-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-01:62 Security Advisory FreeBSD, Inc. Topic: UUCP allows local root exploit Category: core Module: uucp Announced: 2001-10-08 Credits: zen-parse@gmx.net Affects: All released versions of FreeBSD 4.x prior to 4.4. FreeBSD 4.3-STABLE prior to the correction date. Corrected: 2001-09-10 20:22:57 UTC (FreeBSD 4.3-STABLE) 2001-09-10 22:30:28 UTC (RELENG_4_3) FreeBSD only: NO I. Background Taylor UUCP is an implementation of the Unix-to-Unix Copy Protocol, a protocol sometimes used for mail delivery on systems where permanent IP connectivity to the internet is not available. II. Problem Description The UUCP suite of utilities allow a user-specified configuration file to be given on the command-line. This configuration file is incorrectly processed by the setuid uucp and/or setgid dialer UUCP utilities while running as the uucp user and/or dialer group, and allows unprivileged local users to execute arbitrary commands as the uucp user and/or dialer group. Since the uucp user owns most of the UUCP binaries (this is required for UUCP to be able to write to its spool directory during normal operation, by virtue of being setuid) the attacker can replace these binaries with trojaned versions which execute arbitrary commands as the user which runs them. The uustat binary is run as root by default during the daily maintenance scripts. All versions of FreeBSD 4.x prior to the correction date including 4.3-RELEASE are vulnerable to this problem, but it was corrected prior to the release of FreeBSD 4.4-RELEASE. III. Impact Unprivileged local users can overwrite the uustat binary, which is executed as root by the daily system maintenance scripts. This allows them to execute arbitrary commands as root the next time the daily maintenance scripts are run. IV. Workaround One or more of the following: 1) Set the noschg flag on all binaries owned by the uucp user: # chflags schg /usr/bin/cu /usr/bin/uucp /usr/bin/uuname \ /usr/bin/uustat /usr/bin/uux /usr/bin/tip /usr/libexec/uucp/uucico \ /usr/libexec/uucp/uuxqt 2) Remove the above binaries from the system, if UUCP is not in use. 3) Disable the daily UUCP maintenance tasks by adding the following lines to /etc/periodic.conf: # 340.uucp daily_uuclean_enable="NO" # Run uuclean.daily # 410.status-uucp daily_status_uucp_enable="NO" # Check uucp status # 300.uucp weekly_uucp_enable="NO" # Clean uucp weekly V. Solution We recommend that UUCP be removed entirely from systems containing untrusted users: to remove UUCP, refer to the directions in section IV above. Compiling the UUCP binaries when rebuilding the FreeBSD system can be prevented by adding the following line to /etc/make.conf: NOUUCP=true 1) Upgrade your vulnerable FreeBSD system to 4.4-RELEASE, 4.4-STABLE or the RELENG_4_3 security branch dated after the respective correction dates. 2) To patch your present system: download the relevant patch from the below location, and execute the following commands as root: [FreeBSD 4.3] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:62/uucp.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:62/uucp.patch.asc Verify the detached PGP signature using your PGP utility. # cd /usr/src # patch -p < /path/to/patch # make depend && make all install 3) FreeBSD 4.3-RELEASE systems: An experimental upgrade package is available for users who wish to provide testing and feedback on the binary upgrade process. This package may be installed on FreeBSD 4.3-RELEASE systems only, and is intended for use on systems for which source patching is not practical or convenient. If you use the upgrade package, feedback (positive or negative) to security-officer@FreeBSD.org is requested so we can improve the process for future advisories. During the installation procedure, backup copies are made of the files which are replaced by the package. These backup copies will be reinstalled if the package is removed, reverting the system to a pre-patched state. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:62/security-patch-uucp-01.62.tgz # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:62/security-patch-uucp-01.62.tgz.asc Verify the detached PGP signature using your PGP utility. # pkg_add security-patch-uucp-01.62.tgz VI. Correction details The following is the $FreeBSD$ revision number of the file that was corrected for the supported branches of FreeBSD. The $FreeBSD$ revision number of the installed source can be examined using the ident(1) command. The patch provided above does not cause these revision numbers to be updated. [FreeBSD 4.3-STABLE] Revision Path [RELENG_4_3] Revision Path 1.8.4.1 src/gnu/libexec/uucp/cu/Makefile 1.6.4.1 src/gnu/libexec/uucp/uucp/Makefile 1.5.4.1 src/gnu/libexec/uucp/uuname/Makefile 1.5.4.1 src/gnu/libexec/uucp/uustat/Makefile 1.6.4.1 src/gnu/libexec/uucp/uux/Makefile 1.10.8.1 src/usr.bin/tip/tip/Makefile 1.3.2.2.2.1 src/etc/periodic/daily/410.status-uucp VII. References -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBO8IU0FUuHi5z0oilAQFE4gP/dqLwzjAk3M5fhtfsENFy0OAlzQA70SG3 IJibpH19KdjcQX53CrLI/wI34JXqCVfiGpw2kLSysL6yfbBI+3Z2YUxPRaxrtoGF 9R4ZcCuuLuE14pCmAtWnLEdXFHVRThJzsLzk2xEZkhYU5hufW3+IqfIMcMNayQbf BSI5/zAjPG4= =TBLy -----END PGP SIGNATURE-----