Bugtraq mailing list archives
PMDF sendmail vulnerability
From: jrozes () GUMBO TCS TUFTS EDU (Jonathan Rozes)
Date: Fri, 23 May 1997 15:20:02 -0400
Hi--

I've only tested this on PMDF 5.1-7 under Digital Unix 4.0B, though I presume it works under other flavors of Unix...

Caveat: While the name of the program is 'sendmail' it has no relation to standard UCB sendmail.

Synopsis: The sendmail-alike utility included with the latest version of PMDF has a vulnerability that allows any local user to overwrite any file owned by the pmdf account. This can be blatantly exploited to trash the mail system, or more subtly to induce a trojan horse or get around user quota restrictions.

Detail: The sendmail program can be put into a debug mode by setting the environment variable PMDF_SENDMAIL_DEBUG. In this mode, sendmail creates two output files, /tmp/pmdf_sendmail.debug, which contains the command line you ran, and /tmp/pmdf_sendmail.msg, which contains the message you gave to sendmail. As you might have guessed, sendmail doesn't check for symlinks before writing to the files, and thus will happily overwrite any file owned by the pmdf user (PMDF sendmail is setuid to the pmdf account). Fortunately, pointing one of the debug files to a setuid binary ends up clearing the setuid bit, so you can't gain privileges that way. You can do other kinds of nasty stuff though, by simply replacing one of the PMDF binaries with a program of your own choosing (the pmdf_sendmail.msg file is whatever you give to sendmail; it isn't modified in any way).

I've notified Innosoft of this and expect a fix Real Soon Now. Alternatively, you can su to the pmdf account and 'touch' the two output files to prevent anybody else from symlinking them.

And for kicks, a few other PMDF gotchas: if the installer needs to create a top level installation and/or state directory, it will leave them world writable. It will also chown the /pmdf/www directory to UID 30 instead of the pmdf user (they use UID 30 for pmdf in the example, but never state that it is required or assumed to be such). Innosoft will have a fix for these RSN as well.
Cheers,
jonathan

--
+++ Jonathan Rozes, Unix Systems Administrator, Tufts University
 ++ jrozes () tcs tufts edu, http://rozes.tcs.tufts.edu/
  + Remember, there's a difference between kneeling down and bending over --FZ
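The symlink-following debug write described in the post, as an added example that is not PMDF's or the poster's code: a C program with the vulnerable fixed-path writer (open(2) on a predictable name with no O_EXCL/O_NOFOLLOW), a hardened writer that refuses pre-existing paths and symlinks and then verifies the opened object with fstat(2), and a demo that plants a symlink in a scratch directory and runs both writers through it. The file names (a `victim` stand-in for a pmdf-owned file, `pmdf_sendmail.msg` under a mkdtemp(3) directory) and all function names are assumptions made for the example.

```c
/* Added example, not PMDF's code. Shows the fixed-path debug write that
 * follows a planted symlink, a hardened writer, and a demo in a scratch
 * directory. All file and function names are hypothetical. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static int write_all(int fd, const char *data) {
    size_t len = strlen(data);
    ssize_t n = write(fd, data, len);
    close(fd);
    return (n >= 0 && (size_t)n == len) ? 0 : -1;
}

/* Unsafe: predictable name in a world-writable directory, opened without
 * O_EXCL or O_NOFOLLOW. A symlink pre-planted at `path` redirects the write
 * to its target, with the privileges of the (setuid) caller. 0 on success. */
int write_debug_unsafe(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    return fd < 0 ? -1 : write_all(fd, data);
}

/* Hardened: O_CREAT|O_EXCL fails if anything (symlink included) already
 * exists at `path`; O_NOFOLLOW covers the remaining race; fstat(2) then
 * confirms a regular file with a single link. -1 if refused or failed. */
int write_debug_safe(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return write_all(fd, data);
}

/* Read a small file into buf as a C string; bytes read, or -1. */
static ssize_t read_small(const char *path, char *buf, size_t cap) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Demo in `workdir`: victim stands in for a pmdf-owned file, and the
 * "attacker" plants workdir/pmdf_sendmail.msg -> victim. Returns a bitmask:
 * bit 0 = unsafe writer clobbered victim, bit 1 = safe writer refused and
 * victim survived. -1 on setup failure. */
int run_demo(const char *workdir) {
    char victim[4096], planted[4096], buf[64];
    int result = 0;
    snprintf(victim, sizeof victim, "%s/victim", workdir);
    snprintf(planted, sizeof planted, "%s/pmdf_sendmail.msg", workdir);
    if (write_debug_unsafe(victim, "original") != 0) return -1;
    unlink(planted);
    if (symlink(victim, planted) != 0) return -1;

    write_debug_unsafe(planted, "attacker payload");   /* goes through the link */
    if (read_small(victim, buf, sizeof buf) > 0 && strcmp(buf, "attacker payload") == 0)
        result |= 1;

    write_debug_unsafe(victim, "original");            /* reset the target */
    if (write_debug_safe(planted, "attacker payload") == -1 &&
        read_small(victim, buf, sizeof buf) > 0 && strcmp(buf, "original") == 0)
        result |= 2;

    unlink(planted);
    unlink(victim);
    return result;
}

/* Run the demo in a fresh mkdtemp(3) directory and clean up. */
int run_demo_in_tmpdir(void) {
    char tmpl[] = "/tmp/pmdf_demo.XXXXXX";
    if (mkdtemp(tmpl) == NULL) return -1;
    int r = run_demo(tmpl);
    rmdir(tmpl);
    return r;
}

int main(void) {
    int r = run_demo_in_tmpdir();
    printf("unsafe writer followed the planted symlink: %s\n", (r & 1) ? "yes" : "no");
    printf("hardened writer refused it, target intact:  %s\n", (r & 2) ? "yes" : "no");
    return r == 3 ? 0 : 1;
}
```

Note that the O_EXCL open in the hardened writer would also fail against the poster's interim workaround of pre-creating the two files as pmdf, so a vendor fix along these lines needs either an unpredictable per-process name (mkstemp(3)) or a directory that only the pmdf account can write to, rather than fixed names in /tmp.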