6710690 2001-07-05 00:07 -0600  /179 lines/ Charles Stevenson <core@ezlink.com>
Sent by: joel@lysator.liu.se
Imported: 2001-07-05  20:49  by Brevbäraren
External recipient: bugtraq@securityfocus.com <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <17801>
Subject: lmail local root exploit
------------------------------------------------------------
From: Charles Stevenson <core@ezlink.com>
To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
Message-ID: <3B440416.33F8D314@ezlink.com>

`lmail` is vulnerable to an insecure mktemp() race which allows a
user to overwrite or create files.

Offending code (lmail.c):

#define MAIL_TMPFILE    "/tmp/rmXXXXXX"

...

static char     tempfname[] = MAIL_TMPFILE;

...

if (fseek(stdin, 0L, 0) != 0) {
        mailfile = fopen(mktemp(tempfname), "w+");
...

Patch: s/mktemp/mkstemp/g (was mkstemp even in existence when this was
written?)

Source Code:

http://ftp.unicamp.br/pub/unix-c/mail/lmail.tar.gz

Exploit:

http://www.ezlink.com/~core/hot/lmail-xpl.c

As Jon Zeef said:

 * Caution: I wrote this for my own use and it does what I want.  I    
 * haven't looked into all portability and security issues nor is the 
 * code as clean as I would like.  Use at your own risk.  

Amazingly lmail is still in use. 

References I found after I exploited it and went looking for the damn
source code (man this is ancient good stuff):

lmail: Author Jon Zeef.

    When you install smail 2.5, you link the original /bin/mail
    (binmail above) to /bin/lmail to perform the task of actually
    delivering the mail to the user's mailbox (LDA).

    Since smail 2.5 was not capable of doing mail-to-pipe and
    mail-to-file aliasing, Jon Zeef wrote a replacement lmail that
    implemented these (along with user mailbox delivery).

    Jon's program is okay for casual use, but has some pretty serious
    bugs.  Fixed versions are available, but you're probably better
    off waiting for smail 2.7, or installing deliver or procmail.

http://iubio.bio.indiana.edu/R0-50789-/news/bionet/users/addresses/9202.newsm

3. Merit line issues.
 
     jfk reported on the current status of the Merit line.  Jon Zeef
     (zeef) will fix certain identified bugs in the program.  Utilization
     of the guest line is virtually 100%, of the patron/member lines
     about 70%, much better than expected.  By consensus, it was agreed
     that Jon Zeeff would have in return for his efforts a free
     patronship of at least two years, or as long as we use his hardware
     and software.

http://arbornet.org/bod_minutes/19920216

Configuration is done using subst.   Subst is in config/subst.sh and
doc/subst.1.  The history file is written using DBZ.  The DBZ sources and
manual page are in the dbz directory.  Unlike subst, DBZ is kept
separately, to make it easier to track the C News release.  The subst
script and DBZ data utilities are currently at the "Performance Release"
patch date.  Thanks to Henry Spencer and Geoff Collyer for permission to
use and redistribute subst, and to Jon Zeef for permission to use DBZ as
modified by Henry.

http://www.mibsoftware.com/userkt/inn/readme/0005.htm

SolidSpeed was founded late last year by Jon Zeeff, an
Internet pioneer in Ann Arbor who founded Branch
Information Services in 1993. It provided dedicated
access lines to the Internet and helped pioneer the
concept of hosting Web sites for small businesses. Branch
was sold to Verio, a national Internet service provider.

http://www.arborpartners.com/may1200.html

   Ok, changes... there are a couple of totally new modules here.
One is simply labeled "misc.chk"; this checks for a potpourri of
things -- right now it checks for unrestricted tftp, uuencode &
decode problems (including the "decode" alias) writability of things
in /etc/inetd.conf|/etc/services, and to see if rexd is enabled.  The
second is a CRC generator, called, amazingly enough, "crc.chk" (Jon
Zeef was kind enough to let me use his version).  It's similar to the
SUID trouble finder, in that you run it once, create a database, then
compare future runs against that standard.  It reports any changes
that are found.  There are some problems with this -- nothing is
functionally wrong with the program, as far as I know, but there are a
few operational hazards -- for more information, read the README file,
and the man page.

http://www.ja.net/CERT/CERT-CC/tools/cops/1.02/cover_letter

Jon Zeef said that Msen was thinking of offering free Internet
connections to M-Net and Grex.  Is this an April fool or did he mean
it?  I'll call Ed Vielmetti to ask for more information.

http://grex.cyberspace.org/grexdoc/archives/minutes/1993-04-01

  This checks for unexpected file system corruption or security
breaches.  It's nice to be able to say that you know all your files
are as they should be.  Mark Mendel wrote most of crc.c and Jon Zeef
wrote crc_check.c.  Seems to work fine on BSD or SYS V.

http://www.doclib.org/Linux/system/security/cops_104_linux/cops_104/docs/CRC.README

             |           364:        * system.h, sys5.unx (fsysdep_execute), uuxqt.c (uqdo_xqt_file):
             |           365:        Jon Zeef: if a temporary failure occurs, retry the execution
             |           366:        later.

http://cvsweb.netbsd.org/bsdweb.cgi/gnusrc/gnu/libexec/uucp/ChangeLog?annotate=1.1

http://www.cctec.com/maillists/nanog/historical/9604/msg00388.html

http://www.oreilly.com/catalog/musenet/

**4.  MAKING YOUR WEB SITE MORE EFFECTIVE. Research from analysts and
experts conclude that besides a Web site's content, the most
important thing you can do to increase sales and lengthen face time
is increase the speed in which the first page is viewed, says Jon
Zeeff, CTO and founder of SolidSpeed Networks, a service-based
Internet infrastructure company providing small and mid-size-business
(SMB) Web sites significant performance enhancements.  Customers
typically experience 5 times the reliability and up to 10 times the
speed improvement, as well as the ability to handle spikes in
demand. "It used to be that eight seconds was acceptable, now if the
home page takes more than four seconds, the Web viewer gets bored and
moves on to the next Web site, perhaps your competitor's," says
Zeef. News contact: Scott Lorenz, Westwind Communications
<scottlorenz@mediaone.net> Phone: 734-667-2090, Cell Phone:
248-705-2214, Web site: http://www.solidspeed.com

http://www.solidspeed.com/about/team/jonz.html
http://www.gssnet.com/faqs/faq_unix.htm

...

Greetz to b1nary 0utlawz (b10z)

Best Regards,
Charles Stevenson
http://ezlink.com/~core/
(6710690) /Charles Stevenson <core@ezlink.com>/(Rewrapped)
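The race in the lmail snippet quoted in the post, and the shape of the fix, as an added example in C that is not part of the original post or of lmail. The scratch directory, the "victim" file and the attacker's symlink step are constructed for the demo (the same process plays both sides; in the real race a second local user does the planting between mktemp() and fopen()), and the function names are my own. The post calls this a local root exploit, so in the real case the fopen() runs with lmail's privileges and the link target can be any file those privileges can write. The last function shows why the patch is not a literal s/mktemp/mkstemp/: mkstemp() returns a descriptor, so it is paired with fdopen().

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define PATHLEN 128

/* Constructed fixture, not part of lmail: a scratch directory, a "victim"
 * file the attacker wants overwritten, and a template shaped like lmail's
 * MAIL_TMPFILE. mktemp() picks a name (creating nothing); the "attacker",
 * played here by the same process in place of a concurrent local user,
 * then plants a symlink at that name pointing at the victim. 0 on success. */
static int setup_and_plant(char *dir, char *victim, char *tmpl)
{
    snprintf(dir, PATHLEN, "/tmp/lmaildemo.XXXXXX");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, PATHLEN, "%s/victim", dir);
    snprintf(tmpl, PATHLEN, "%s/rmXXXXXX", dir);
    FILE *f = fopen(victim, "w");
    if (f == NULL)
        return -1;
    fputs("original contents\n", f);
    fclose(f);
    if (mktemp(tmpl) == NULL || tmpl[0] == '\0')   /* name chosen, no file */
        return -1;
    return symlink(victim, tmpl);                  /* the race, won */
}

/* 1 if the victim's first line no longer reads "original contents", else 0;
 * removes the fixture either way. */
static int overwritten_then_cleanup(const char *dir, const char *victim, const char *tmpl)
{
    char buf[64] = {0};
    FILE *f = fopen(victim, "r");
    if (f == NULL || fgets(buf, sizeof buf, f) == NULL)
        buf[0] = '\0';
    if (f != NULL)
        fclose(f);
    unlink(tmpl); unlink(victim); rmdir(dir);
    return strcmp(buf, "original contents\n") != 0;
}

/* The lmail pattern: fopen(name, "w+") after mktemp() creates or truncates
 * whatever the name resolves to at open time, a planted symlink included.
 * Returns 1 if the victim was clobbered, 0 if not, -1 on setup failure. */
int mktemp_then_fopen_follows_symlink(void)
{
    char dir[PATHLEN], victim[PATHLEN], tmpl[PATHLEN];
    if (setup_and_plant(dir, victim, tmpl) != 0)
        return -1;
    FILE *mailfile = fopen(tmpl, "w+");       /* follows the planted link */
    if (mailfile == NULL)
        return -1;
    fputs("attacker-chosen mail body\n", mailfile);
    fclose(mailfile);
    return overwritten_then_cleanup(dir, victim, tmpl);
}

/* Hardened form: create with O_CREAT|O_EXCL, which is what mkstemp() does
 * internally, so choosing the name and creating the file are one atomic
 * step. If anything, a symlink included, already sits at the path the open
 * fails with EEXIST: the planted link is refused rather than followed.
 * Returns 1 if the open was refused and the victim is intact, else 0. */
int excl_open_rejects_planted_symlink(void)
{
    char dir[PATHLEN], victim[PATHLEN], tmpl[PATHLEN];
    if (setup_and_plant(dir, victim, tmpl) != 0)
        return -1;
    int fd = open(tmpl, O_RDWR | O_CREAT | O_EXCL, 0600);
    int refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0)
        close(fd);
    int intact = (overwritten_then_cleanup(dir, victim, tmpl) == 0);
    return refused && intact;
}

/* What the one-word patch expands to: mkstemp() returns an open descriptor,
 * not a name, so it pairs with fdopen() instead of replacing mktemp() as
 * text. Returns 1 if the body written via the stream reads back, else 0. */
int mkstemp_fdopen_round_trip(void)
{
    char tmpl[] = "/tmp/rmXXXXXX", buf[32] = {0};  /* lmail's MAIL_TMPFILE */
    int fd = mkstemp(tmpl);                  /* create+open atomically, 0600 */
    FILE *mailfile = fd < 0 ? NULL : fdopen(fd, "w+");
    if (mailfile == NULL) {
        close(fd);                           /* harmless EBADF when fd < 0 */
        return 0;
    }
    fputs("mail body\n", mailfile);
    rewind(mailfile);                        /* flush, then position to read */
    if (fgets(buf, sizeof buf, mailfile) == NULL)
        buf[0] = '\0';
    fclose(mailfile);
    unlink(tmpl);
    return strcmp(buf, "mail body\n") == 0;
}
```

The first function returns 1 on every POSIX system because open(2) follows symlinks unless told otherwise; the second returns 1 because O_CREAT|O_EXCL is specified to fail with EEXIST when the path is a symlink, regardless of where the link points, which is the property mkstemp() relies on and mktemp()+fopen() lacks.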