The 'Security Digest' Archives (TM)

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #275 [Re: DANGER: UUCP *can* propagate the Worm] (1 message, 2252 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/275.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: ames!pyramid.pyramid.com!csg@ea.ecn.purdue.edu (Carl S. Gutekunst)
To: phage
Date: Fri 15:06:16 18/11/1988 EST
Subject: Re: DANGER: UUCP *can* propagate the Worm
References: [Thread Prev: 249] [Thread Next: 282] [Message Prev: 276] [Message Next: 277]

[This is a repost. None of my phage mail seems to be getting through.]

This is long, but Mel alludes to at least one more serious sendmail security
hole. So bear with me. There's a sendmail patch at the very end.

Mel Pleasant writes:
>Someone else pointed out a related problem with sendmail where
>a local user can take advantage of the sendmail hole. You probably
>want to remove all references to tTd(0, 1) in the sendmail sources.

(In other words, delete all tests for Debug Flag 0 being enabled. Sendmail has
100 debugging flags; the -d option or the SMTP debug command sets them all to
1. You can put arguments on the -d option to only enable certain flags.)

Or just restrict the "dangerous" debug functions to root. I think this may be
just as safe and certainly more friendly than completely restricting debugging
to root, as I suggested in my original article. And it will allow SysAdmins to
continue to use the old features.

Note that Flag 0 also controls some benign things: printing the host's canonical
name and all aliases, printing an interpreted list of mailers from the
configuration file, and printing the addresses of the argument vector table.
It also determines whether or not daemon mode (-bd) will put sendmail into the
background; I'm not sure how dangerous this is.

How's *that* for overloading of operators? :-(

>Its [tTd(0, 1)] occurrences allow sendmail to run programs, append directly
>to files (as recipients), or cause sendmail to include a list of names as
>a mailing list (:include:).

I admit to being less concerned about what local users could do than what an
outsider could do. Pipes are obviously useful both to outside crackers and to
inside tomfoolery, even if it only gives permission as user "daemon" and group
"other"; that's why I posted the patch to remove it in my original posting.

Mailing to files is less of a problem; the file has to be (practically) world
writable. But I agree, there's no reason for normal users to have this capability.
So it goes out, too.

The :include: mechanism seems harmless enough, and it *is* useful to users who
are maintaining mailing lists. (They can test out the list before giving it to
a system administrator to install.) Unfortunately, sendmail opens the include
file with root permissions, and displays it! (Yet another way to read any file
on the machine, folks.) Rather than remove this useful debugging facility, I
chose to fix it: I have the include() function check the file with access(2)
before opening it. This also introduces a new security feature: if a :include:
file has 600 permissions, then only the owner or root can mail through it.

My new patch for sendmail 5.59 follows, with the following changes:

- Mail to pipes and files is restricted to /usr/lib/aliases, .forward files,
  and root debugging;
 
- Check permissions before opening an :include: file.

You more paranoid types can remove the calls to !tTd(0, 1) instead.

<csg>
_______________________________________________________________________________

*** recipient.c.old	Sun Mar 13 21:31:54 1988
--- recipient.c	Mon Nov 14 12:19:52 1988
***************
*** 20,25
 
  # include <pwd.h>
  # include "sendmail.h"
  # include <sys/stat.h>
 
  /*

--- 20,26 -----
 
  # include <pwd.h>
  # include "sendmail.h"
+ # include <sys/file.h>
  # include <sys/stat.h>
 
  /*
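Review bot: The new `# include <sys/file.h>` exists only to supply the R_OK constant used by the access() call added in include() further down; a short comment on the include line would spare the next reader the search. POSIX places R_OK in <unistd.h> rather than <sys/file.h>, so ports to non-4BSD systems will need that header instead or as well.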
***************
*** 202,208
  	{
  		a->q_mailer = m = ProgMailer;
  		a->q_user++;
! 		if (a->q_alias == NULL && !tTd(0, 1) && !QueueRun && !ForceMail)
  		{
  			a->q_flags |= QDONTSEND|QBADADDR;
  			usrerr("Cannot mail directly to programs");

--- 203,210 -----
  	{
  		a->q_mailer = m = ProgMailer;
  		a->q_user++;
! 		if (a->q_alias == NULL && !(tTd(0, 1) && getruid() == 0)
! 		    && !QueueRun && !ForceMail)
  		{
  			a->q_flags |= QDONTSEND|QBADADDR;
  			usrerr("Cannot mail directly to programs");
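Review bot: The guard `!(tTd(0, 1) && getruid() == 0)` keys on the real uid, and in a daemon that root started at boot the real uid is 0, so a remote client that can still issue the SMTP `debug` command (which, as the post notes, turns on every flag) falls into exactly the root-debugging case this condition lets through; the change is only sound if it is paired with removal of the SMTP debug command, or if the condition can also tell flags set on the command line from flags set over SMTP. Separately, getruid() is not a 4.3BSD or System V routine; getuid() returns the real uid portably, so unless getruid() is supplied locally this hunk will not link elsewhere.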
***************
*** 284,290
  		{
  			p = rindex(buf, '/');
  			/* check if writable or creatable */
! 			if (a->q_alias == NULL && !tTd(0, 1) && !QueueRun && !ForceMail)
  			{
  				a->q_flags |= QDONTSEND|QBADADDR;
  				usrerr("Cannot mail directly to files");

--- 286,293 -----
  		{
  			p = rindex(buf, '/');
  			/* check if writable or creatable */
! 			if (a->q_alias == NULL && !(tTd(0, 1) && getruid() == 0)
! 			    && !QueueRun && !ForceMail)
  			{
  				a->q_flags |= QDONTSEND|QBADADDR;
  				usrerr("Cannot mail directly to files");
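Review bot: This is the second copy of the `a->q_alias == NULL && !(tTd(0, 1) && getruid() == 0) && !QueueRun && !ForceMail` expression, and the root-started-daemon caveat from the program-mailer hunk applies here unchanged; a macro or small predicate in sendmail.h (a hypothetical `DEBUG_AS_ROOT`, say) would keep the two sites from drifting apart when one is tightened later. The comment `/* check if writable or creatable */` now sits above a test that has nothing to do with writability; it belongs with the code below that does that check.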
***************
*** 475,480
  	char *oldfilename = FileName;
  	int oldlinenumber = LineNumber;
 
  	fp = fopen(fname, "r");
  	if (fp == NULL)
  	{

--- 478,488 -----
  	char *oldfilename = FileName;
  	int oldlinenumber = LineNumber;
 
+ 	if (access(fname, R_OK))
+ 	{
+ 		usrerr("Cannot access %s", fname);
+ 		return;
+ 	}
  	fp = fopen(fname, "r");
  	if (fp == NULL)
  	{
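Review bot: `access(fname, R_OK)` followed by `fopen(fname, "r")` checks one path lookup and opens another; the name can be re-pointed (a symlink swap) between the two calls, so the file root ends up opening and displaying need not be the one access() approved. Judge the file that was actually opened instead: open it, fstat() the descriptor and compare st_uid and st_mode against the real uid, rather than pre-checking the path. Also note that when include() is reached inside the root-started daemon the real uid is 0 and access() grants everything, so this check protects only the locally invoked path; a :include: reached through a .forward in the daemon would need to be judged against the .forward owner's uid, not the process's real uid.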

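The :include: rule the post states (a 0600 include file may be used only by its owner or by root) can be enforced without the gap between checking a path and opening it, by deciding on the descriptor that was actually opened. The following is an added example, not code from the post or from sendmail; the function names are hypothetical, the list file it creates is constructed, and it uses POSIX calls (fstat, fdopen, O_NOFOLLOW) that sendmail 5.59 did not have. It shows the patch's racy shape beside the hardened one.

```c
/* Added example, not code from the post or from sendmail: the :include:
 * permission test done on the opened file instead of on the path.
 * Function names are hypothetical; the policy is the one the post states
 * (a 0600 include file may be used only by its owner or by root). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef O_NOFOLLOW          /* pre-POSIX.1-2008 systems: lose only the symlink refusal */
#define O_NOFOLLOW 0
#endif

/* The post's rule, decided from an fstat() of a descriptor we already hold:
 * root always; the owner if the owner-read bit is set; the file's group if
 * the group-read bit is set; anyone else only if the file is world-readable. */
int include_permitted(const struct stat *st, uid_t ruid, gid_t rgid)
{
    if (!S_ISREG(st->st_mode))         /* no devices, FIFOs or directories */
        return 0;
    if (ruid == 0)
        return 1;
    if (st->st_uid == ruid)
        return (st->st_mode & S_IRUSR) != 0;
    if (st->st_gid == rgid)
        return (st->st_mode & S_IRGRP) != 0;
    return (st->st_mode & S_IROTH) != 0;
}

/* The shape of the patch: test the path, then open the path. Between the two
 * calls the name can be re-pointed at a different file, so the object that
 * access() approved need not be the one fopen() returns. */
FILE *open_include_racy(const char *fname)
{
    if (access(fname, R_OK) != 0)
        return NULL;
    return fopen(fname, "r");
}

/* Hardened shape: open first (refusing symlinks), then judge the inode that
 * was actually opened. There is no window in which the answer can change. */
FILE *open_include_checked(const char *fname, uid_t ruid, gid_t rgid)
{
    int fd = open(fname, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return NULL;
    struct stat st;
    if (fstat(fd, &st) != 0 || !include_permitted(&st, ruid, rgid)) {
        close(fd);
        errno = EACCES;
        return NULL;
    }
    return fdopen(fd, "r");
}

/* Demo helper: write a constructed two-member list file with mode 0600 and
 * return its path in `path` (a buffer of at least 32 bytes). */
int make_private_include(char *path, size_t len)
{
    if (len < 32)
        return -1;
    strcpy(path, "/tmp/include-XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    const char *members = "alice\nbob\n";      /* constructed list contents */
    if (write(fd, members, strlen(members)) < 0 || fchmod(fd, 0600) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    return 0;
}

int main(void)
{
    char path[64];
    if (make_private_include(path, sizeof path) != 0)
        return 1;
    FILE *fp = open_include_checked(path, getuid(), getgid());
    printf("owner:      %s\n", fp ? "permitted" : "refused");
    if (fp) fclose(fp);
    fp = open_include_checked(path, getuid() + 1, getgid() + 1);
    printf("other user: %s\n", fp ? "permitted" : "refused");
    if (fp) fclose(fp);
    unlink(path);
    return 0;
}
```

In sendmail's include() the uid handed to open_include_checked would be the real uid for a locally invoked sendmail, as in the patch; for a :include: reached through a .forward inside the root-started daemon, the uid to pass is the .forward owner's, since the process's own real uid is 0 there and would permit everything.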
END OF DOCUMENT