From:	 Charles Stevenson <core@ezlink.com>
To:	 "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
Subject: lmail local root exploit
Date:	 Thu, 05 Jul 2001 00:07:18 -0600

`lmail` is vulnerable to an insecure mktemp() race which allows a
user to overwrite or create files.

Offending code (lmail.c):

#define MAIL_TMPFILE    "/tmp/rmXXXXXX"   /* predictable name in a world-writable directory */

...

static char     tempfname[] = MAIL_TMPFILE;

...

if (fseek(stdin, 0L, 0) != 0) {
        /* mktemp() only returns a name; fopen("w+") then creates the file
         * without O_EXCL, so a symlink placed at that name between the two
         * calls is followed and its target truncated. */
        mailfile = fopen(mktemp(tempfname), "w+");
...

Patch: s/mktemp/mkstemp/g (was mkstemp even in existence when this was
written?)
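The replacement worked through as an added example (this is not code from lmail or from the post above; the function names are hypothetical). One caveat to the one-liner: mkstemp() returns a file descriptor rather than a name, so a literal s/mktemp/mkstemp/ inside fopen() does not compile; the descriptor is wrapped with fdopen() instead. The second function shows, entirely inside a private scratch directory, why O_EXCL is the property that matters: an open without it follows a symlink already sitting at the path, while O_CREAT|O_EXCL refuses it.

```c
/* Added example, not code from lmail or from the original post: a
 * mkstemp()-based replacement for the fopen(mktemp(...), "w+") pattern
 * quoted above, plus a check of why the replacement holds. Function
 * names here are hypothetical. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAIL_TMPFILE "/tmp/rmXXXXXX"

/* Hardened shape: mkstemp() picks the name and creates the file in one
 * step with O_CREAT|O_EXCL and mode 0600. It returns a descriptor, not a
 * name, so s/mktemp/mkstemp/ alone does not compile: fdopen() wraps the
 * descriptor so the rest of the program can keep using stdio. */
FILE *open_tmp_secure(char *tmpl)
{
    int fd = mkstemp(tmpl);
    if (fd == -1)
        return NULL;
    FILE *fp = fdopen(fd, "w+");
    if (fp == NULL)
        close(fd);
    return fp;
}

/* Creates a file via open_tmp_secure(), checks it is a regular file with
 * no group/other permission bits, removes it. Returns 1 on success. */
int secure_tmp_is_private(void)
{
    char tmpl[] = MAIL_TMPFILE;
    struct stat st;
    FILE *fp = open_tmp_secure(tmpl);
    if (fp == NULL)
        return 0;
    int ok = fstat(fileno(fp), &st) == 0 && S_ISREG(st.st_mode)
             && (st.st_mode & 077) == 0;
    fclose(fp);
    unlink(tmpl);
    return ok;
}

/* Shows the difference O_EXCL makes, inside a private scratch directory:
 * "target" is a regular file and "lnk" a symlink to it. fopen("w+") on
 * the symlink succeeds and truncates target; open() with O_CREAT|O_EXCL
 * on the same symlink fails with EEXIST. Returns 1 if both hold. */
int excl_refuses_symlink(void)
{
    char dir[] = "/tmp/exclchkXXXXXX", target[64], lnk[64];
    struct stat st;
    FILE *f;
    int fd, ok = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/lnk", dir);

    if ((f = fopen(target, "w")) == NULL)
        goto out;
    fputs("original contents\n", f);
    fclose(f);
    if (symlink(target, lnk) != 0)
        goto out;

    /* Without O_EXCL the symlink is followed and target is truncated. */
    if ((f = fopen(lnk, "w+")) == NULL)
        goto out;
    fclose(f);
    if (stat(target, &st) != 0 || st.st_size != 0)
        goto out;

    /* With O_EXCL an existing path is refused rather than followed. */
    fd = open(lnk, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd == -1 && errno == EEXIST)
        ok = 1;
    else if (fd != -1)
        close(fd);
out:
    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("mkstemp file is a private regular file: %d\n", secure_tmp_is_private());
    printf("O_EXCL refuses a pre-placed symlink:    %d\n", excl_refuses_symlink());
    return 0;
}
```

Both checks print 1 on a POSIX system with a writable /tmp. The same reasoning applies to any program that builds a temporary path and then opens it in a second call: the fix is a single create-and-open with O_EXCL (or a library call such as mkstemp() that does it), not a less guessable name.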

Source Code:

http://ftp.unicamp.br/pub/unix-c/mail/lmail.tar.gz

Exploit:

http://www.ezlink.com/~core/hot/lmail-xpl.c

As Jon Zeef said:

 * Caution: I wrote this for my own use and it does what I want.  I    
 * haven't looked into all portability and security issues nor is the 
 * code as clean as I would like.  Use at your own risk.  

Amazingly lmail is still in use. 

References I found after I exploited it and went looking for the damn
source code (man this is ancient good stuff):

lmail: Author Jon Zeef.

    When you install smail 2.5, you link the original /bin/mail (binmail
    above) to /bin/lmail to perform the task of actually delivering the
    mail to the user's mailbox (LDA).

    Since smail 2.5 was not capable of doing mail-to-pipe and mail-to-file
    aliasing, Jon Zeef wrote a replacement lmail that implemented
    these (along with user mailbox delivery).

    Jon's program is okay for casual use, but has some pretty serious
    bugs.  Fixed versions are available, but you're probably better
    off waiting for smail 2.7, or installing deliver or procmail.

http://iubio.bio.indiana.edu/R0-50789-/news/bionet/users/addresses/9202.newsm

3. Merit line issues.

     jfk reported on the current status of the Merit line.  Jon Zeef (zeef)
     will fix certain identified bugs in the program.  Utilization of the
     guest line is virtually 100%, of the patron/member lines about 70%, much
     better than expected.  By consensus, it was agreed that Jon Zeeff would
     have in return for his efforts a free patronship of at least two years,
     or as long as we use his hardware and software.

http://arbornet.org/bod_minutes/19920216

Configuration is done using subst.   Subst is in config/subst.sh and
doc/subst.1.  The history file is written using DBZ.  The DBZ sources and
manual page are in the dbz directory.  Unlike subst, DBZ is kept
separately, to make it easier to track the C News release.  The subst
script and DBZ data utilities are currently at the "Performance Release"
patch date.  Thanks to Henry Spencer and Geoff Collyer for permission to
use and redistribute subst, and to Jon Zeef for permission to use DBZ as
modified by Henry.

http://www.mibsoftware.com/userkt/inn/readme/0005.htm

SolidSpeed was founded late last year by Jon Zeeff, an
Internet pioneer in Ann Arbor who founded Branch
Information Services in 1993. It provided dedicated
access lines to the Internet and helped pioneer the
concept of hosting Web sites for small businesses. Branch
was sold to Verio, a national Internet service provider.

http://www.arborpartners.com/may1200.html

   Ok, changes... there are a couple of totally new modules here.  One is
simply labeled "misc.chk"; this checks for a potpourri of things -- right
now it checks for unrestricted tftp, uuencode & decode problems (including
the "decode" alias) writability of things in /etc/inetd.conf|/etc/services,
and to see if rexd is enabled.  The second is a CRC generator, called,
amazingly enough, "crc.chk" (Jon Zeef was kind enough to let me use his
version).  It's similar to the SUID trouble finder, in that you run it once,
create a database, then compare future runs against that standard.  It
reports any changes that are found.  There are some problems with this --
nothing is functionally wrong with the program, as far as I know, but there
are a few operational hazards -- for more information, read the README file,
and the man page.

http://www.ja.net/CERT/CERT-CC/tools/cops/1.02/cover_letter

Jon Zeef said that Msen was thinking of offering free Internet connections
to M-Net and Grex.  Is this an April fool or did he mean it?  I'll call Ed
Vielmetti to ask for more information.

http://grex.cyberspace.org/grexdoc/archives/minutes/1993-04-01

  This checks for unexpected file system corruption or security breaches.
It's nice to be able to say that you know all your files are as they should
be.  Mark Mendel wrote most of crc.c and Jon Zeef wrote crc_check.c.  Seems
to work fine on BSD or SYS V.

http://www.doclib.org/Linux/system/security/cops_104_linux/cops_104/docs/CRC.README

        * system.h, sys5.unx (fsysdep_execute), uuxqt.c (uqdo_xqt_file):
        Jon Zeef: if a temporary failure occurs, retry the execution
        later.

http://cvsweb.netbsd.org/bsdweb.cgi/gnusrc/gnu/libexec/uucp/ChangeLog?annotate=1.1

http://www.cctec.com/maillists/nanog/historical/9604/msg00388.html

http://www.oreilly.com/catalog/musenet/

**4.  MAKING YOUR WEB SITE MORE EFFECTIVE. Research from analysts and
experts conclude that besides a Web site's content, the most important
thing you can do to increase sales and lengthen face time is increase
the speed in which the first page is viewed, says Jon Zeeff, CTO and
founder of SolidSpeed Networks, a service-based Internet infrastructure
company providing small and mid-size-business (SMB) Web sites significant
performance enhancements.  Customers typically experience 5 times the
reliability and up to 10 times the speed improvement, as well as the
ability to handle spikes in demand. "It used to be that eight seconds was
acceptable, now if the home page takes more than four seconds, the Web
viewer gets bored and moves on to the next Web site, perhaps your
competitor's," says Zeef. News contact: Scott Lorenz, Westwind
Communications <scottlorenz@mediaone.net> Phone: 734-667-2090, Cell Phone:
248-705-2214, Web site: http://www.solidspeed.com

http://www.solidspeed.com/about/team/jonz.html
http://www.gssnet.com/faqs/faq_unix.htm

...

Greetz to b1nary 0utlawz (b10z)

Best Regards,
Charles Stevenson
http://ezlink.com/~core/