From owner-freebsd-security Sun Nov 17 04:09:10 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id EAA16038 for security-outgoing; Sun, 17 Nov 1996 04:09:10 -0800 (PST)
Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.fr [193.56.58.253]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id EAA16018; Sun, 17 Nov 1996 04:09:04 -0800 (PST)
Received: from brasil.brainstorm.eu.org (brasil.brainstorm.fr [193.56.58.33]) by mexico.brainstorm.eu.org (8.7.5/8.7.3) with ESMTP id NAA12639; Sun, 17 Nov 1996 13:08:58 +0100
Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.6.12/8.6.12) with UUCP id NAA31352; Sun, 17 Nov 1996 13:08:24 +0100
Received: (from roberto@localhost) by keltia.freenix.fr (8.8.2/keltia-uucp-2.9) id MAA18803; Sun, 17 Nov 1996 12:58:53 +0100 (MET)
Message-ID:
Date: Sun, 17 Nov 1996 12:58:53 +0100
From: roberto@keltia.freenix.fr (Ollivier Robert)
To: freebsd-security@FreeBSD.org, freebsd-hackers@FreeBSD.org
Subject: Re: New sendmail bug...
References:
X-Mailer: Mutt 0.50.05
Mime-Version: 1.0
X-Operating-System: FreeBSD 3.0-CURRENT ctm#2686
In-Reply-To: ; from Marc G. Fournier on Nov 16, 1996 23:57:40 -0500
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

According to Marc G. Fournier:
> Please send details on 'sploit...would like to test on my Solaris
> 2.5.1 box as well...

The bug is fixed in FreeBSD 2.2, 2.1.6 and 3.0-CURRENT. Here is Allman's fix that has been committed:

From: Eric Allman
Subject: Re: [leshka@leshka.chuvashia.su: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).]
Date: Sat, 16 Nov 1996 07:15:08 -0800

Maybe I just haven't had enough coffee yet -- I can't reproduce the problem (on BSD/OS 2.0.1). Perhaps it is because I already have a daemon running -- I just get "problem creating SMTP socket" logged a few times. It wouldn't have worked for me anyhow; I disallow setuid binaries on my /tmp filesystem (always a good idea!).
However, I believe that _other_ people can reproduce this, and that's good enough. I'm going to take a couple of precautions (patch enclosed). I would appreciate it if as many as possible of you can give me the "before and after" info on this, just to make sure I've patched it successfully. As I say, since I can't reproduce it, I'm kind of stuck for a verification.

Many thanks for forwarding this.

eric

------- main.c ------- *** - Wed Dec 31 16:00:00 1969 --- main.c Sat Nov 16 07:07:17 1996 *************** *** 493,507 **** { case MD_DAEMON: case MD_FGDAEMON: ! # ifdef DAEMON ! if (RealUid != 0) ! { ! usrerr("Permission denied"); ! exit(EX_USAGE); ! } ! vendor_daemon_setup(CurEnv); ! /* fall through ... */ ! # else usrerr("Daemon mode not implemented"); ExitStat = EX_USAGE; break; --- 493,499 ---- { case MD_DAEMON: case MD_FGDAEMON: ! # ifndef DAEMON usrerr("Daemon mode not implemented"); ExitStat = EX_USAGE; break; *************** *** 899,904 **** --- 891,904 ---- /* fall through ... */ case MD_DAEMON: + /* check for permissions */ + if (RealUid != 0) + { + usrerr("Permission denied"); + exit(EX_USAGE); + } + vendor_daemon_setup(CurEnv); + /* remove things that don't make sense in daemon mode */ FullName = NULL; GrabTo = FALSE; *************** *** 1932,1937 **** --- 1932,1946 ---- syslog(LOG_INFO, "restarting %s on signal", SaveArgv[0]); #endif releasesignal(SIGHUP); + if (setuid(RealUid) < 0 || setgid(RealGid) < 0) + { + #ifdef LOG + if (LogLevel > 0) + syslog(LOG_ALERT, "could not set[ug]id(%d, %d): %m", + RealUid, RealGid); + #endif + exit(EX_OSERR); + } execv(SaveArgv[0], (ARGV_T) SaveArgv); #ifdef LOG if (LogLevel > 0)

-- 
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #28: Sun Nov 10 13:37:41 MET 1996
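Review bot: in the first hunk (main.c 493,507) the `RealUid != 0` check and the `vendor_daemon_setup(CurEnv)` call are taken out of this switch, so with DAEMON defined the MD_DAEMON/MD_FGDAEMON case now does nothing here and depends entirely on the later switch to perform the check; this hunk is only safe when applied together with the second one, and a one-line comment at the `# ifndef DAEMON` line saying the permission check now lives in the daemon-mode switch would save the next reader from assuming it was dropped.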
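Review bot: in the second hunk (main.c 899,904) the permission check is re-introduced roughly 400 lines after its old position, so whatever main() does between the two switches now runs before RealUid is examined; confirm that nothing in that gap acts on the daemon-mode request with root privileges. The `exit(EX_USAGE)` here also differs from the `ExitStat = EX_USAGE; break;` pattern the `# ifndef DAEMON` branch uses; the immediate exit is the safer choice for a refused privilege check, but a comment stating that intent would keep a future cleanup from "harmonising" it into a `break`.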
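Review bot: in the third hunk (main.c 1932,1937) the order of the two calls should be swapped to `setgid(RealGid)` before `setuid(RealUid)`: once setuid() has relinquished root, a following setgid() may be refused on some systems, and the new error path would then `exit(EX_OSERR)` on a restart that ought to have succeeded. Consider also dropping supplementary groups with setgroups() before the execv(), and casting RealUid/RealGid to int in the syslog() call, since `%d` assumes uid_t and gid_t are int-sized. Dropping to the real ids before re-executing `SaveArgv[0]` is the right defensive step, as the restart path otherwise runs whatever SaveArgv[0] names with the privileges sendmail still holds.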