From owner-freebsd-security Thu Jan 9 17:58:03 1997
Message-Id: <199701100157.RAA00592@cwsys.cwent.com>
Reply-to: cschuber@uumail.gov.bc.ca
To: freebsd-security@freebsd.org
cc: cschuber@uumail.gov.bc.ca
Subject: Re: sendmail running non-root SUCCESS!
Date: Thu, 09 Jan 1997 17:57:52 -0800
From: Cy Schubert

After the announcement of the latest Sendmail exposure earlier today, I've tested this out and it is quite doable, though my approach was a little different. Instead of having netcat listen to port 25 I used a copy of smap from the old TIS FWTK (prior to the current licensing restrictions). Sendmail's permissions were set to 4510 with ownership of root/sendmail. /usr/bin/mail's permissions became setgid sendmail.

The results are that no one can connect to port 25 and talk directly to sendmail. Local users cannot directly execute sendmail. Only specified MUAs can execute sendmail.

I see two exposures with this approach. First is that if someone manages to break an MUA with setgid sendmail permissions and get a setgid sendmail shell, one can use that to attempt an attack against sendmail itself. Though not perfect, any hacker would need to jump through one additional hoop prior to gaining root. The second exposure is that smap chroots to /var/spool/smap. A hacker could break smap and place a setuid-root shell in that directory, then login using a local account and use the just-created setuid-root shell.

Alternatively one could use Qmail; however, I haven't managed to get it to work with MH's slocal command. As far as I'm concerned that's a severe restriction.

Any thoughts?

Regards,                        Phone:    (250)387-8437
Cy Schubert                     OV/VM:    BCSC02(CSCHUBER)
UNIX Support                    BITNET:   CSCHUBER@BCSC02.BITNET
ITSD                            Internet: cschuber@uumail.gov.bc.ca
                                          cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."
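An added audit script (not from the post above, nor part of sendmail or smap) that checks the layout the message describes and watches for the second exposure it names: sendmail at mode 4510 owned root:sendmail, the MUA setgid sendmail, and no setuid-root files inside the smap chroot. The sendmail path /usr/sbin/sendmail is assumed; /usr/bin/mail, the group name "sendmail" and /var/spool/smap come from the post.

```shell
#!/bin/sh
# Added audit helper, not part of the original message or of sendmail/smap.
# Uses only find(1) primaries shared by BSD and GNU find, so it runs on either.

# exact_mode FILE MODE USER GROUP: succeed only if all four match exactly
# (e.g. 4510 root sendmail, as set in the post).
exact_mode() {
    [ -n "$(find "$1" -maxdepth 0 -type f -perm "$2" -user "$3" -group "$4" 2>/dev/null)" ]
}

# setgid_group FILE GROUP: succeed if FILE carries the setgid bit and that group,
# which is all the post requires of the permitted MUA.
setgid_group() {
    [ -n "$(find "$1" -maxdepth 0 -type f -perm -2000 -group "$2" 2>/dev/null)" ]
}

# count_setuid DIR USER: print how many setuid files owned by USER live under DIR.
# Anything non-zero inside the smap chroot is the sign the post warns about.
count_setuid() {
    find "$1" -type f -perm -4000 -user "$2" 2>/dev/null | wc -l | tr -d ' '
}

# audit_host: run the three checks against the paths from the post
# (/usr/sbin/sendmail is an assumed location); return 1 on any finding.
audit_host() {
    rc=0
    exact_mode /usr/sbin/sendmail 4510 root sendmail \
        || { echo "sendmail is not mode 4510 owned root:sendmail"; rc=1; }
    setgid_group /usr/bin/mail sendmail \
        || { echo "/usr/bin/mail is not setgid sendmail"; rc=1; }
    n=$(count_setuid /var/spool/smap root)
    [ "$n" -eq 0 ] || { echo "$n setuid-root file(s) inside /var/spool/smap"; rc=1; }
    return $rc
}

# Run the audit only when asked, so sourcing the file just defines the functions.
if [ "${1-}" = "--audit" ]; then audit_host; fi
```

Run it as `sh audit.sh --audit` from cron; a non-zero exit or any printed line means the layout has drifted from what the post describes.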