uucp --config patch -- not sufficient

2002-01-18T00:00:00
ID SECURITYVULNS:DOC:2385
Type securityvulns
Reporter Securityvulns
Modified 2002-01-18T00:00:00

Description

Problem: uucp patch from RedHat (possibly others) prevents original exploit, but not variations.

Severity: Potential for local root on some distributions, uucp.uucp on others.

  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=54466

I had seen this report some time ago, and thought: "Good. They've got a bug report. That'll get it fixed. They'll check that before they release a new version, at least."

They didn't.

The patch does prevent the original exploit from working.

However, a trivial patch to the exploit I posted makes it work again.
local user -> uucp (via this problem) -> root (on some distributions, via /usr/sbin/makewhatis: '${PATH:0:1} (or similar) + redirection characters' issue.)

$ cd redhat7.0-uucp-to-root $ sed s/--config/--confi/ < exp-erm.sh >tmp-exp-erm.sh $ mv tmp-exp-erm.sh exp-erm.sh $ ./runme

and wait for /tmp/rootshell to appear.

(Does anyone at RedHat actually read their bugzilla posts? Might it not be an idea to make anything flagged as security actually get looked at by someone? 2001-10-09 seems along time for that to go unnoticed.)

-- zen-parse

--

1) If this message was posted to a public forum by zen-parse@gmx.net, it may be redistributed without modification. 2) In any other case the contents of this message is confidential and not to be distributed in any form without express permission from the author. This document may contain Unclassified Controlled Nuclear Information.