thr3ads.net - Secure testing team - [Secure-testing-team] Bug#638002: Improper seteuid() calls in src/log.c and src/masqmail.c [Aug 2011]

If this information is useful, please help other people find it:
Share via:

John Lightsey

2011-Aug-16 13:27 UTC

[Secure-testing-team] Bug#638002: Improper seteuid() calls in src/log.c and src/masqmail.c

Package: masqmail
Version: 0.2.21-4
Severity: critical
Tags: security
Justification: root security hole

Reporting publicly since this has already been disclosed on the masqmail list.

In src/log.c there are two logging functions that use this logic:

uid_t saved_uid;
saved_uid = seteuid(conf.mail_uid);

....write to a log file...

seteuid(saved_uid);


The first seteuid() call here isn''t returning the previous EUID,
it''s
returning 0 on success and -1 on failure. The net result should be that
any time masqmail writes to the log, it''s resetting the EUID to root.
This would undo the effect of other code in masqmail that drops root
privileges.

The most recent upstream version of masqmail (0.3.2) contains identical
code to the version I audited (Debian stable''s version 0.2.27).

Per information provided by the upstream author, src/masqmail.c contains
additional code with the same type of flaw.

-- System Information:
Debian Release: 6.0.2
  APT prefers stable
  APT policy: (500, ''stable'')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Secure testing team - Aug 2011 - Bug#638002: Improper seteuid() calls in src/log.c and src/masqmail.c

[Secure-testing-team] Bug#638002: Improper seteuid() calls in src/log.c and src/masqmail.c