Add Emacs movemail local exploit against 4.3BSD, inspired by The Cuckoo's Egg #11049

Merged
merged 3 commits into from Dec 3, 2018

@wvu wvu commented Dec 1, 2018

msf5 exploit(unix/local/emacs_movemail) > info

       Name: Emacs movemail Privilege Escalation
     Module: exploit/unix/local/emacs_movemail
   Platform: Unix
       Arch: cmd
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 1986-08-01

Provided by:
  Markus Hess
  Cliff Stoll
  wvu <wvu@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   /usr/lib/crontab.local

Check supported:
  Yes

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  MOVEMAIL  /etc/movemail    yes       Path to movemail
  SESSION                    yes       The session to run this module on.

Payload information:
  Avoid: 1 characters

Description:
  This module exploits a SUID installation of the Emacs movemail
  utility to run a command as root by writing to 4.3BSD's
  /usr/lib/crontab.local. The vulnerability is documented in Cliff
  Stoll's book The Cuckoo's Egg.

References:
  CVE: Not available
  https://en.wikipedia.org/wiki/Movemail
  https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg
  http://pdf.textfiles.com/academics/wilyhacker.pdf
  https://www.gnu.org/software/emacs/manual/html_node/efaq/Security-risks-with-Emacs.html
  https://www.gnu.org/software/emacs/manual/html_node/emacs/Movemail.html
  https://mailutils.org/manual/html_node/movemail.html
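
A defender-side check for the condition the module description relies on, as an added example that is not part of this pull request or of the Metasploit module: it flags a setuid-root movemail and a cron table that is not root-owned or is writable by group or other. The function names and finding strings are hypothetical; the two paths are the ones shown in the module info and are assumed to match the host being audited.

```python
import os
import stat

# Paths as shown in the module info above; adjust per host (assumption).
MOVEMAIL_PATHS = ["/etc/movemail"]
CRON_TABLES = ["/usr/lib/crontab.local"]


def movemail_findings(mode, uid):
    """Findings for a movemail binary, from its st_mode and st_uid."""
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
        return []
    return ["setuid-root"] if uid == 0 else [f"setuid-uid-{uid}"]


def cron_table_findings(mode, uid):
    """Findings for a cron table whose entries cron runs on root's behalf."""
    findings = []
    if uid != 0:
        findings.append(f"owned-by-uid-{uid}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group-or-world-writable")
    return findings


def audit(movemail_paths=MOVEMAIL_PATHS, cron_tables=CRON_TABLES):
    """Stat each path that exists and return {path: [findings]}."""
    report = {}
    checks = [(p, movemail_findings) for p in movemail_paths]
    checks += [(p, cron_table_findings) for p in cron_tables]
    for path, check in checks:
        try:
            st = os.stat(path)  # follows symlinks to the real target
        except OSError:
            continue  # absent or unreadable: nothing to report
        findings = check(st.st_mode, st.st_uid)
        if findings:
            report[path] = findings
    return report


if __name__ == "__main__":
    for path, findings in audit().items():
        print(f"{path}: {', '.join(findings)}")
```

An empty report means none of the listed paths exists with the flagged permissions; it says nothing about copies of movemail installed elsewhere.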

@wvu wvu assigned bcook-r7 and busterb and unassigned bcook-r7 Dec 1, 2018

busterb commented Dec 1, 2018

LGTM! Wonder if we could get a retro CVE assigned :)

@AmbitiousOkie

Wunderbra!

@busterb busterb merged commit 4242de3 into rapid7:master Dec 3, 2018
busterb added a commit that referenced this pull request Dec 3, 2018

busterb commented Dec 3, 2018

Release Notes

The Emacs Movemail Privilege Escalation module has been added to the framework. This is a local exploit against 4.3BSD, inspired by events described in Cliff Stoll's "The Cuckoo's Egg."

@wvu wvu deleted the feature/movemail branch December 3, 2018 18:46
msjenkins-r7 pushed a commit that referenced this pull request Dec 3, 2018