**************************************************************************
HACK: Shell access users can use "popper" to create root owned files
System: Unix
Source: Mark Fullmer (maf@cob.ohio-state.edu) from Bugtraq
Date: Fri, 6 May 1994
**************************************************************************
On systems that have /var/spool/mail mode 'drwsrwxrwt' and use the Berkeley
popper daemon, users that have access to /var/spool/mail (i.e. a user with a
shell login) can create arbitrary root-owned files on the host that popper
is executed on.

Depending on the umask that popper was run with, this file may also be world
writeable.
Details: UCB Pop server (version 1.831beta)
#line 59 of pop_dropcopy.c:
# currently running as root: (POP_TMPDROP is /usr/spool/mail/tmpXXXXXX)
> strcpy(template,POP_TMPDROP);
> (void) mktemp(template);
# The race starts here.
# mktemp() only chooses a name; it does not create the file. If a user
# guesses the pathname in "template", they could have previously made a
# link to, say, /etc/nologin, which the fopen() below will then open.
# Instead of a script to exploit this bug, you can verify it exists by adding
# sleep(30) here -- after the mktemp(), before the fopen() -- which will make the
# race condition easy to win. Of course, you already need to be root to be
# able to do this...
> if ( (tf=fopen(template,"w+")) == NULL ) { /* failure, bail out */
> pop_log(p,POP_PRIORITY,
> "Unable to create temporary temporary maildrop '%s': %s",template,
> (errno < sys_nerr) ? sys_errlist[errno] : "") ;
> return pop_msg(p,POP_FAILURE,
> "System error, can't create temporary file.");
> }
# At this point, the file is created. Because fopen() is called with "w+"
# rather than an exclusive create, an existing link at that path is opened and
# truncated instead of rejected. Depending on the umask that popper was
# run with, this file may have world write permission.
# chown/chmod won't follow your link.
> /* Now give this file to the user */
> (void) chown(template,pwp->pw_uid, pwp->pw_gid);
> (void) chmod(template,0600);
> /* Now link this file to the temporary maildrop. If this fails it
> * is probably because the temporary maildrop already exists. If so,
> * this is ok. We can just go on our way, because by the time we try
> * to write into the file we will be running as the user.
> */
> (void) link(template,p->temp_drop);
> (void) fclose(tf);
> (void) unlink(template);
> /* Now we run as the user. */
> (void) setuid(pwp->pw_uid);
> (void) setgid(pwp->pw_gid);
Solution. If your /var/spool/mail is mode 'drwsrwxrwt' this code is not
necessary. Remove lines 59-82 of pop_dropcopy.c. This does not entirely
solve the problem, especially if root reads their mail via popper. The
best solution is to not have /var/spool/mail with world write permissions,
as this same type of problem exists in at least one delivery agent (/bin/mail),
and probably in user agents.