Bugtraq mailing list archives
Sendmail up to 8.9.1 - mail.local instroduces new class of bugs
From: lcamtuf () IDS PL (Michal Zalewski)
Date: Thu, 9 Jul 1998 19:31:52 +0200
Local, setuid mail delivery program included in recent packages - mail.local - introduces new class of local bugs, from DoS attacks to security compromises. For example, it creates unique temporary file in /tmp at UID 0 (no comments), opens and unlinks it. Then blindly writes every line read from fd 0 to this file. So, to eat whole disk space, ignoring sendmail.cf settings (because mail.local won't parse it at all), attacker should run mail.local, caught tmp file creation, hard-link it to /tmp/other_file, then redirect a lot of text junk to it's fd 0. But that's not all. Using 'mail.local -f sender recipient', local users are able to put **anything** to mailboxes of other users. This cute program simply allows creating and writing to files /var/mail with virtually no restrictions. Aliases are not expanded, so attacker can even *create* and fill with hundred megabytes of junk mailboxes for accounts like 'nobody'. It won't even put basical auth information, except 'From xxx' line at the beginning... But it can be altered with '-f' switch :-0 Arbitrary headers are allowed, opening potential security compromises with dumb mail clients. Additionally, by providing specific data as 'sender', mailbox may be left in unusable state - eg. pine won't open it, saying it's 'Not in mailbox format'. Fix: It's stupid to make any part of sendmail package setuid. It's really possible to make sendmail work with no setuid nor setgid, by arranging proper communication with sendmail daemon, if running. Also, I suggest to be at least careful with new features of recent Sendmail version :-) _______________________________________________________________________ Michal Zalewski [lcamtuf () boss staszic waw pl] <= finger for pub PGP key Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch] [echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]
Current thread:
- Re: Object tag crashes Internet Explorer 4.0 Paul Leach (Aug 04)
- linux kernel patch - suid procs exec'd with bad 0,1,2 fds Zachary Amsden (Aug 04)
- Re: Object tag crashes Internet Explorer 4.0 Kragen (Aug 04)
- Re: Object tag crashes Internet Explorer 4.0 Pavel Kankovsky (Aug 05)
- Re: Object tag crashes Internet Explorer 4.0 David Damerell (Aug 06)
- Sendmail up to 8.9.1 - mail.local instroduces new class of bugs Michal Zalewski (Jul 09)
- Re: Sendmail up to 8.9.1 - mail.local instroduces new class of Jeremiah Rothschild (Aug 10)
- Re: Sendmail up to 8.9.1 - mail.local instroduces new class of Scott Stone (Aug 10)
- Network Associates Inc. Advisory (OpenBSD) Security Research Labs (Aug 10)
- Sendmail up to 8.9.1 - mail.local instroduces new class of bugs Michal Zalewski (Jul 09)
- Re: Object tag crashes Internet Explorer 4.0 Alan Cox (Aug 07)
- Description of the Eudora Security Hole Aleph One (Aug 07)
- resend Steve Bellovin (Aug 06)
- Re: resend Casper Dik (Aug 07)
- <Possible follow-ups>
- Re: Object tag crashes Internet Explorer 4.0 Paul Leach (Aug 04)
- Re: Object tag crashes Internet Explorer 4.0 Joe (Aug 05)
- Re: Object tag crashes Internet Explorer 4.0 Paul Leach (Aug 06)