Re: Security hole in mgetty+sendfax

[gert () GREENIE MUC DE (Gert Doering)]

-----BEGIN PGP SIGNED MESSAGE-----

Hi,

Gert Doering wrote:
> [Mgetty+sendfax security problem]

> begin 644 faxq+faxrunq.tar.gz

Well... some minor points:

- - this is not releated to the "Hylafax" (formerly FlexFax) package.
  Hylafax has a "faxq" program as well, but it works completely different
  and is not affected.

- - the URL for mgetty is http://www.leo.org/~doering/mgetty/, but the
  patch is not yet there (weekend).

- - somehow the uuencode'd file got corrupted traversing bugtraq's relay
  mailer [linux-security got it correctly], so I'll append it again, as
  a "shar" archive.

gert

#!/bin/sh
# This is a shell archive (produced by shar 3.52.3)
# To extract the files from this archive, save it to a file, remove
# everything above the "!/bin/sh" line above, and type "sh file_name".
#
# made 07/25/1997 07:55 UTC by gert@greenie
# Source directory /u/gert/src/mgetty/fax
#
# existing files will NOT be overwritten unless -c is specified
#
# This shar contains:
# length  mode       name
# ------ ---------- ------------------------------------------
#   3507 -rw-r--r-- faxq
#   8247 -rw-r--r-- faxrunq
#
touch -am 1231235999 $$.touch >/dev/null 2>&1
if test ! -f 1231235999 && test -f $$.touch; then
  shar_touch=touch
else
  shar_touch=:
  echo 'WARNING: not restoring timestamps'
fi
rm -f 1231235999 $$.touch
#
# ============= faxq ==============
if test -f 'faxq' && test X"$1" != X"-c"; then
  echo 'x - skipping faxq (File already exists)'
else
  echo 'x - extracting faxq (Text)'
  sed 's/^X//' << 'SHAR_EOF' > 'faxq' &&
#!/bin/sh
#
# faxq program
#
# like "lpq" or "mailq", show jobs waiting in the output queue
#
# SCCS: @(#)faxq.in     4.3 97/07/24 Copyright (C) 1994 Gert Doering
#
FAX_SPOOL=/usr/spool/fax
FAX_SPOOL_OUT=/usr/spool/fax/outgoing
X
#
# echo program that will accept escapes (bash: "echo -e", sun: /usr/5bin/echo)
#
echo="echo"
X
#
# an awk that is not stone-old-brain-dead (that is, not oawk...)
#
AWK=awk
X
if cd $FAX_SPOOL_OUT
then:
else
X    $echo "cannot chdir to $FAX_SPOOL_OUT..." >&2
X    exit 1
fi
X
jobs="*/JOB"
requeue=""
X
for flag
do
X    case $flag in
X       -v) verbose="true" ;;
X       -o) jobs="*/JOB.done" ;;
X       -s) jobs="*/JOB.s*" ;;
X       -a) jobs="*/JOB*" ;;
X       -r) jobs="*/JOB.s*"; requeue="true" ;;
X       *) cat <<EOF_MSG >&2
$0: invalid option: $flag
valid options:
X  -o: show old jobs
X  -s: show suspended jobs
X  -a: show all jobs
X  -v: verbose output
X  -r: restart suspended jobs
EOF_MSG
X          exit 1 ;;
X    esac
done
X
jobs=`ls $jobs 2>/dev/null`
[ -z "$jobs" ] && $echo "no jobs."
for i in $jobs
do
X    USER=""; PHONE=""; PAGES=""; MAILTO=""; VERBTO="";
X    ACCT=""; INPUT=""; PRI=""; RE=""
X
X    if [ -z "$verbose" ]
X    then
X       eval `tr -d '\042\047\140\134\044\073' <$i | \
X            $AWK '$1=="user" { printf "USER=%s;", $2 }
X                  $1=="phone" { printf "PHONE=%s;", $2 }
X                  $1=="pages" { printf "PAGES=%d;", NF-1 }
X                  $1=="priority" { printf "PRI=\" pri=%s.\"", $2}' -`
X       $echo "$i: queued by $USER. $PAGES page(s) to $PHONE.$PRI"
X    else
X       eval `tr -d '\042\047\140\134\044\073' <$i | \
X            $AWK '$1=="user" { printf "USER=%s;", $2 }
X                  $1=="mail"  { printf "MAILTO=\"%s\";", substr( $0, 6 ) }
X                  $1=="phone" { printf "PHONE=%s;", $2 }
X                  $1=="verbose_to" \
X                              { printf "VERBTO=\"%s\";", substr( $0, 12 ) }
X                  $1=="acct_handle" \
X                              { printf "ACCT=\"%s\";", substr( $0, 13 ) }
X                  $1=="input" { printf "INPUT=\"%s\";", substr( $0, 7 ) }
X                  $1=="time"  { printf "TIME=\"%s:%s\";",
X                                substr( $0, 6, 2 ), substr( $0, 8,2 ) }
X                  $1=="subject"{ printf "RE=\"%s\";", substr( $0, 9 ) }
X                  $1=="priority"{ printf "PRI=\"%s\";", $2 }
X                  $1=="pages" { if ( NF==2 ) printf "PAGES=\"%s\";", $2
X                                else if ( NF==3 )
X                                     printf "PAGES=\"%s %s\";", $2, $3
X                                else
X                                     printf "PAGES=\"%s ... %s\";", $2, $NF
X                              }' -`
X       $echo "$i:"
X       $echo "\tQueued by: $USER"
X       if [ -z "$VERBTO" ]
X       then
X       $echo "\t       to: $PHONE"
X       else
X       $echo "\t       to: $VERBTO ($PHONE)"
X       fi
X       test ! -z "$RE" && \
X       $echo "\t       Re: $RE"
X       test ! -z "$MAILTO" && \
X       $echo "\t   E-Mail: $MAILTO"
X       test ! -z "$INPUT" && \
X       $echo "\t    Input: $INPUT"
X       $echo "\t    Pages: $PAGES"
X       test ! -z "$TIME" && \
X       $echo "\tSend time: $TIME"
X       test ! -z "$ACCT" && \
X       $echo "\tAcct info: $ACCT"
X       test ! -z "$PRI" && \
X       $echo "\t Priority: $PRI"
X
X       sed -e '/Status/!d' -e 's/Status/           Status:/' $i
X       if [ -f "$i.locked" ] ; then
X        $echo "\t   Status: LOCKED (being sent right now)"
X       else
X       expr $i : ".*done$" >/dev/null ||
X       $echo "\t   Status: not sent yet"
X       fi
X    fi
X
# if "requeue", requeue *.suspended-Jobs
X    if [ -n "$requeue" ] && expr "$i" : ".*JOB.s" >/dev/null
X    then
X       d=`dirname $i`
X       if [ ! -w $d ] ; then
X           $echo "$i: not owner, can't restart"
X       else
X           $echo "Status "`date`" - reactivated by $LOGNAME" >>$i
X           mv $i $d/JOB
X       fi
X    fi
X
done
X
test -n "$verbose" -a -n "$jobs" -a -r .last_run &&
X    $echo "\nLast \`\`faxrunq'' run at: `cat .last_run`"
X
SHAR_EOF
  $shar_touch -am 0724205497 'faxq' &&
  chmod 0644 'faxq' ||
  echo 'restore of faxq failed'
  shar_count="`wc -c < 'faxq'`"
  test 3507 -eq "$shar_count" ||
    echo "faxq: original size 3507, current size $shar_count"
fi
# ============= faxrunq ==============
if test -f 'faxrunq' && test X"$1" != X"-c"; then
  echo 'x - skipping faxrunq (File already exists)'
else
  echo 'x - extracting faxrunq (Text)'
  sed 's/^X//' << 'SHAR_EOF' > 'faxrunq' &&
#!/bin/sh
#
# faxrunq
#
# look for outgoing fax jobs, send them via sendfax, if succesful, remove
# them from the outgoing queue (and send a mail to the originator of the
# job)
#
# There are still a lot rough edges - but it works, and should give you an
# idea how to improve it
#
# SCCS: @(#)faxrunq.in  4.3 97/07/24 Copyright (C) 1994 Gert Doering
X
FAX_SPOOL=/usr/spool/fax
FAX_SPOOL_OUT=/usr/spool/fax/outgoing
FAX_SENDER="/usr/local/sbin/sendfax"
FAX_ACCT=$FAX_SPOOL/acct.log
X
MAILER="/usr/lib/mail/execmail"
X
CONF_FILE="/usr/local/etc/mgetty+sendfax/faxrunq.config"
X
#
# echo program that will accept escapes (bash: "echo -e", sun: /usr/5bin/echo)
#
echo="echo"
X
#
# awk program that is not stone-old-brain-dead (that is, not oawk...)
#
AWK=awk
X
#
# make sure we'll find "newslock" and other good stuff when run from "cron"...
#
PATH=/usr/local/bin:$PATH
X
#
# set defaults, then process configuration file (if it exists)
#
do_mail_s="TRUE"
do_mail_f="TRUE"
exec_pgm_s=""
exec_pgm_f=""
max_fail_costly=5
max_fail_total=10
delete_sent=""
X
if [ -r $CONF_FILE ] ; then
X    eval `$AWK '/^ *#/ { next }
X            $1 == "success-send-mail" \
X               { printf "do_mail_s=\"%s\";", ($2 ~ /^[yYjJtT1]/)? "T":"" }
X            $1 == "failure-send-mail" \
X               { printf "do_mail_f=\"%s\";", ($2 ~ /^[yYjJtT1]/)? "T":"" }
X            $1 == "success-call-program" \
X               { printf "exec_pgm_s=\"%s\";", $2 }
X            $1 == "failure-call-program" \
X               { printf "exec_pgm_f=\"%s\";", $2 }
X            $1 == "maxfail-costly" && $2 ~ /^[0-9]/ \
X               { printf "max_fail_costly=\"%s\";", $2 }
X            $1 == "maxfail-total" && $2 ~ /^[0-9]/ \
X               { printf "max_fail_total=\"%s\";", $2 }
X            $1 == "delete-sent-jobs" \
X               { printf "delete_sent=\"%s\";", ($2 ~ /^[yYjJtT1]/)? "T":"" }
X            END { printf "\n" }' $CONF_FILE`
fi
X
#
# command line arguments
#
usage="usage: $0 [-s] [-q]"
X
while:
do
X    case "$1" in
# sleep 30 seconds after each job, give modem time to settle
X       -s) sleepwait=30;shift;;
# quiet operation
X       -q) exec >/dev/null ; shift ;;
# invalid option
X       -*) $echo "$0: unknown option: $1" >&2
X            $echo "$usage" >&2
X           exit 1
X           ;;
X       *) break
X    esac
done
X
if [ $# -gt 0 ]
then
X    $echo "$usage" >&2
X    exit 1
fi
X
#
# go to fax spool directory, process all JOB files
#
X
cd $FAX_SPOOL_OUT || exit 1
X
status="0"
jobs=`ls */JOB 2>/dev/null`
for job in $jobs
do
X    if [ $status -eq 4 -a -n "$sleepwait" ]
X    then
#     old stat :no connect; modem allows next redial in $sleepwait secs
X      $echo "sleeping $sleepwait seconds"
X      sleep $sleepwait
X    fi
X    cd $FAX_SPOOL_OUT/`dirname $job`
X    $echo "processing $job..."
#
#   lock JOB file (by 'link(2)'ing it to JOB.locked)
#   'newslock' is a small C program that just calls link(argv[1], argv[2])
#
X    # make sure Lock will be removed in case the shell aborts
X    trap "rm -f JOB.locked 2>/dev/null" 0
X    trap "rm -f JOB.locked 2>/dev/null ; exit 20" 1 2 3 15
X
X    newslock JOB JOB.locked 2>/dev/null
X    if [ $? -ne 0 ]
X    then
X       $echo "already locked"
X       trap 0 1 2 3 15
X       continue
X    fi
#
# get user to notify (->$MAIL_TO), phone number (->$PHONE) and
# earliest send time (->$TIME)
#
X    eval `tr -d '\042\047\140\134\044\073' <JOB | \
X         $AWK 'BEGIN { user=""; mail=""; verbto=""; time=""; re=""; }
X               $1=="user" { user=$2 }
X               $1=="mail" { mail=substr( $0, 6) }
X               $1=="phone" { printf "PHONE=%s;", $2 }
X               $1=="time" { time=$2 }
X               $1=="verbose_to" { verbto=substr($0,12) }
X               $1=="subject" { re=substr($0,9) }
X               END { if ( mail != "" ) printf "MAIL_TO=\"%s\";", mail
X                                  else printf "MAIL_TO=\"%s\";", user
X                     printf "TIME=\"%s\";", time
X                     printf "VERBOSE_TO=\"%s\";", verbto
X                     printf "RE=\"%s\"", re }' - `
X
#
# check whether send time is reached
#
X    if [ ! -z "$TIME" ]
X    then
X       if [ `date "+%H""%M"` -lt $TIME ]
X       then
X           $echo "...send time not reached, postponing job"
X           rm JOB.locked
X           continue
X       fi
X    fi
X
#
# construct command line to execute
#
X    command=`tr -d '\042\047\140\134\044\073' <JOB | \
X             $AWK 'BEGIN { phone="-"; flags=""; pages="" }
X                 $1=="phone" { phone=$2 }
X                 $1=="header"     { flags=flags" -h "$2 }
X                 $1=="poll"       { flags=flags" -p" }
X                 $1=="normal_res" { flags=flags" -n" }
X                 $1=="acct_handle" { flags=flags" -A \""substr($0,13)"\"" }
X                 $1=="pages" { for( i=2; i<=NF; i++) pages=pages$i" " }
X                 END { printf "'"$FAX_SENDER"' -v%s %s %s", \
X                              flags, phone, pages }' -`
X
#
# execute faxsend command
#
X    $echo "$command"
X    eval $command
#
# handle return values
#
X    status=$?
X    $echo "command exited with status $status"
X
#
# string to include in subject line
#
X    if [ -z "$VERBOSE_TO" ]
X    then
X        subject="your fax to $PHONE"
X    else
X        subject="your fax to $VERBOSE_TO ($PHONE)"
X    fi
X
#
# evaluate return codes, if success, remove fax job from queue
#
X    if [ $status -eq 0 ]
X    then
X       # transmission successful
X       $echo "Status "`date`" successfully sent" >>JOB
X
X       # update accounting log
X       $echo "$MAIL_TO $PHONE "`date`" success" >>$FAX_ACCT
X
X       # send mail, if requested
X       if [ -n "$do_mail_s" ] ; then
X           $echo "    send mail to $MAIL_TO..."
X           (
X             trap 0                    # catch BASH bug
X             $echo "To: $MAIL_TO"
X             $echo "Subject: OK: $subject"
X             $echo "From: root (Fax Subsystem)\n"
X             $echo "Your fax has been sent successfully at: \c"
X             date
X             test -z "$RE" || \
X               $echo "(Subject was: $RE)\n"
X             $echo "\n\nJob / Log file:"
X             cat JOB
X             tries=`grep Status JOB | sed -e '1d' | wc -l`
X             $echo "\nSending succeeded after" $tries "unsuccessful tries."
X           ) |
X           $MAILER "$MAIL_TO"
X       fi
X
X       # call "success" handler program (if requested)
X       if [ -n "$exec_pgm_s" ] ; then
X           $echo "    calling program $exec_pgm_s..."
X           $exec_pgm_s $FAX_SPOOL_OUT/$job
X       fi
X
X       # job is done -> remove it from the queue
X       mv JOB JOB.done
X
X       # completely remove JOB directory (only if requested)
X       # instead of this, the job could be archived by "$exec_pgm_s" or so
X       if [ -n "$delete_sent" ] ; then
X           $echo "    deleting job files + directory..."
X           cd $FAX_SPOOL_OUT
X           rm -rf `dirname $job`
X       fi
X
X    elif [ $status -lt 10 ]
X    then
X       # error before starting to transmit (try again)
X       why="unknown" ; case $status in
X           1) why="errors in command line" ;;
X           2) why="cannot open fax device (locked?)" ;;
X           3) why="modem initialization error" ;;
X           4) why="dial failed - BUSY" ;;
X           5) why="dial failed - NO DIALTONE" ;;
X       esac
X       $echo "Status "`date`" failed, exit($status): $why" >>JOB
X    else
X       # error while transmitting, considered fatal
X       why="unknown" ; case $status in
X           10) why="dial failed - NO CARRIER" ;;
X           11) why="protocol failure, waiting for XON" ;;
X           12) why="protocol failure sending page" ;;
X       esac
X       $echo "Status "`date`" FATAL FAILURE, exit($status): $why" >>JOB
X
X       # update accounting log
X       $echo "$MAIL_TO $PHONE "`date`" fail: $why" >>$FAX_ACCT
X
X       # if failed <max_fail_costly> times, suspend job
X       if [ `grep "FATAL FAILURE" JOB | wc -l` -ge $max_fail_costly ]
X       then
X           $echo "Status "`date`" job suspended: too many FATAL errors" >>JOB
X
X           # send mail, if requested
X           if [ -n "$do_mail_f" ] ; then
X               echo "    send mail to $MAIL_TO..."
X               (
X                 trap 0                        # catch BASH bug
X                 $echo "To: $MAIL_TO"
X                 $echo "Subject: FAIL: $subject failed"
X                 $echo "From: root (Fax Subsystem)\n"
X                 $echo "It was not possible to send your fax to $PHONE!\n"
X                 test -z "$RE" || \
X                   $echo "(Subject was: $RE)\n"
X                 $echo "The fax job is suspended, you can requeue it with the command:"
X                 $echo "    cd $FAX_SPOOL_OUT/"`dirname $job`
X                 $echo "    mv JOB.suspended JOB\n"
X                 $echo "log file follows:"
X                 cat JOB ) |
X               $MAILER "$MAIL_TO"
X           fi
X
X           # call error handler, if requested
X           if [ -n "$exec_pgm_f" ] ; then
X               $echo "    calling program $exec_pgm_f..."
X               $exec_pgm_f $FAX_SPOOL_OUT/$job
X           fi
X
X           #
X           # suspend job (but do not delete it)
X           #
X           mv JOB JOB.suspended 2>/dev/null
X       fi
X    fi
#
# unlock job (even if the JOB has been renamed to JOB.suspended or
#             JOB.done, the link to JOB.locked still exists!)
#
X    rm -f JOB.locked
done
X
trap 0 1 2 3 15
X
#
# touch the time stamp, to make faxspool happy
#
rm -f $FAX_SPOOL_OUT/.last_run
date >$FAX_SPOOL_OUT/.last_run
chmod 644 $FAX_SPOOL_OUT/.last_run
SHAR_EOF
  $shar_touch -am 0724205497 'faxrunq' &&
  chmod 0644 'faxrunq' ||
  echo 'restore of faxrunq failed'
  shar_count="`wc -c < 'faxrunq'`"
  test 8247 -eq "$shar_count" ||
    echo "faxrunq: original size 8247, current size $shar_count"
fi
exit 0
- --
ftp.leo.org:/pub/comp/networking/communication/modem/mgetty/mgetty*.tar.gz
greenie (login: nuucp, 089/3545988):/pub/uploads/mgetty1.1*.tar.gz
***** SEE THE DOCS on ***** http://www.leo.org/~doering/mgetty/ *****

Gert 'Mr. Mgetty' Doering   ---   gert () greenie muc de   ---   mgetty () muc de

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBM9hga6kuBuNlUUl1AQHgaQP+NlvJS7Fk+hPFsV4hTkJuo7tW+ZjI0n6c
m7zaGR5mT1gR73GikeCAQJUfmrCU2KQRDWQYe4eXChXfvk31yF3Yg+A7thpAjpJb
d2H56MEKypOooKLR0HsBaDp5ds2jqPp2pzQA5LPNcktCyfJ4VQ/TTSt/Bi5b1wRX
Ufa8AMOJ7vU=
=AAPP
-----END PGP SIGNATURE-----