Bugtraq mailing list archives

Re: new sendmail bug?


From: mvn () Library UCLA EDU (Michael Van Norman)
Date: Thu, 23 Feb 1995 21:30:19 -0800 (PST)


A number of people have asked for details on how to exploit one aspect
of the recently revealed sendmail bug.  The short answer is that I do
not feel comfortable sending out a cookbook type approach to the net
at large.  The longer answer is that I don't think that cookbook
approaches equal full disclosure.  In my previous mail I indicated
that newlines in the recipient address could be used to write "extra"
lines to the sendmail queue file.  This level of detail to me is
almost (if not actually) equivalent to full disclosure.  The clue is
enough to indicate the nature of the attack.  Combined with a little
investigation into the structure of a sendmail queue file, it is
enough information to understand what is taking place (and to
construct an exploit script if one is so inclined).

I agree that CERT-type messages are woefully inadequate.  Saying
"sendmail has a hole, patch it" is a far cry from the information
necessary to understand what is wrong.  Without knowing what is
actually going on, one cannot verify that something is fixed -- nor
does one learn anything from the experience (and may therefore proceed
to write code with the same problem, or fail to recognize a similar
exposure in some other area).  I would argue that simply providing an
exploit script is also a flawed approach.  First, the script may not
work on all platforms (the attack is slightly different between stock
AIX and sendmail 8.6.6 for instance).  This might lead one to have a
false sense of security.  Second, the script may or may not make clear
the reason for the exposure.  If I don't know why the script works,
then I am no better off than before.  On the other hand, a description
of the problem educates me to what is going on, gives me what I need
to analyze potential fixes, and gives me a reasonable start on
developing my own test if I need such a tool.  That said, let me
expand a bit on my admittedly terse description from yesterday.

When a message is queued for delivery by sendmail, a pair of files are
written to the spool directory (/var/spool/mqueue on many systems).
One of these files (qf<something>) contains information related to the
processing of the message (headers, sender, recipient, etc.).  Taking
versions of sendmail prior to 8.6.10 as an example, one of the pieces
of information maintained in this file is the name of the controlling
user if mail is being delivered to a script (or file).  By feeding
sendmail a recipient address that contains newlines, it is possible to
add lines to the queue file which specify a controlling user and an
executable to run with that user's access level.  The 8.6.10 patch
removes this hole, by stripping newlines from the recipient address
before writing the queue file.

-- 
Michael Van Norman
mvn () library ucla edu                  Library Information Systems/Development
+1.310.206.5579 (voice)                 University of California, Los Angeles
+1.310.206.2880 (facsimile)                 11334 University Research Library
http://www.library.ucla.edu/~mvn          Los Angeles, California  90095-1575
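The fix the post describes (strip line terminators from the recipient before the queue record is written) and the invariant it protects, as an added example: this is not sendmail's code, and the one-letter record code and line layout are a constructed placeholder, not the real qf format.

```c
/* Added illustration, not sendmail's code.  A line-oriented record store
 * like the qf file described above is only safe while no field value can
 * contain a line terminator.  Two defences: strip CR/LF from the address
 * before writing (what the post says 8.6.10 does) and, as defence in
 * depth, refuse to serialise any field that still contains one. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Remove every CR and LF from s in place; return how many were removed. */
size_t strip_line_terminators(char *s)
{
    size_t removed = 0;
    char *dst = s;
    for (const char *src = s; *src != '\0'; src++) {
        if (*src == '\n' || *src == '\r')
            removed++;
        else
            *dst++ = *src;
    }
    *dst = '\0';
    return removed;
}

/* Serialise one record "<code><value>\n" into out.  Return 0 on success,
 * -1 if value would break the one-record-per-line invariant or does not
 * fit.  The single-letter code is a placeholder, not sendmail's. */
int format_record(char code, const char *value, char *out, size_t outlen)
{
    if (strpbrk(value, "\r\n") != NULL)
        return -1;
    int n = snprintf(out, outlen, "%c%s\n", code, value);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Count records (newline-terminated lines) in a serialised buffer: the
 * check a reader can apply, since one field must yield exactly one record. */
size_t count_records(const char *buf)
{
    size_t n = 0;
    for (; *buf != '\0'; buf++)
        if (*buf == '\n')
            n++;
    return n;
}
```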
