Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   Taylor UUCP Vendors:   Taylor, Ian Lance
(OpenBSD Issues Patches) Re: Taylor UUCP Input Validation Flaw Allows Local Users to Elevate Privileges
SecurityTracker Alert ID:  1002410
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 12 2001
Impact:   Execution of arbitrary code via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): uucp-1.06.1-25
Description:   A vulnerability was reported in Taylor UUCP. An argument handling flaw in a component of the Taylor UUCP package allows local users to obtain 'uucp' user and group privileges.

The uuxqt module (the UUCP execution daemon), which is designed to remove arguments that appear dangerous before execution, reportedly fails to remove long arguments. This allows a local user to cause cammands to be executed on the system with uucp privileges.

On OpenBSD 2.8 (and probably others), this reportedly indirectly allows root compromise. A local user can exploit the vulnerability to overwrite the uucp owned program /usr/bin/uustat, where arbitrary commands may be executed as part of the /etc/daily crontab script.

On Redhat 7.0 (and probably others), this reportedly indirectly allows a local user to create empty files as root execute commands as if logged in at the console.

Additional demonstration exploit information is provided in the Source Message.

Impact:   A local user can cause arbitrary commands to be executed on the system with 'uucp' user and group privileges, giving the local user 'uucp' level permissions on the system.
Solution:   OpenBSD has issued patches.

OpenBSD 2.8:
OpenBSD 2.9:

Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  UNIX (OpenBSD)

Message History:   This archive entry is a follow-up to the message listed below.
Sep 8 2001 Taylor UUCP Input Validation Flaw Allows Local Users to Elevate Privileges

 Source Message Contents

Subject:  vulnerability in UUCP

A security hole has been found by zen-parse that allows an attacker
to run arbitrary commands as user uucp.  Because several uucp-owned
commands are run from root's crontab file it is possible to gain
root or daemon privileges. The actual bug involves the parsing of
long-style command-line arguments in uuxqt(8).

For more details, see:

Patches are now available:
    OpenBSD 2.8:
    OpenBSD 2.9:

If you do not use the UUCP subsystem and do not wish to rebuild
uuxqt, you can simply remove the setuid bit from the UUCP executables
as follows:
    # chmod u-s /usr/bin/{uucp,uuname,uustat,uux}
    # chmod u-s /usr/libexec/uucp/{uucico,uuxqt}

You should also edit the /etc/daily script and replace the line:
    uustat -a > $TMP
    echo uustat -a | su -m uucp > $TMP

 - todd


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC