
Re: [linux-security] Re: Re: Sendmail 8.8.2 exploit.

Uri Blumenthal wrote:
>
> Wolfgang Ley says:
> > > Hm, look what I got hold of today.. Works if sendmail is mode 4111 or
> > > similar:
> > [exploit script deleted]
> >
> > Sendmail 8.8.3 (which is available now) fixes the problem.
>
> NO IT DOESN'T.
>
> I've tried it, and was able to get root consistently with sendmail-8.8.3.
> Would anybody outline the code that presumably plugs this hole?

Most probably you've forgotten to install the new sendmail binary (and
delete the old one or at least turn off the setuid bit on the old version).
Sendmail 8.8.3 does fix the problem at two independent places.

The other possible problem is that you've forgotten to remove the setuid
shell in /tmp before trying the exploit again.

[mod: Uri has now admitted that this was indeed the case. Sorry for
the stir. -- REW]

Excerpt from the sendmail.8.8.3.patch file:

*** sendmail-8.8.2/src/main.c   Sat Oct 12 17:19:41 1996
- --- sendmail-8.8.3/src/main.c Sat Nov 16 10:34:25 1996
***************
*** 931,936 ****
- --- 915,933 ----
                /* fall through ... */

          case MD_DAEMON:
+               /* check for permissions */
+               if (RealUid != 0)
+               {
+ #ifdef LOG
+                       if (LogLevel > 1)
+                               syslog(LOG_ALERT, "user %d attempted to run daemon",
+                                       RealUid);
+ #endif
+                       usrerr("Permission denied");
+                       exit(EX_USAGE);
+               }
+               vendor_daemon_setup(CurEnv);
+
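Review bot: the refusal in the MD_DAEMON case logs only when LogLevel > 1, while the set[ug]id failure added later in this same patch logs at LogLevel > 0; an unprivileged user attempting to start the daemon is at least as worth recording as a failed setuid, so the threshold here could be lowered to match. Two smaller points: the `/* fall through ... */` above the case label means the preceding mode also reaches this check, which deserves a comment on the case so nobody later "fixes" the fall-through and loses the guard; and `exit(EX_USAGE)` for a permission refusal would be more accurately `exit(EX_NOPERM)`, which sysexits.h provides for exactly this condition.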

Which fixes the problem that a user can start sendmail in daemon mode, and

***************
*** 1964,1969 ****
- --- 1961,1975 ----
                syslog(LOG_INFO, "restarting %s on signal", SaveArgv[0]);
  #endif
        releasesignal(SIGHUP);
+       if (setgid(RealGid) < 0 || setuid(RealUid) < 0)
+       {
+ #ifdef LOG
+               if (LogLevel > 0)
+                       syslog(LOG_ALERT, "could not set[ug]id(%d, %d): %m",
+                               RealUid, RealGid);
+ #endif
+               exit(EX_OSERR);
+       }
        execv(SaveArgv[0], (ARGV_T) SaveArgv);
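Review bot: the alert prints RealUid and RealGid whichever of the two calls failed, so the log cannot tell the operator whether setgid() or setuid() was refused; splitting the `||` into two checks, each logging its own call and errno, costs a few lines and makes the alert actionable. The ordering itself, setgid() before setuid(), is right and deliberate, so a one-line comment above the `if` stating that it must not be swapped would protect it from the reordering the moderator reports seeing in about half the submitted patches.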

Which resets the userid before restarting.

[mod: In setuid programs, when you try to reset your uid back to
the real uid/gid, ALWAYS first do the group ID and only then the
uid. Doing the uid first may disable your "right" to alter the
gid. Linux may currently have "saved uids" but don't count on that
being portable. I just checked my approval mailbox, and about 50%
of the submitted patches do it in the wrong order.]

 
Bye,
  Wolfgang.
--
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg,    Germany
Email: ley cert dfn de   Phone: +49 40 5494-2262 Fax: +49 40 5494-2241
PGP-Key available via finger ley ftp cert dfn de any key-server or via
WWW from http://www.cert.dfn.de/~ley/               ...have a nice day

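The rule in the moderator note, and the check the second hunk adds before execv(), as an added example that is not part of the sendmail patch or of this thread: drop to a target uid/gid group first, then user, and confirm the drop actually took. Clearing supplementary groups with setgroups() and the post-drop verification are additions of this example, not something the patch does.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to (uid, gid): group first, then user, as the note
 * requires. While the effective uid is still 0 any group id may be set;
 * once setuid() has given up root, that right may be gone on some systems.
 * Returns 0 on success, -1 on failure (errno left set by the failing call). */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups survive setgid() and only root may change them,
     * so clear them while we still can; an unprivileged caller skips this. */
    if (geteuid() == 0 && setgroups(1, &gid) < 0) {
        fprintf(stderr, "setgroups: %s\n", strerror(errno));
        return -1;
    }
    if (setgid(gid) < 0) {                 /* 1. group id */
        fprintf(stderr, "setgid(%ld): %s\n", (long)gid, strerror(errno));
        return -1;
    }
    if (setuid(uid) < 0) {                 /* 2. user id, only after the gid */
        fprintf(stderr, "setuid(%ld): %s\n", (long)uid, strerror(errno));
        return -1;
    }
    /* Do not trust the return values alone: confirm every id changed. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        fprintf(stderr, "privilege drop incomplete\n");
        return -1;
    }
    /* If we gave up root, the saved uid must be gone too: regaining must fail. */
    if (uid != 0 && setuid(0) == 0) {
        fprintf(stderr, "privilege drop not permanent: root regained\n");
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Drop to the real ids, as the sendmail restart path does before execv(). */
    if (drop_privileges(getuid(), getgid()) < 0)
        return 1;
    printf("running as uid %ld gid %ld\n", (long)geteuid(), (long)getegid());
    return 0;
}
```

Run it as an ordinary user and it simply confirms the ids; installed setuid root it performs the real drop and refuses to continue if root could still be regained.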
