From: Jason Stone
Date: Mon, 3 Mar 2003 13:43:29 -0800 (PST)
To: Chris Samaritoni
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:04.sendmail
In-Reply-To: <20030303195720.GA85269@madman.celabo.org>
Message-ID: <20030303132808.Q81383-100000@walter>

> > Question, I have some systems that don't run any sendmail daemons, but
> > local users that have scripts that run sendmail to send messages. I'm not
> > familiar with how running sendmail from the command line would differ, but
> > would this also be affected by this bug, in which case wouldn't this also
> > make it a local compromise as well? I'm just looking for clarification.
>
> Yes, upgrade.

Of course you should upgrade, but to answer your question more fully, I
don't think that it's possible to gain root from the local exploit.
Now I'm not very familiar with sendmail (I've run only qmail for many years,
as sendmail never stops getting hacked...), but when the user runs sendmail
locally, I think that the sendmail process is the only process that runs, and
that it reads the message and then either drops the message into the local
clientmqueue for delivery by an already running root sendmail daemon, or else
delivers it itself, immediately.

On a recently built -STABLE box, I see

    hermione/home/jason-1005: ls -l /usr/libexec/sendmail/sendmail
    -r-xr-sr-x 1 root smmsp 582520 Feb 3 20:58 /usr/libexec/sendmail/sendmail

which leads me to believe that exploiting the daemon would give you group
smmsp privileges and not root privileges. This would allow a malicious local
user to potentially read the outgoing mail of other users in the clientmqueue,
but not take over the machine.

Finally, if you are running an alternate mailer like qmail (which I cannot
recommend highly enough), it's probably a good idea to
"chmod 0 /usr/libexec/sendmail/sendmail", to prevent this local exploit. Even
though it's not so bad in this case, users should never be able to execute
code as another user/group.

 -Jason

--------------------------------------------------------------------------
 Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
 that he was insufficiently fondled when he was an infant.
        -- Ashley Montagu
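As an added example (not part of Jason's post), a small POSIX shell check that reads the mode, owner and group columns of an `ls -l` line like the one quoted above and reports what a local user would run the mailer as: setuid to its owner, setgid to its group only, or nothing at all once "chmod 0" has been applied. The default path /usr/libexec/sendmail/sendmail is assumed from the post.

```shell
# classify_mode: $1 is one full `ls -l` (or `ls -ld`) line, for example
#   "-r-xr-sr-x 1 root smmsp 582520 Feb 3 20:58 /usr/libexec/sendmail/sendmail"
# Prints one of: disabled, setuid-<owner>, setgid-<group>, plain
classify_mode() {
    set -- $1
    # keep only the 10 mode characters; some ls builds append "+" or "." for ACLs
    mode=$(printf '%s' "$1" | cut -c1-10)
    owner=$3
    group=$4
    if [ "$mode" = "----------" ]; then
        # "chmod 0" applied: no one but root can execute it
        echo disabled
        return 0
    fi
    uexec=$(printf '%s' "$mode" | cut -c4)   # user exec slot: x, s or S
    gexec=$(printf '%s' "$mode" | cut -c7)   # group exec slot: x, s or S
    if [ "$uexec" = s ] || [ "$uexec" = S ]; then
        # setuid: a local exploit runs as the file owner (root here)
        echo "setuid-$owner"
    elif [ "$gexec" = s ] || [ "$gexec" = S ]; then
        # setgid only: limited to that group's files (e.g. the clientmqueue)
        echo "setgid-$group"
    else
        echo plain
    fi
}

# audit_mailer: classify a path on the live system (default from the post);
# prints "missing" when the file is not present.
audit_mailer() {
    path=${1:-/usr/libexec/sendmail/sendmail}
    [ -e "$path" ] || { echo missing; return 0; }
    classify_mode "$(ls -ld "$path")"
}
```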