
List:       bugtraq
Subject:    Redhat 7.0 local root (via uucp) (attempt 2)
From:       zen-parse <zen-parse () gmx ! net>
Date:       2001-11-30 12:56:52


Affects:  RedHat 7.0 (possibly others)

28 Aug 2001 01:27:24 +1200 uucp vulnerability exposed to vendor
 9 Nov 2001 07:14:15 +1300 this makewhatis vulnerability exposed to vendor

/usr/sbin/makewhatis 

An earlier version (1) of makewhatis had a fault in the handling of 
compressed files that allowed execution of arbitrary commands as root.
 
A patch for this problem was developed that seemed to be effective.  
However, the patch was not restrictive enough in the metacharacters it
filtered out.

It is still possible to perform file creation or overwriting with
arbitrary contents, as root.


Taylor UUCP package and uucp exploit.

The uucp utilities fail to filter out long options, which lets users 
specify alternate configurations and as a result, execute commands with 
uid and gid uucp. (2)

Attached is an exploit for uucp (developed for RedHat 7.0, but other 
vulnerable distributions should be similar).


The root exploit.

drwxrwxr-x    4 root     uucp         4096 Nov 30 19:48 /var/lock/

On RH7.0 the uucp user (and therefore anyone who gains uid/gid uucp via the
uucp exploit) can create a file with an arbitrary name as root, through the
lockfile creation performed by /etc/cron.{daily,weekly}/makewhatis.cron,
because /var/lock is group-writable by uucp.

--- Start /etc/cron.daily/makewhatis.cron ---
#!/bin/bash

LOCKFILE=/var/lock/makewhatis.lock

# the lockfile is not meant to be perfect, it's just in case the
# two makewhatis cron scripts get run close to each other to keep
# them from stepping on each other's toes.  The worst that will
# happen is that they will temporarily corrupt the database...
[ -f $LOCKFILE ] && exit 0
trap "rm -f $LOCKFILE" EXIT
touch $LOCKFILE
makewhatis -u -w
exit 0
--- End /etc/cron.daily/makewhatis.cron ---

Simply symlinking /var/lock/makewhatis.lock to the filename you want to 
create will cause it to be created (as root) the next time the cron job runs.

This root exploit is only for RedHat 7.0, but a similar method may work on 
other distributions.
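For comparison, here is a lock routine that is not redirectable by a pre-placed symlink. This is an added example, not RedHat's cron script: it assumes a POSIX shell and GNU stat, and the directory names are hypothetical.

```sh
# Added example (not the RedHat makewhatis.cron script): a lock routine for
# a root cron job that cannot be redirected by a pre-placed symlink.
# Assumes a POSIX shell and GNU stat for the permission check.

# acquire_lock DIR NAME -> 0 acquired, 1 already locked, 2 unsafe directory
acquire_lock() {
    dir=$1
    lock="$1/$2.lock"
    # A lock directory writable by group or others (like the page's
    # /var/lock, mode 775 root:uucp) lets any member plant a symlink
    # there, so refuse to take a lock in such a directory at all.
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || return 2
    case "$mode" in
        *[2367]?|*[2367]) return 2 ;;   # group or other write bit set
    esac
    # mkdir(2) is atomic and fails with EEXIST if anything, including a
    # dangling symlink, already sits at the path.  `touch` would instead
    # follow the symlink and create whatever file it points to.
    mkdir "$lock" 2>/dev/null || return 1
    return 0
}

# release_lock DIR NAME
release_lock() {
    rmdir "$1/$2.lock" 2>/dev/null
}

# Usage inside the cron script (hypothetical root-only lock directory):
#   acquire_lock /var/lock/makewhatis makewhatis || exit 0
#   trap 'release_lock /var/lock/makewhatis makewhatis' EXIT
#   makewhatis -u -w
```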


-- zen-parse
(1) http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=42450
Previous makewhatis problem.

(2) http://www.securityfocus.com/bid/3312
Taylor UUCP vulnerability.

(3) http://mp3.com/cosv
Some starving musicians.

This is my 2nd attempt to post this: if it was rejected for any reason
last time, it would be nice to know why. If the previous one had just
disappeared, that would be strange.

-- 
-------------------------------------------------------------------------
The preceding information is confidential and may not be redistributed
without explicit permission. Legal action may be taken to enforce this.  
If this message was posted by zen-parse@gmx.net to a public forum it may
be redistributed as long as these conditions remain attached. If you are
mum or dad, this probably doesn't apply to you.

["redhat7.0-uucp-to-root.tar.gz" (APPLICATION/X-GZIP)]
