Date:      Sun, 17 Nov 1996 12:58:53 +0100
From:      roberto@keltia.freenix.fr (Ollivier Robert)
To:        freebsd-security@FreeBSD.org, freebsd-hackers@FreeBSD.org
Subject:   Re: New sendmail bug...
Message-ID:  <Mutt.19961117125853.roberto@keltia.freenix.fr>
In-Reply-To: <Pine.NEB.3.95.961116235637.13141B-100000@quagmire.ki.net>; from Marc G. Fournier on Nov 16, 1996 23:57:40 -0500
References:  <Pine.LNX.3.92.961116165903.12931A-100000@super-g.inch.com> <Pine.NEB.3.95.961116235637.13141B-100000@quagmire.ki.net>

According to Marc G. Fournier:
> 	Please send details on 'sploit...would like to test on my Solaris
> 2.5.1 box as well...

The bug is fixed in FreeBSD 2.2, 2.1.6 and 3.0-CURRENT. Here is Allman's
fix that has been committed:

From: Eric Allman <eric@sendmail.org>
Subject: Re: [leshka@leshka.chuvashia.su: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).]
Date: Sat, 16 Nov 1996 07:15:08 -0800

Maybe I just haven't had enough coffee yet -- I can't reproduce the
problem (on BSD/OS 2.0.1).  Perhaps it is because I already have a
daemon running -- I just get "problem creating SMTP socket" logged
a few times.  It wouldn't have worked for me anyhow; I disallow
setuid binaries on my /tmp filesystem (always a good idea!).
However, I believe that _other_ people can reproduce this, and
that's good enough.

I'm going to take a couple of precautions (patch enclosed).  I would
appreciate it if as many as possible of you can give me the "before
and after" info on this, just to make sure I've patched it successfully.
As I say, since I can't reproduce it, I'm kind of stuck for a
verification.

Many thanks for forwarding this.

eric


------- main.c -------
*** -	Wed Dec 31 16:00:00 1969
--- main.c	Sat Nov 16 07:07:17 1996
***************
*** 493,507 ****
  			{
  			  case MD_DAEMON:
  			  case MD_FGDAEMON:
! # ifdef DAEMON
! 				if (RealUid != 0)
! 				{
! 					usrerr("Permission denied");
! 					exit(EX_USAGE);
! 				}
! 				vendor_daemon_setup(CurEnv);
! 				/* fall through ... */
! # else
  				usrerr("Daemon mode not implemented");
  				ExitStat = EX_USAGE;
  				break;
--- 493,499 ----
  			{
  			  case MD_DAEMON:
  			  case MD_FGDAEMON:
! # ifndef DAEMON
  				usrerr("Daemon mode not implemented");
  				ExitStat = EX_USAGE;
  				break;
***************
*** 899,904 ****
--- 891,904 ----
  		/* fall through ... */
  
  	  case MD_DAEMON:
+ 		/* check for permissions */
+ 		if (RealUid != 0)
+ 		{
+ 			usrerr("Permission denied");
+ 			exit(EX_USAGE);
+ 		}
+ 		vendor_daemon_setup(CurEnv);
+ 
  		/* remove things that don't make sense in daemon mode */
  		FullName = NULL;
  		GrabTo = FALSE;
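Review bot: the relocated check tests `RealUid`, the real uid, which is the right field for a setuid-root binary since the effective uid is 0 regardless of who invoked it; `MD_FGDAEMON` reaches this case through the `/* fall through ... */` just above, so both daemon modes are covered. One inconsistency worth a comment: the `# ifndef DAEMON` branch in the earlier hunk sets `ExitStat = EX_USAGE` and breaks, whereas this one calls `exit(EX_USAGE)` immediately after `usrerr("Permission denied")`; exiting on the spot is the safer choice for a permission failure, so the difference is intentional, but a one-line comment saying why would help the next reader.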
***************
*** 1932,1937 ****
--- 1932,1946 ----
  		syslog(LOG_INFO, "restarting %s on signal", SaveArgv[0]);
  #endif
  	releasesignal(SIGHUP);
+ 	if (setuid(RealUid) < 0 || setgid(RealGid) < 0)
+ 	{
+ #ifdef LOG
+ 		if (LogLevel > 0)
+ 			syslog(LOG_ALERT, "could not set[ug]id(%d, %d): %m",
+ 				RealUid, RealGid);
+ #endif
+ 		exit(EX_OSERR);
+ 	}
  	execv(SaveArgv[0], (ARGV_T) SaveArgv);
  #ifdef LOG
  	if (LogLevel > 0)
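Review bot: the privilege drop runs `setuid(RealUid)` before `setgid(RealGid)`; if this path is ever reached with a non-zero `RealUid`, root is given up by the first call and the group change then has to succeed without privilege, so reverse the order (`setgid(RealGid)` first, then `setuid(RealUid)`) as is conventional for dropping privileges. With the root-only check in the previous hunk, `RealUid` is 0 whenever the daemon restarts on SIGHUP, so both calls are effectively no-ops there and this is defence in depth for the `execv(SaveArgv[0], ...)` that follows; `SaveArgv[0]` is whatever argv[0] the invoker supplied, which is exactly why the re-exec must never run with more privilege than the real user. The `exit(EX_OSERR)` on failure is correct: falling through to the `execv` with a partially dropped identity would be worse than not restarting.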


-- 
Ollivier ROBERT    -=- The daemon is FREE! -=-    roberto@keltia.freenix.fr
  FreeBSD keltia.freenix.fr 3.0-CURRENT #28: Sun Nov 10 13:37:41 MET 1996



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Mutt.19961117125853.roberto>