Bug 52194

Summary: | SUID sendmail allows local overflow | |
---|---|---|---
Product: | [Retired] Red Hat Linux | Reporter: | Philip Rowlands <phr>
Component: | sendmail | Assignee: | Florian La Roche <laroche>
Status: | CLOSED CURRENTRELEASE | QA Contact: | David Lawrence <dkl>
Severity: | medium | Docs Contact: |
Priority: | high | |
Version: | 7.1 | CC: | alfcruz, chrismcc, djuran, donfede, leonard-rh-bugzilla, oliver, per.starback, schumann, sjcjonker
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2001-09-13 08:06:52 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description

Philip Rowlands
2001-08-21 16:29:16 UTC

Exploit now posted to Bugtraq, which works after some tweaking. By "works", I mean "can create root owned mode 4755 executable copy of /bin/bash". I'm damned if I can get the thing to run as root though... IMHO this is a serious exploit. Is it possible to release a new sendmail rpm? Currently running with my own compiled version, but an rpm would be real nice ;-)

http://people.redhat.com/laroche/sendmail* contains our current sendmail rpm for rawhide. Please email me if you see any problems with these rpms, apart from recompiling them on our release. I am now working on rpms for older releases and it will take some more QA time to verify them.

Florian La Roche

There may be a remote extension to this security bug, I am not sure. Somebody is trying to exploit a couple of my boxes with a hack to the Errors-To header parameter. I found this while in debug on a box that was having sendmail problems...

```
06433 === EXEC procmail -f f10879.il -Y -a -d validdomain
06433 >>> Return-Path: <f10879.il>
06433 >>> Received: from vikee.com (nszx104.134.szptt.net.cn [202.104.134.182] (may be forged))
06433 >>> by emerson.xyz.com (8.9.3/8.9.3) with ESMTP id QAA06431
06433 >>> for <deborah>; Mon, 27 Aug 2001 16:00:04 -0700
06433 >>> From: f10879.il
06433 >>> Received: from 195.55.23.2 [4.4.177.79] by vikee.com
06433 >>> (SMTPD32-6.04) id AA7BF90132; Sun, 26 Aug 2001 06:45:15 +0800
06433 >>> To:
06433 >>> Subject: Watch Censored Pix - Anonymously!
06433 >>> Date: Sun, 26 Aug 01 13:11:27 US Mountain Standard Time
06433 >>> Errors-To: C%^S'$"du^P^U)c^N\0&IbW#&3!k_^TZO8Nl0,@emerson.xyz.com,
06433 >>> az.com
06433 >>> X-Mailer: 'L,m:
06433 >>> X-Priority: 3
06433 >>> X-MSMailPriority: Normal
06433 >>> Importance: Normal
06433 >>> Message-Id: <200108260645445.SM01424.23.2>
06433 >>>
06433 >>> <!doctype html public "-//w3c//dtd html 4.0 transitional//en">
```

Note the envelope return address from Israel (.il) and the relay mail server in Canada (.cn). xyz.com is substituted for my domain, and "validdomain" is a virtual domain hosted on the box. Note that the Errors-To contains some binary followed by a reference to my domain. This email preceded strange behavior by sendmail. I am not sure it was a valid exploit, but it warrants looking into. Thanks...

tburt

Um, just for the record, CN isn't Canada. Please check your figures or join the FBI - Canada's not exactly the cracker's haven you wish. We just burn White Houses, which makes us arsonists.

- bish bishop

Right you are.. I didn't mean to slight our neighbors to the north... .cn, is that China? I haven't memorized too many of the international roots. I wasn't even positive that .il is Israel. It was also graciously pointed out that this is not an 8.11.* version of sendmail. However, I was receiving similar attacks on both this older version and the 8.11.* Forewarned is forearmed? That's all.

Hello, me again. Checking on the status of this security fix. 10 days since this ticket was opened, and a week since Security Focus issued its recommendation to upgrade sendmail on all servers. The link for the rawhide rpm, as seen above, is dead. Is this security fix only available to subscribers of Red Hat's premium service? I am not a subscriber, but if I were, I would be wondering loudly why I am paying and not getting.... I do not mean to insult or belittle the maintainers of this code, you guys are saints. I have an uneasy feeling that Red Hat may be withholding this fix from the general public to boost subscribers to the Premium support service... In the past, I have seen an increase in exploit activity on the eve of a major American holiday. It seems admins like to enjoy a day off like everyone else, and the hackers know that come Monday morning, their late Sunday night efforts may go unnoticed. Will Red Hat make this rpm available before the weekend is upon us?

Seen on Linux Weekly News: http://lwn.net/2001/0906/security.php3

> Input validation problem with sendmail.
>
> An input validation error exists in versions of sendmail prior to 8.11.6 (or 8.12.0Beta19) which may be exploited by local users to obtain root access. See the August 23 Security Page for the initial report.
>
> This week's updates: Mandrake (August 31, 2001)
>
> Previous updates: Caldera (August 24, 2001), Conectiva (August 23, 2001), Debian (not vulnerable), Immunix (August 23, 2001), Slackware (August 27, 2001), SuSE (August 23, 2001)

There hasn't been any announcement on the Red Hat watch list yet. Isn't it time to make an announcement and let people know they should use the Rawhide RPMs for now? Or even better, release an update?

Leonard.

After updating to sendmail-8.11.6-1.7.0, I get these errors:

```
Sep 10 16:45:06 mail sendmail[16928]: f8AKj6h16928: tcpwrappers (polaris.pla.net.py, 216.250.196.10) rejection
Sep 10 16:45:06 mail sendmail[16928]: NOQUEUE: IDENT:uucp.net.py [216.250.196.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
```

and the mail server does not accept any mail at all. Where do I disable these extra security options?

Thanks
Oliver

Ok, isolated the problem to:

```
tcpwrappers (polaris.pla.net.py, 216.250.196.10) rejection
```

and thanks to http://groups.google.com/ the solution is to add a line to /etc/hosts.allow:

```
sendmail: ALL
```

Uff, in production again. :-)

I propose to add this info to the errata.

Oliver

All the referred articles state versions 8.10 and 8.11 vulnerable, but I haven't seen anybody claim 8.9.3 vulnerable. More like, ISTR, someone in Bugtraq claimed it's not vulnerable. But trying to find out now, I found _nothing_ relevant to 8.9.3 in the BugTraq archives (SF's new look doesn't help at all :/). Of course, changing to a new (minor) release is an unpleasant idea, with the nontrivial conf that we have and all. If it isn't vulnerable, I'd definitely like to forgo upgrading what works -- I have had enough experiences from the Microsoft world of how that's just a really bad idea. And I'm _not_ interested in possibly buggy new features. Does anybody know?
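Oliver's "tcpwrappers ... rejection" above and his fix of adding `sendmail: ALL` to /etc/hosts.allow follow the hosts_access(5) rules that the libwrap-enabled sendmail build consults: a (daemon, client) pair is accepted when it matches a rule in /etc/hosts.allow, rejected when it matches a rule in /etc/hosts.deny, and accepted when it matches neither. The shell functions below are an added example and are not code from this bug thread or from Red Hat's sendmail package. They evaluate a simplified form of those rules (ALL, exact hostname or IP, leading-dot domain suffix, trailing-dot network prefix; EXCEPT, netmask forms and the optional shell_command field are left out) against constructed hosts.allow/hosts.deny files, so the rejection can be reproduced before the `sendmail: ALL` line is added and seen to disappear after it. The file names, rule contents and the client host/IP in the demo are constructed for the example (the IP and hostname are the ones from Oliver's log lines).

```shell
#!/bin/sh
# Added example: simplified evaluation of tcp_wrappers hosts_access(5) rules.
# Not the libwrap implementation; it covers ALL, exact host/IP, ".domain"
# suffix and "1.2.3." prefix patterns only.

# match_pattern PATTERN HOSTNAME IP -> exit 0 if the client matches PATTERN
match_pattern() {
    pat=$1 host=$2 ip=$3
    case "$pat" in
        ALL) return 0 ;;
        .*)  case "$host" in *"$pat") return 0 ;; esac ;;   # domain suffix
        *.)  case "$ip"   in "$pat"*) return 0 ;; esac ;;   # network prefix
        *)   if [ "$pat" = "$host" ] || [ "$pat" = "$ip" ]; then return 0; fi ;;
    esac
    return 1
}

# file_matches FILE DAEMON HOSTNAME IP -> exit 0 if any "daemon_list : client_list"
# rule in FILE matches; a missing file matches nothing (as libwrap treats it)
file_matches() {
    file=$1 daemon=$2 host=$3 ip=$4
    [ -f "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                               # strip comments
        case "$line" in *:*) ;; *) continue ;; esac    # skip blank/malformed lines
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}                            # ignore optional shell_command
        dmatch=1
        for d in $(printf '%s' "$daemons" | tr ',' ' '); do
            if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then dmatch=0; break; fi
        done
        [ "$dmatch" -eq 0 ] || continue
        for c in $(printf '%s' "$clients" | tr ',' ' '); do
            match_pattern "$c" "$host" "$ip" && return 0
        done
    done < "$file"
    return 1
}

# hosts_access ALLOW_FILE DENY_FILE DAEMON HOSTNAME IP -> prints "allow" or "deny"
hosts_access() {
    if   file_matches "$1" "$3" "$4" "$5"; then echo allow
    elif file_matches "$2" "$3" "$4" "$5"; then echo deny
    else echo allow
    fi
}

# demo_sendmail_fix: constructed reproduction of the situation in the thread.
# Prints the verdict for the rejected client before and after adding the
# "sendmail: ALL" line; expected output is "deny allow".
demo_sendmail_fix() {
    tmp=$(mktemp -d)
    printf 'ALL: ALL\n'       > "$tmp/hosts.deny"    # constructed: default deny
    printf 'sshd: 10.0.0.\n'  > "$tmp/hosts.allow"   # constructed: sendmail not listed
    before=$(hosts_access "$tmp/hosts.allow" "$tmp/hosts.deny" \
                          sendmail polaris.pla.net.py 216.250.196.10)
    printf 'sendmail: ALL\n' >> "$tmp/hosts.allow"   # the fix Oliver reports
    after=$(hosts_access "$tmp/hosts.allow" "$tmp/hosts.deny" \
                         sendmail polaris.pla.net.py 216.250.196.10)
    rm -rf "$tmp"
    echo "$before $after"
}

demo_sendmail_fix
```

On a real host, check the wrapper decision with the `tcpdmatch` utility shipped with tcp_wrappers (for example `tcpdmatch sendmail 216.250.196.10`) rather than with this reimplementation. Note also what `sendmail: ALL` does and does not do: it only re-opens the wrapper layer so that connections reach the MTA again; who may relay through the server is still governed by sendmail's own access configuration, not by hosts.allow.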