Poor BSDI squid permissions

Summary
Description:on BSDI squid configuration files are owned by "www", which is the same UID that user CGI runs at. Thus a user could change start-squid to start a root shell, for example.
Author:"Jonathan A. Zdziarski" <jonz@NETRAIL.NET>
Compromise:user WWW privs -> root
Vulnerable Systems:BSDI 3.1 , perhaps other squid installs
Date:7 May 1998
Details


Date: Thu, 7 May 1998 15:49:07 -0400
From: "Jonathan A. Zdziarski" <jonz@NETRAIL.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: BSDI 3.1/Squid Default Owner

I noticed that by default, SQUID is installed on BSDi 3.1 with the
following permissions:

ls > ls -la
total 234
drwxrwxr-x  2 www  www    512 Feb  7  1997 .
drwxrwxr-x  3 www  www    512 Feb  7  1997 ..
-rwxr-xr-x  1 www  www   3635 Jan 20  1997 access-extract-urls.pl
-rwxr-xr-x  1 www  www   4269 Jan 20  1997 access-extract.pl
-rwxr-xr-x  1 www  www   9168 Jan 20  1997 access-summary.pl
-rwxr-xr-x  1 www  www   4153 Jan 20  1997 cache-summary.pl
-rwxr-xr-x  1 www  www  20480 Jan 20  1997 cachemgr.cgi
-rwxr-xr-x  1 www  www   4280 Jan 20  1997 client
-rwxr-xr-x  1 www  www   4448 Jan 20  1997 dnsserver
-rwxr-xr-x  1 www  www  36864 Jan 20  1997 ftpget
-rwxr-xr-x  1 www  www   2388 Jan 20  1997 pinger
-rwxr-xr-x  1 www  www  10235 Jan 20  1997 squid-logs.pl
-rwxr-xr-x  1 www  www    980 Jan 20  1997 squid.daily
-rwxr-xr-x  1 www  www    980 Jan 20  1997 squid.daily.sample
-rwxr-xr-x  1 www  www   1813 Jan 20  1997 squid.weekly
-rwxr-xr-x  1 www  www   1813 Jan 20  1997 squid.weekly.sample
-rwxr-xr-x  1 www  www   1724 Jan 20  1997 start-squid
-rwxr-xr-x  1 www  www   1724 Jan 20  1997 start-squid.sample
-rwxr-xr-x  1 www  www   3068 Jan 20  1997 upgrade-1.0-store.pl

Now I've seen what can happen when you have a httpd.conf owned by the same
user CGI Runs as (all user's cgi has the ability to modify the file)...the
same thing should be possible here.  One could easily modify the
start-squid file, or a configuration file, to set up a root shell or
anything else they care to do; since start-squid is initially run as root,
their modifications will be run as root as well.

It might be a good idea to modify BSDi to install them owned by root, just
as it does with apache.

Thank you,

Jonathan A. Zdziarski
Systems Administrator
Netrail Incorporated
jonz@netrail.net
(888) NET-RAIL

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]