Date: Thu, 09 Jan 1997 17:57:52 -0800
From: Cy Schubert <cy@cwsys.cwent.com>
To: freebsd-security@freebsd.org
Cc: cschuber@uumail.gov.bc.ca
Subject: Re: sendmail running non-root SUCCESS!
Message-ID: <199701100157.RAA00592@cwsys.cwent.com>
After the announcement of the latest Sendmail exposure earlier today, I've tested this out and it is quite doable, though my approach was a little different. Instead of having netcat listen to port 25 I used a copy of smap from the old TIS FWTK (prior to the current licensing restrictions). Sendmail's permissions were set to 4510 with ownership of root/sendmail. /usr/bin/mail's permissions became setgid sendmail.

The results are that no one can connect to port 25 and talk directly to sendmail. Local users cannot directly execute sendmail. Only specified MUAs can execute sendmail.

I see two exposures with this approach. First is that if someone manages to break an MUA with setgid sendmail permissions and get a setgid sendmail shell, one can use that to attempt an attack against sendmail itself. Though not perfect, any hacker would need to jump through one additional hoop prior to gaining root. The second exposure is that smap chroots to /var/spool/smap. A hacker could break smap and place a setuid-root shell in that directory, then login using a local account and use the just-created setuid-root shell.

Alternatively one could use Qmail, however, I haven't managed to get it to work with MH's slocal command. As far as I'm concerned that's a severe restriction.

Any thoughts?

Regards,

Cy Schubert                     Phone: (250)387-8437
UNIX Support                    OV/VM: BCSC02(CSCHUBER)
ITSD                            BITNET: CSCHUBER@BCSC02.BITNET
Internet: cschuber@uumail.gov.bc.ca
          cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."
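An added audit script (not from the post or from FreeBSD) that checks the privilege layout the message describes: sendmail at mode 4510 owned by root/sendmail, the approved MUA setgid sendmail, and the smap chroot free of setuid-root files, which is the second exposure the author raises. The /usr/sbin/sendmail path, and the use of the current user and group in place of root/sendmail for the constructed demo tree, are assumptions.

```shell
#!/bin/sh
# Audit the layout from the message (added example, not the post's own code):
#   sendmail    : mode exactly 4510, owner root, group sendmail
#   each MUA    : setgid sendmail and not setuid (e.g. /usr/bin/mail)
#   smap chroot : no setuid-root files left behind (the second exposure)
# Owner and group names are parameters so the checks can run on a constructed tree.

# Exit 0 when $1 is a regular file with mode 4510 owned by user $2, group $3.
check_sendmail() {
    [ -n "$(find "$1" -prune -type f -perm 4510 -user "$2" -group "$3" -print 2>/dev/null)" ]
}

# Exit 0 when $1 carries the setgid bit, belongs to group $2 and is not setuid.
check_mua() {
    [ -n "$(find "$1" -prune -type f -perm -2000 ! -perm -4000 -group "$2" -print 2>/dev/null)" ]
}

# Exit 0 when no file under $1 is setuid and owned by $2; list offenders otherwise.
check_chroot() {
    offenders=$(find "$1" -type f -perm -4000 -user "$2" -print 2>/dev/null)
    [ -z "$offenders" ] && return 0
    printf 'setuid file(s) owned by %s under %s:\n%s\n' "$2" "$1" "$offenders" >&2
    return 1
}

# Constructed demo tree: the current user/group stand in for root/sendmail
# (assumed /usr/sbin/sendmail path); a planted setuid shell trips the chroot check.
demo() {
    me=$(id -un); grp=$(id -gn); tree=$(mktemp -d)
    mkdir -p "$tree/usr/sbin" "$tree/usr/bin" "$tree/var/spool/smap"
    : > "$tree/usr/sbin/sendmail";  chmod 4510 "$tree/usr/sbin/sendmail"
    : > "$tree/usr/bin/mail";       chmod 2555 "$tree/usr/bin/mail"
    : > "$tree/var/spool/smap/sh";  chmod 4755 "$tree/var/spool/smap/sh"
    check_sendmail "$tree/usr/sbin/sendmail" "$me" "$grp" && echo "sendmail: ok"
    check_mua "$tree/usr/bin/mail" "$grp" && echo "mail: ok"
    check_chroot "$tree/var/spool/smap" "$me" || echo "chroot: FAIL"
    rm -rf "$tree"
}
demo
```

Run it against the real paths as root with `root` and `sendmail` as the owner and group arguments; the demo only exercises the checks on a throwaway tree.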