archives

Another autoreply security hole


From: geiri () stud cs uit no (Geir Inge Jensen)
Date: Sat, 12 Mar 1994 11:04:12 +0100 (MET)


With all this talk about elm's autoreply bug, I thought that I should take a
look at the source. Wow, what am I seeing - yet another security hole.
Simpler and less powerful than the other, but still - it's there. It will
take you a while to become root, but it is not impossible.

Since most sysadmins have already removed autoreply, I can't see any harm in
posting it here. You can exploit the hole to read any file on the system!
(Including /.secure/etc/passwd, /dev/kmem, etc.)

Autoreply takes a filename as an argument. Then it checks that the real uid
has permission to read the specified file. Fine, a suid program should do
just that. But then it does the fatal thing: it checks whether the filename
has a / in front of it - and if it doesn't, autoreply does things the easy way.
The program just reads the environment variable $HOME to find the full path
of the file...! Had this been done before the test of readability, things
would have been fine, but after....

Well, autoreply doesn't complain about the file, and since arepdaemon has
to run as root, it can read any specified file. Hence, you can do the
following:

# cd $HOME
# echo x > passwd
# export HOME=/.secure/etc
# autoreply passwd
# mail geiri < /dev/null

And the file pops up in your inbox....


Bye,
--
   Greetings from the Northernmost University in the World  ! To err is human,
       Geir Inge Jensen, University of Tromsoe, Norway      ! to really foul up
  --------------------------------------------------------- ! requires the
   Internet: geiri () staff cs uit no     Fidonet: 2:212/8.17  ! root password...
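The ordering bug the post describes, as an added example in C. This is
illustration code written for this page, not elm's autoreply or arepdaemon
source: the function names, the decoy file and the scratch directories it
creates under $TMPDIR (or /tmp) are assumptions for the demonstration, and
the mail step that actually delivers the file is not modelled. It puts the
check-then-resolve ordering from the post beside the resolve-then-check
ordering that would have closed the hole, and replays the "echo x > passwd;
export HOME=..." scenario against both.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Build "<home>/<name>", or a copy of <name> if it is already absolute.
 * Caller frees the result. */
char *build_path(const char *name, const char *home)
{
    if (name[0] == '/')
        return strdup(name);
    size_t len = strlen(home) + 1 + strlen(name) + 1;
    char *full = malloc(len);
    if (full == NULL)
        return NULL;
    snprintf(full, len, "%s/%s", home, name);
    return full;
}

/* The ordering the post describes: access() runs on the name as typed, which
 * the kernel resolves against the current directory, and only afterwards is
 * the real target built from the caller-controlled $HOME. access() checks the
 * real uid, which is right for a setuid program, but it is asked about the
 * wrong file. */
char *resolve_vulnerable(const char *name, const char *home)
{
    if (access(name, R_OK) != 0)      /* checked: ./name */
        return NULL;
    return build_path(name, home);    /* used later: $HOME/name */
}

/* Fixed ordering: build the path that will actually be opened, then check
 * exactly that path. */
char *resolve_fixed(const char *name, const char *home)
{
    char *full = build_path(name, home);
    if (full == NULL)
        return NULL;
    if (access(full, R_OK) != 0) {
        free(full);
        return NULL;
    }
    return full;
}

/* Constructed fixture: a scratch working directory holding a readable decoy
 * file, and an empty scratch directory playing the attacker-chosen $HOME. */
static int make_fixture(char *cwd_dir, char *home_dir, size_t n, const char *decoy)
{
    const char *tmp = getenv("TMPDIR");
    if (tmp == NULL) tmp = "/tmp";
    snprintf(cwd_dir, n, "%s/arep-cwd-XXXXXX", tmp);
    snprintf(home_dir, n, "%s/arep-home-XXXXXX", tmp);
    if (mkdtemp(cwd_dir) == NULL || mkdtemp(home_dir) == NULL)
        return -1;
    char path[512];
    snprintf(path, sizeof path, "%s/%s", cwd_dir, decoy);
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs("x\n", f);                  /* the "echo x > passwd" from the post */
    fclose(f);
    return 0;
}

static void remove_fixture(const char *cwd_dir, const char *home_dir, const char *decoy)
{
    char path[512];
    snprintf(path, sizeof path, "%s/%s", cwd_dir, decoy);
    unlink(path);
    rmdir(cwd_dir);
    rmdir(home_dir);
}

/* Replay the post's scenario: decoy "passwd" in the working directory, $HOME
 * pointed at a directory with no such file. Returns 1 when the vulnerable
 * ordering accepts the name (handing back a $HOME path it never checked)
 * while the fixed ordering refuses it, 0 if both agree, -1 on fixture error. */
int demonstrate(void)
{
    char cwd_dir[256], home_dir[256], saved[4096];
    const char *decoy = "passwd";
    int result = -1;
    if (getcwd(saved, sizeof saved) == NULL)
        return -1;
    if (make_fixture(cwd_dir, home_dir, sizeof cwd_dir, decoy) != 0)
        return -1;
    if (chdir(cwd_dir) == 0) {
        char *v = resolve_vulnerable(decoy, home_dir);
        char *f = resolve_fixed(decoy, home_dir);
        result = (v != NULL && access(v, R_OK) != 0 && f == NULL) ? 1 : 0;
        free(v);
        free(f);
        if (chdir(saved) != 0)
            result = -1;
    }
    remove_fixture(cwd_dir, home_dir, decoy);
    return result;
}

int main(void)
{
    int r = demonstrate();
    if (r < 0) { perror("fixture"); return 1; }
    printf("vulnerable ordering accepted an unchecked $HOME path: %s\n", r ? "yes" : "no");
    return 0;
}
```

The fixed variant is the minimal reordering the post itself points at; a
setuid program that goes on to open the file should still prefer dropping to
the real uid around the open rather than relying on access() alone, since the
file can change between the check and the open.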


