Add Emacs movemail local exploit against 4.3BSD, inspired by The Cuckoo's Egg #11049

Merged
merged 3 commits into from Dec 3, 2018

wvu-r7 commented Dec 1, 2018

msf5 exploit(unix/local/emacs_movemail) > info

       Name: Emacs movemail Privilege Escalation
     Module: exploit/unix/local/emacs_movemail
   Platform: Unix
       Arch: cmd
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 1986-08-01

Provided by:
  Markus Hess
  Cliff Stoll
  wvu <wvu@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   /usr/lib/crontab.local

Check supported:
  Yes

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  MOVEMAIL  /etc/movemail    yes       Path to movemail
  SESSION                    yes       The session to run this module on.

Payload information:
  Avoid: 1 characters

Description:
  This module exploits a SUID installation of the Emacs movemail
  utility to run a command as root by writing to 4.3BSD's
  /usr/lib/crontab.local. The vulnerability is documented in Cliff
  Stoll's book The Cuckoo's Egg.

References:
  CVE: Not available
  https://en.wikipedia.org/wiki/Movemail
  https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg
  http://pdf.textfiles.com/academics/wilyhacker.pdf
  https://www.gnu.org/software/emacs/manual/html_node/efaq/Security-risks-with-Emacs.html
  https://www.gnu.org/software/emacs/manual/html_node/emacs/Movemail.html
  https://mailutils.org/manual/html_node/movemail.html

@wvu-r7 wvu-r7 assigned bcook-r7 and busterb and unassigned bcook-r7 Dec 1, 2018

busterb commented Dec 1, 2018

LGTM! Wonder if we could get a retro CVE assigned :)

AmbitiousOkie commented Dec 3, 2018

Wunderbra!

@busterb busterb merged commit 4242de3 into rapid7:master Dec 3, 2018

2 checks passed

Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed

busterb added a commit that referenced this pull request Dec 3, 2018

busterb commented Dec 3, 2018

Release Notes

This adds an Emacs movemail local exploit against 4.3BSD, inspired by events described in Cliff Stoll's "The Cuckoo's Egg".

@wvu-r7 wvu-r7 deleted the wvu-r7:feature/movemail branch Dec 3, 2018

msjenkins-r7 added a commit that referenced this pull request Dec 3, 2018
