From: Seth Arnold (sarnoldwirex.com)
Date: Fri Jan 18 2002 - 13:25:30 CST

    zen-parse's note here about the uucp update probably holds true with
    ImmunixOS as well.

    The crux of his uucp to root privilege escalation is through a cronjob
    registered in /etc/cron.daily/makewhatis.cron and
    /etc/cron.weekly/makewhatis.cron.

    Both cron jobs check a lockfile in /var/lock/ before starting their
    task. It is in the process of starting the cron job that the uucp->root
    exploit happens (because the cron jobs are run as root).

    I have been running without the lockfile for weeks now, and have not
    noticed any problems using the whatis database; I've tried to corrupt it
    with several makewhatis updates running at once, and it always works
    well.

    I'd like to hear if doing this causes problems for anyone; if it works
    without trouble, I'll take out the lockfile mess from the cron jobs in
    a future update.

    Thanks.

    ----- Forwarded message from zen-parse <zen-parsegmx.net> -----

    Date: Sat, 19 Jan 2002 03:38:50 +1300 (NZDT)
    From: zen-parse <zen-parsegmx.net>
    To: bugtraqsecurityfocus.com
    Subject: uucp --config patch -- not sufficient

    Problem: uucp patch from RedHat (possibly others) prevents
                    original exploit, but not variations.

    Severity: Potential for local root on some distributions,
                    uucp.uucp on others.

          https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=54466

    I had seen this report some time ago, and thought: "Good. They've got a
    bug report. That'll get it fixed. They'll check that before they release a
    new version, at least."

    They didn't.

    The patch does prevent the original exploit from working.

    However, a trivial patch to the exploit I posted makes it work again.
    local user -> uucp (via this problem) -> root (on some distributions, via
    /usr/sbin/makewhatis: '${PATH:0:1} (or similar) + redirection characters'
    issue.)

    $ cd redhat7.0-uucp-to-root
    $ sed s/--config/--confi/ < exp-erm.sh >tmp-exp-erm.sh
    $ mv tmp-exp-erm.sh exp-erm.sh
    $ ./runme

    and wait for /tmp/rootshell to appear.

    (Does anyone at RedHat actually read their bugzilla posts? Might it not be
    an idea to make anything flagged as security actually get looked at by
    someone? 2001-10-09 seems a long time for that to go unnoticed.)

    -- zen-parse

    -- 
    -------------------------------------------------------------------------
    1) If this message was posted to a public forum by zen-parsegmx.net, it 
    may be redistributed without modification. 
    2) In any other case the contents of this message is confidential and not 
    to be distributed in any form without express permission from the author.
    This document may contain Unclassified Controlled Nuclear Information.
    

    ----- End forwarded message -----

    -- "I'm not sure which upsets me more: that people are so unwilling to accept responsibility for their own actions, or that they are so eager to regulate everyone else's." -- Kee Hinckley


    _______________________________________________ Immunix-users mailing list Immunix-usersmail.wirex.com http://mail.wirex.com/mailman/listinfo/immunix-users
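
An added defensive check, not part of the original messages: it lists cron scripts that reference a lock directory writable by accounts other than its owner, the pattern described above for the makewhatis cron jobs. That the lock directory is group- or world-writable is an assumption (the thread does not state its permissions), and the function names and fixture scripts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Function names are hypothetical.

# True when DIR is writable by its group or by others, i.e. some account
# besides the owner can create or replace lockfiles in it.
lockdir_is_shared() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# audit_lock_refs LOCK_DIR CRON_DIR...
# Prints every script under the cron directories that mentions a path inside
# LOCK_DIR, but only when LOCK_DIR is shared.
audit_lock_refs() {
    lock_dir=$1
    shift
    lockdir_is_shared "$lock_dir" || return 0
    for cron_dir in "$@"; do
        [ -d "$cron_dir" ] || continue
        grep -l -F -- "$lock_dir/" "$cron_dir"/* 2>/dev/null || :
    done
    return 0
}

# Constructed fixture: stand-in scripts in a temp tree, not the real cron jobs.
demo() {
    root=$(mktemp -d) || return 1
    mkdir "$root/cron.daily" "$root/lock"
    printf '#!/bin/sh\n[ -f %s ] && exit 0\ntouch %s\n' \
        "$root/lock/makewhatis.lock" "$root/lock/makewhatis.lock" \
        > "$root/cron.daily/makewhatis.cron"
    printf '#!/bin/sh\necho rotate\n' > "$root/cron.daily/logrotate"
    chmod 775 "$root/lock"   # group-writable: makewhatis.cron is reported
    audit_lock_refs "$root/lock" "$root/cron.daily"
    chmod 755 "$root/lock"   # owner-only: nothing is reported
    audit_lock_refs "$root/lock" "$root/cron.daily"
    rm -rf "$root"
}

demo
# On a real host: audit_lock_refs /var/lock /etc/cron.daily /etc/cron.weekly
```

Each reported script is a place where a job run as root acts on a file that a less privileged account may control, so it deserves the same review Seth gives the makewhatis lockfile handling.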