Bugtraq mailing list archives
Security hole in mgetty+sendfax
From: gert () GREENIE MUC DE (Gert Doering)
Date: Thu, 24 Jul 1997 22:23:09 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hi, a security hole has been found in the auxiliary fax scripts "faxq" and "faxrunq" in the mgetty+sendfax package. It has been in there since the first day those scripts were written. Due to improper quoting in these shell scripts, it's possible to execute code with a foreign user id, and get root access to the machine. The exploit is actually quite trivial, so it's not necessary to include that here. Appended below, you'll find replacement scripts that fix the problems. The scripts can be used "as is" with mgetty+sendfax 1.0.* and 1.1.*, and I'm fairly sure that they will work with all older versions as well. This weekend, I will release new versions of mgetty+sendfax (1.1.8 for the development cycle, 1.0.1 as "stable release"), which will have the changes worked in. Credits for finding the problem go to Herbert Thielen (thielen () lpr e-technik tu-muenchen de). Thanks again. gert - ---------- begin 644 faxq+faxrunq.tar.gz M'XL( (RYUS, ^U::UL;.;*>K_:OJ AGL!.,+Y#DQ,290QC(,$,@"^3LSC-D MH7'+=@_M;M.MAGB3/;]]JTI2WVP89F8W^\5Z$FRW2B6I5)>W2CUT/EU_\Q]N MG7;[^>8F? , &YTN?P(\,Y\ SY\_W\"_&\^?O>AV-S:> ^" %^UOH/V?7ABU M)%9.!/#-2$;J7KID,/T:Z_G*;>51Z](+6O&XNE)=@2%J TRC<!0Y$^ GOG<E M0?C3:P%A!&+B>/ZU6(-X'-["K^%E#+>.I[Q@!%X :BPA3-0T47"=R$0R@Y.= MG9,>_&]]I4',U[V@LKF^ 2]?M-HO6MU-V FGL\@;C174=QK0>?ER$][B2<#W MH8R0+;+8V_[;^<G[HZ.#?BN)HU8\#4._A;RRCO.C#Z>ESA:N8Q02 UZ$'(S# M=%]J["BX]7P?G,% 3A7(>.!,90SU2R<>]T P=5/2-I.@!\SY&4F).AK(D#[[ M3"8T?R< Y_9*<_9B"$(%L0H#V0Q]MWD9.5[0=*7C0MU0K#%)B&/6U]>)X_9? M?^KCKVK5&\+ A5IA;U!%R0;0JTH_EE4RF1HO40R<@/@,QJX7@0I+PY"U@-?? M=GF$_.0IZ%2'7K5*Q]873UH_'KT1U4CR4?4%[F2()SSTG5'5#7G,P(DEU.@) MGFZUTKQIP(V,+L,8R5642 %;6_@X;$".Y;J+^S8]<;$G?F*>.X7G]FDT1[T% MZ?*R^9XT<&$*7KW:/=H[?W?REK=8:_=PC3>.[[D03I47XKGQRJOY9W$/]]4, M>UI]\6QX0GH6FV=Q$D]EX,JLQS$]#NJ+?7;3LX(P^DX/HQZNEIR)*G,Q"ZU6 MTG.@C?"IQ,Z@2@(SIW+AQU!CL^J^;KGRIA4DOG]1_06:_P#!'0(^PK??6@4( M0IYA7?#9>62$3&5/\,/)[C$>[1:\_^'H<%=_VWZ[>\+?WFWO'YP>\=?_VSU^ M8[[RN.V=G5/^M7_X_H/^]OYXGS^/=UE7B IUU:S,2 ,7QQVDKM6*1-'#A8J@ MZ<+J67NSB_]?G'4VVV>=C4W\CO]?;*S"JYH'7^",I8.:C98 J[5.OR^26$8" M/J/=>H$:@N#-/(ZWT"YK7?AGM4(CF'(Z9IW+2/5V%],Z(QD7:%D@CUVB/=QK M=HK4D1=&GIH5!J DS@3]Q!G6SP3/\<]5:%Y4*^9<:EY/NT 7+F=0HY6O0XUG M EI '2V#[)77N5Y#CD+K QGX5Q0<N7,!.5*C$V?B<7PFMM@#7L8JJD.MO0;/ MH?&'Q6XTY%R%@I9<J9C () GPTV KAX:H0-Q;G1=:OSL1.XOKR+(2OQ'>PV2NR\ M *TXOQ6M^(M'OR@-5MY$%J1XNO]NE\?VS'!:7Z4HRS7 +17Y_L]:>9?8^ZL< M*)&Q/MZ]8U$ORX=C-;>LN';P77:!5EU'0^CW:3%%(\D/UELBA<U&H%2K\) V MSQ8RSOA_(^/^AQEB^"LR/=S+J<F<O8KTQYGZBS7=GK9=81>1>3RMK=;AI3XO M96&?8K#15I[RT#:^D% SA;H>T4B'8-2V9!AAX)%>PO&NH%!P-L_L6"*SXVS* M_"AMX8M&[C;?H3O D89DT6@VBX73[I,%X6!-4>I\3\K5,QYP(6,RF3F^)QA$ M@:P+AS+!HI%DYG,CM]$]8#0<DE298-%(<KMS6WEO[(962VZY6HE1%9H25ELG MRE%)W'KDKO+OV#[(Z:%^TFNM0LTK*LV0M&S=#P=7TJ4@OJ4UQ@[,B\LP@8.C MG9]VOT=8*@E@QS)0H*%R$-XV2OHD/TTCG!,0OJX_(4110^R70@CX\J5X(G8* M1JK$>"956=T(*Z[0ZH5!86A(YAL\64\Q3O-'C8KL1@/<J!V@P0JO#7<O].H8 MW.57E\,,;O\"L6S@3!!X>FB?S!*/ZQ9J;B:T2DYB%&H93-\&,EI#:!BL*@O$ M4 VU='+T>N<@+EQ'R0L!321V!LJ[P9\Z6A\<O3W<)FU\_1H/D<=.;DBV-9> M:;62DX_&;JQ4O/$4"#4=_4!C-OH5P;KOQ.H\2@(42A[&GP4'V %G%V<7F+I@ M__7J*A"9@P9U06 W'7F!"OEOS?_,A/]6GN5V?_[?Q=X7Y?S_>??%,O__&FTN M_R=MT)E_&%X!I14VE:9>3C?6R&6X9(H3N/$<_H5]:^0 X@1SZGB8^.0K)N&- M1$Y,.(S"B:T0:';:D]01PVE^#A <)5S,9.CJO,!1M( A/4%&.'F#UW8ZEI$$ M!__'BA-Y7"U:?9B,QB!=C#5HUI<)1@!,],/H"E?,LXS#!'.^D7<C818F^(S\ M&R;F0 D>SNM-IA$N&8?-ERY(+K^[>O%GBQ=,M7OX/65Q3(/QP_%;,1^9EKI@ M(L:Z6?K?(GB,P0970,$\&^Y=MDC(+?E)#AC\5ZL[1X=[YWM(5)A"JD%K,I)* MS9Z:B5I6"(,P&'HC\94J*[=71?9_KKQ"+"?.%>I-@LIS*U=QK4,/=4,$\C:F MZ"Q854)4N A&88A:HY+A$&ZI D,^F?58#*(P$,@<&;[?/OVAGY,<;J=7HX=Z MME@J<.7027R%Z^)"#NX';20&+<@D<J@V@<OPT1K0A%!IY2<O5C&MW W/Z9S. MX[XX/?Z ",@^&-H'=)3GT]&$2'*_AO1KXGPZ'Q+U((R5/^L_RYZH4#E^O].N MNM*72IX3"N#,7D=Q!!.I8A31BLY.=;K9^CL\66EATA#(3XK2"8UE.M#O@]"N M(&Z2_C1UIDF)6I:/9'O+$HLZIB7_#ZV__S+[^=<?U6GG8ZOQ'294HB=$F3]M M T_QM_D/_QA_NWX\5+]I=+ \14[XY<QJT5(?Q&IX+RL\0.+6U"?*^-5NJ=U\ M^;%5XEK6@(>P9M5X.&>M2?<QUBI&!Z6:&A"5#BJG@K_OJ- WYO+NLT!08I=I M[@47/,D,!^%D0H;M>P$%CE$RP<EB[$IBS$VH9H(?B/G;\$LS_HA_KC^B+=R. MR2A[A8*HJ'4$U4/1M'TII[#11AM'4W9C<(8*O0;"R3&%JC4=:2:AB^&/LA@* M,>@.E"]U;93'4_V\O]'>BL?>4&UM(=OKQ$.?$4ZE=@Q(>]T THX\H-\"'@ \ MHECYQ %/&BD\;O<@":XP8PBRPF@GJPN7\H\:RT%WLX1-W9B_F^KK)0+FJW+Y MDKU&;06:(P5MS(I3=[& <8ZO/9Y12,(A@,%1$# )D .,_;.UU%M2 1;A-_M) M.KCJ?)W\RQ?+MQHSS.^+ML@JJUQ7+E96"=]@_USA5&]',\& =0V;*:)/3ZU0 M[5QA*5))F09!+PC)O0>XB2VC ;C^\#;6GC*2KH=>E&9-V9$6Q=7":7 ?0:4B M%>F:3=:T#F;]-C-A=2T+J)4E5[C9B_SY&"GS9-A'=P=\, 4%%/!8R2?P2H: MT56]VUCE>Q]%)T<YG<YM&SQHU8;350K8"!$G='P[Q5#^*V)O()<8 W-$L[SY MI?-Q#?A+]R/%/UIB/F0?T&H88EQ*@S!=DB.;)N'&>"P)?UR&D=+25)$SQ11V M0BEXMLR\&@AH/Y 2S8X5K-L6T($N;$#GF:Z%V_VRI!8/SBG6=ZA*DNTD2WW- M03@^FI<[ U,IJ%9X5>ULN@J>O_*"1-JC9OM!CT%E7SH+Q#[>< ;UYFNNY)R? M'C70BJA6"T$RN40BZM(E)@([A.*<R/<HB8UMQ85IJ.9B#^&A16G:OZE*:XSP M9O?M_B$Z:5H>WR!03.8OE"RKD+_2E/PETA]4F2S4LGFT*5GF2M>?-;="9;61 M$3VD0ITKX7[6Z\AWY.O6G^V*S70X6Z>;F\U6:Y$0MY$1O=0T.E9QL903G4<8 M&46NQFH.*Q<!B4Q70G69YQY2DD_55C?GZM":AC8W1T,UQZ.3W2(WO<\YVK3X MS)4@KJ'"A8FO8TF&.98,G#,U0NNG^LI8ND:/;$4G*_KEC8![N30#XNGC'X1X M_$Y<0--7N@"(M)6Y"A#ZJFP^ OYF0E1ZQ#S3," WA3Y-Z%%HWYE]ZD>I1>5+ M.QHU!'B&R4 5\0,:&<7C1$FS*=/;_QWVD0^^)4MAK>V+)MH!76'&;!%<G^]K MZ%.9NX#A$6E%GSO'Z$;(=JA]-HSXKX#F&(5?()Z&Y 9A(?&T,&<01NC+SR-] M65"D# J4A2N:,NDVH!;E[&BC(<Y*F[,7$ABCZ^#UNUO@O>H?[N''TZ<-(P_^ M2Y5%.[0("%=%+4NA!:KK#=\TX#_4X/RM$2_+>,DUS=M<$>@L5Y\V 116-7/> MYO0MQ#%/1>8O:QGA"FA1H':J) H NQ/&,1S%-5JI?5>XW3<J1Q$'(\FMI\:& MT"(3DR.C#$G%J8 1#/S$E100C3-BA<V;7GI[H8V^8'Y6'<W8OIB%2<2H++VL MS-U3WD^=35&ZS["V10)*R-"-0:(DN)<#2FV%21;=]*IMWVS9"%**T;4%8KH M03SQ$->$@64[3/PTV):+P1F)/^.Z.!6!J>9+S)(I^R54ZS )^)T7*K"D5TC& M)QLYS?'D<K(MU3 _UB1R\;QI+IG'BEQ25D=/,V2QN/C-XK=L6.QF%8S?F+(. M)E72\*:-.K]"+U!@CO)F^^0'N$Q&EL P/0U[*1]1ZCO19]V#HY^0R :\$M$> MGE,/HA!=<7T/SPX'Q3/<VJ2!"5J)]F>K,V,G1D@G WT=43@(*H.?#=*1)-=T M3UQYM[=A7QAXV!.IF\7"K1/S?=B"Z<^"L^!'5*T6 LL1(]Q>2D*%=Z[W6_$A M0NI?C"+$VT9OM"^W]T,==Q5_W0XP7%W,34-767R+0QN3]&H()XL":LP71!)D M>]9SV1-LP!=SZ+J6E^F:X(!5Y0-%<"I25=.N)DKA=CVO8(V\AF4%C'M4C+C3 MXBV[W*A,T7(/RVD'913I4CG=BH'21FB^MC:.H#JM$&L3KTQN4C"M<\P*I_%3 MJA6@5IB!1))FBU / ^PJ[9829/SJN+J2[.DZ'"]DP!7A2RH)#,;>C;X!*DH% M,\0X+!AE5JVX1V9,99"'SEGA:;;03&QS25J*4IK1$$H)&\M0.^"B[T. U$'G M5REX/QE%N/A+B0&4"N5.I$R8,&X1S5.AS)R1XP4HIMOQ#/&VKA4(W)9^_<O, MX)D==AK =,P[YLPKAXST&UI$US5TYA6U<(J636:.R9 WP.Q"PZ_O&MF(#3-" M9\M>X"E,D;U_Z.(H3Y?1;AI:SJ*I"$4F"&\^G/R<T3Q;2'-X!-_O;Q^<4BAC M4JYAW!4/]+ U#L%U(XH&^A)D;"-#&@Y3@>NBD94QR7R-@:2'< S7,'24XS]4 MVNV[-K&S?7R\CY@FW6['G@P:J0H'H2;'E'DM?463BAU_.SK,C>G>,8:#"EL\ M%VU^4TY[VZ?;!_AW_^##\>Z]XOH3@72HWTXPS(JQ%*W!2.=5J>+YFO,"NK/2 M%]; ODCG&>S+16'QPCAU[<:A.<)#*7%<F(24)4)6GUZ1]]#H0HS1P<Q(2EM/ M)A-B= \@R,!;'A0,\]ZG\B! 4"$T4+D7"E3NP@&5>1! ,LM@@#F! NEO0(&, M<)_#-*=OF+7%WJ5ORJ6XEWD4^LB.7AC_<\=R!P;(;7*<X4N,2NF1K?$-(7JO M])4'NDLD"$ZAP_B\7H'50F_>$F477AR@@USV-@7]*BW1-\@$[9=+B&96 T\T M/*@LP@86;1OU8HR@793!!_?K678A45"T!^&"H=&WW)/%H*"XQM02,EN%.EWD MNES6TD&5CJ)1&)!#"ID@\Y6W7%Y/J4<2<*F.N<L;C$P>WS SDQ2'1I).S;75 MS8PQRL^4>VVS$$7C"JIE%FNBYI9:W^H]LA6U<J'1ODQ2JO?QBE68#+3J<94# M7>MDND:3<&64TE(NFX^=Z72& S3KDL#3ETBJ['Y?W]D]&&,,!GIEXTZ2__9K M"\NV;,NV;,NV;,NV;,NV;,NV;,NV;,NV;,NV;,NV;,NV;,NV;,NV;,NV;,M6 +:O\"=]F"_0!0 "V end - -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert () greenie muc de fax: +49-89-3545980 gert.doering () physik tu-muenchen de -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBM9e5qKkuBuNlUUl1AQG2DwP+KAh9yxiyFXWfXCBA42Xp3iMmzDlvjlic b27rF9mpjdWA9mzcsI0xCXVnwFyeh5aCDxsUB10typR0oGjk4bzj3ll0k5B9ZXdq QBgE2mQKkdOod8Ew0gQ89VwlMcJAANS+pp0/68ABRDQp6+1K29HysaCMJwmgV0GH 3+cw2ywsOQ8= =NOr0 -----END PGP SIGNATURE-----
Current thread:
- Re: CPSR 7: IRIX WWW Server Thomas Walter (Jul 24)
- Re: CPSR 7: IRIX WWW Server Aaron Bornstein (Jul 24)
- Security hole in mgetty+sendfax Gert Doering (Jul 24)
- BIND Nuking Aveek Datta (Jul 24)
- Re: BIND Nuking Thomas H. Ptacek (Jul 29)
- ANNOUNCE: inn-1.5.1sec (fwd) Christopher Samuel (Jul 30)
- Re: Security hole in mgetty+sendfax Gert Doering (Jul 25)
- BIND Nuking Nicolas Dubee (Jul 25)
- Re: your mail Ariel Biener (Jul 25)
- Re: request-route Zoltan Hidvegi (Jul 28)
- Re: request-route Eric Bennett (Jul 29)
- Re: request-route John Macdonald (Jul 29)
- Re: request-route Kragen Sitaker (Jul 30)
- BIND Nuking Aveek Datta (Jul 24)