Redhat 7.0 local root (via uucp) (attempt 2)

From: zen-parse (zen-parseat_private)
Date: Fri Nov 30 2001 - 04:56:52 PST


    Affects:  RedHat 7.0 (possibly others)
    
    28 Aug 2001 01:27:24 +1200 uucp vulnerability exposed to vendor
     9 Nov 2001 07:14:15 +1300 this makewhatis vulnerability exposed to vendor
    
    /usr/sbin/makewhatis 
    
    An earlier version(1) of makewhatis had a fault in the handling of 
    compressed files that allowed execution of arbitrary commands as root.
     
    A patch for this problem was developed that seemed to be effective.  
    However, the patch was not restrictive enough in the metacharacters it
    filtered out.
    
    It is still possible to perform file creation or overwriting with
    arbitrary contents, as root.
    
    
    Taylor UUCP package and uucp exploit.
    
    The uucp utilities fail to filter out long options, which lets users 
    specify alternate configurations and as a result, execute commands with 
    uid and gid uucp. (2)
    
    Attached is an exploit for uucp (developed for RedHat 7.0, but other 
    vulnerable distributions should be similar).
    
    
    The root exploit.
    
    drwxrwxr-x    4 root     uucp         4096 Nov 30 19:48 /var/lock/
    
    On RH7.0 uucp allows arbitrary filename creation through the lockfile
    creation performed by /etc/cron.{daily,weekly}/makewhatis.cron.
    
    --- Start /etc/cron.daily/makewhatis.cron ---
    #!/bin/bash
    
    LOCKFILE=/var/lock/makewhatis.lock
    
    # the lockfile is not meant to be perfect, it's just in case the
    # two makewhatis cron scripts get run close to each other to keep
    # them from stepping on each other's toes.  The worst that will
    # happen is that they will temporarily corrupt the database...
    [ -f $LOCKFILE ] && exit 0
    trap "rm -f $LOCKFILE" EXIT
    touch $LOCKFILE
    makewhatis -u -w
    exit 0
    --- End /etc/cron.daily/makewhatis.cron ---
    
    Simply symlinking /var/lock/makewhatis.lock to the filename you want to 
    create will cause it to be created. 
    
    This root exploit is only for RedHat 7.0, but a similar method may work on 
    other distributions.
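The weakness in the cron script above is that `touch $LOCKFILE` follows a symlink planted in the group-writable /var/lock, so whoever controls that directory chooses which file root creates. The following is an added example, not RedHat's script or zen-parse's attachment: it takes the lock with `mkdir`, which is atomic and fails on any pre-existing path (file, directory, or symlink, dangling or not), and it refuses to touch or remove a lock path that is a symlink. The demo functions run entirely inside a throw-away `mktemp -d` directory; the lock path and the `demo_*` helper names are assumptions for illustration.

```shell
#!/bin/bash
# Added example: symlink-safe lock handling for a cron job.
# Not the original makewhatis.cron; paths below are illustrative.

# acquire_lock DIR: returns 0 if we created the lock directory, 1 if the
# lock is already held or the path is a symlink. mkdir(2) never follows a
# symlink at the final component, so a planted link cannot redirect creation.
acquire_lock() {
    dir="$1"
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink" >&2
        return 1
    fi
    mkdir "$dir" 2>/dev/null
}

# release_lock DIR: removes the lock, but never through a symlink.
release_lock() {
    dir="$1"
    [ -L "$dir" ] && return 1
    rmdir "$dir" 2>/dev/null
}

# Shows the original hazard in a sandbox: touch through a symlink creates
# the target. Returns 0 when the target was created (i.e. the hazard is real).
demo_touch_follows_symlink() {
    work="$(mktemp -d)"
    ln -s "$work/victim" "$work/lock"
    touch "$work/lock" 2>/dev/null
    created=1
    [ -e "$work/victim" ] && created=0
    rm -rf "$work"
    return "$created"
}

# Shows the hardened path: a planted symlink is refused and the target
# it points at is never created. Returns 0 on correct behaviour.
demo_symlink_refused() {
    work="$(mktemp -d)"
    ln -s "$work/victim" "$work/lock"
    result=0
    acquire_lock "$work/lock" && result=1      # must fail
    [ -e "$work/victim" ] && result=1         # target must not exist
    rm -rf "$work"
    return "$result"
}

# Shows the normal lock cycle: acquire, second acquire fails, release, reacquire.
demo_lock_cycle() {
    work="$(mktemp -d)"
    result=0
    acquire_lock "$work/lock" || result=1
    acquire_lock "$work/lock" && result=1      # already held
    release_lock "$work/lock" || result=1
    acquire_lock "$work/lock" || result=1
    rm -rf "$work"
    return "$result"
}

# Usage in a cron job would look like:
#   acquire_lock /var/lock/makewhatis.lock.d || exit 0
#   trap 'release_lock /var/lock/makewhatis.lock.d' EXIT
#   makewhatis -u -w
```

The mkdir lock only closes the file-creation hole; it does not stop a user who can write to the parent directory from pre-creating the lock to keep the job from ever running, which the original `[ -f $LOCKFILE ] && exit 0` already allowed. The complete fix is to keep the lock in a directory writable only by root rather than in a group-writable /var/lock.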
    
    
    -- zen-parse
    (1) http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=42450
    Previous makewhatis problem.
    
    (2) http://www.securityfocus.com/bid/3312
    Taylor UUCP vulnerability.
    
    (3) http://mp3.com/cosv
    Some starving musicians.
    
    This is my 2nd attempt to post this: if it was rejected for any reason
    last time, it would be nice to know why. If the previous one had just
    disappeared, that would be strange.
    
    -- 
    -------------------------------------------------------------------------
    The preceding information is confidential and may not be redistributed
    without explicit permission. Legal action may be taken to enforce this.  
    If this message was posted by zen-parseat_private to a public forum it may
    be redistributed as long as these conditions remain attached. If you are
    mum or dad, this probably doesn't apply to you.
    
    
    


