Re: Sendmail 8.x.x - any user may rebuild aliases database

[sendmail+gshapiro () SENDMAIL ORG (Gregory Neil Shapiro)]

-----BEGIN PGP SIGNED MESSAGE-----

lcamtuf> Sendmail up to recent 8.9.x versions - any user may pass -bi
lcamtuf> parameter to /usr/sbin/sendmail. This will result in aliases
lcamtuf> database rebuild. IMHO there's no reason to allow such things, but
lcamtuf> no matter - something rather stupid is done during rebuild:

lcamtuf> 5366  open("/etc/aliases.db", O_RDWR|O_TRUNC) = 6

lcamtuf> What a bad luck! There's approx 0.1 sec delay due to /etc/aliases
lcamtuf> processing (on my system). Meantime, luser might deliver any
lcamtuf> signals to sendmail process... SIGKILL is quite good. After that,
lcamtuf> /etc/aliases.db will be left in unusable state (no EOF marker),
lcamtuf> causing DoS:

Thank you for bringing this to our attention.  We have limited the
newaliases command to root and trusted users for 8.10.0.Beta7.  We have
also deprecated the AutoRebuildAliases option since if set, a similar
attack may be possible.  We intend to remove the AutoRebuildAliases
functionality in a future version.

I've included a patch against sendmail 8.9.3 for those who want to protect
against this denial of service attack.

As always, we encourage mailing bug reports, including documentation or
release notes bugs, to release notes bugs, to sendmail-bugs () sendmail org.  Security issues can be
mailed to sendmail-security () sendmail org and encrypted with the
sendmail-security () sendmail org PGP key:

Type Bits KeyID      Created    Expires    Algorithm       Use
pub  1024 0x16F4CCE9 1999-06-23 ---------- RSA             Sign & Encrypt
uid  Sendmail Security <sendmail-security () sendmail org>

The sendmail 8.9.3 patch:

- --- main.c~orig       Sat Jan  9 15:31:13 1999
+++ main.c      Wed Nov 17 19:04:44 1999
@@ -984,6 +984,18 @@
                 usrerr("Permission denied");
                 finis(FALSE, EX_USAGE);
         }
+       if (OpMode == MD_INITALIAS &&
+           RealUid != 0 &&
+           RealUid != TrustedUid &&
+           !wordinclass(RealUserName, 't'))
+       {
+               if (LogLevel > 1)
+                       sm_syslog(LOG_ALERT, NOQID,
+                                 "user %d attempted to rebuild the alias map",
+                                 RealUid);
+               usrerr("Permission denied");
+               finis(FALSE, EX_USAGE);
+       }

         if (MeToo)
                 BlankEnvelope.e_flags |= EF_METOO;

Note that PGP signing this message changes the first line of the patch by
adding a "- " before the "---".  Remove the added "- " before trying to
apply the patch.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0 for non-commercial use
Comment: Processed by Mailcrypt 3.5.4, an Emacs/PGP interface
Charset: noconv

iQCVAwUBODpGtsApykAW9MzpAQHsnwQAgN/vqojM5DgDdJ/Z3+Qs0JunGqIDWlCh
ML3+sXam38ZFA+/JgTYM4d1ZSxj+y7LmcN8Z1aLV0r6Ix9Ywkp83Akh9D0zs7sZR
15EbyuHhM2Q+MkPeGMtjhj4E9ptP2EjbqumbOWW+zojn+blWqf0GMjoulXDpk1O3
hTSlXU7zYDM=
=WDU8
-----END PGP SIGNATURE-----