youbin, the utility that acts as a network version of the utility biff, has insufficient bounds checking that allows arbitrary code execution.
246db609e0835a2434298e984b43373b3bfa91bc54ee98a12910070f03a1b529
I. BACKGROUND
$ more /usr/ports/mail/youbin/pkg-descr
---- From README (slightly modified) ---
youbin is a kind of biff in the network age. When youbin is used, the
mail spool of a certain, specific machine (mail server) is observed to
inform the arrival of mail to a user at an arbitrary machine through
the network. On the other hands, the conventional "biff" informs only
the user who logs in at the machine on which the mail spool
resides. Combining with POP, youbin eliminates a lot of NFS mount of
mail spool directory caused by checking mail arrival.
More information is available at:
https://www.agusa.nuie.nagoya-u.ac.jp/software/agusalab/youbin/youbin-e.html
II. DESCRIPTION
Insufficient bounds checking leads to execution of arbitrary code.
perl exploit follows this document.
III. ANALYSIS
Upon setting a large value for the HOME environment variable a buffer can be
overflowed. Since youbin is setuid root this effectively allows for a full
system compromise.
Example run:
$ id
uid=1000(kokanin) gid=1000(kokanin) groups=1000(kokanin), 0(wheel)
$ perl DSR-youbin.pl
# id
uid=0(root) gid=1000(kokanin) groups=1000(kokanin), 0(wheel)
IV. DETECTION
youbin-3.4 shipping with freebsd ports per 02/03/03, the latest available
at the time of writing, is known to be vulnerable.
V. WORKAROUND
# chmod -s `which youbin`
VI. VENDOR FIX
unknown
VII. CVE INFORMATION
unknown
VIII. DISCLOSURE TIMELINE
5/5/03 - FreeBSD port maintainer notified
5/5/03 - FreeBSD port maintainer replies, bug is known, apparently no fix
is planned at the moment
6/5/03 - public disclosure
IX. CREDIT
Knud Erik Højgaard/kokanin, dtors security research