Date: Mon, 3 Mar 2003 13:43:29 -0800 (PST)
From: Jason Stone <jason-fbsd-security@shalott.net>
To: Chris Samaritoni <chris@tierra.net>
Cc: <security@freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:04.sendmail
Message-ID: <20030303132808.Q81383-100000@walter>
In-Reply-To: <20030303195720.GA85269@madman.celabo.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> > Question, I have some systems that don't run any sendmail daemons, but
> > local users that have scripts that run sendmail to send messages. I'm not
> > familiar with how running sendmail from the command line would differ, but
> > would this also be affected by this bug, in which case wouldn't this also
> > make it a local compromise as well? I'm just looking for clarification.
>
> Yes, upgrade.

Of course you should upgrade, but to answer your question more fully, I don't think that it's possible to gain root from the local exploit.

Now I'm not very familiar with sendmail (I've run only qmail for many years, as sendmail never stops getting hacked...), but when the user runs sendmail locally, I think that the sendmail process is the only process that runs, and that it reads the message and then either drops the message into the local clientmqueue for delivery by an already running root sendmail daemon, or else delivers it itself, immediately.

On a recently built -STABLE box, I see

hermione/home/jason-1005: ls -l /usr/libexec/sendmail/sendmail
-r-xr-sr-x  1 root  smmsp  582520 Feb  3 20:58 /usr/libexec/sendmail/sendmail

which leads me to believe that exploiting the daemon would give you group smmsp privileges and not root privileges. This would allow a malicious local user to potentially read the outgoing mail of other users in the clientmqueue, but not take over the machine.

Finally, if you are running an alternate mailer like qmail (which I cannot recommend highly enough), it's probably a good idea to "chmod 0 /usr/libexec/sendmail/sendmail", to prevent this local exploit. Even though it's not so bad in this case, users should never be able to execute code as another user/group.

 -Jason

--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
that he was insufficiently fondled when he was an infant.
	-- Ashley Montagu

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE+Y8yBswXMWWtptckRAjFYAKDISZThZPrldv28ECwjesZgdSk/DQCdE+Nf
GIPFe0crVvYDp3wLmaUvlq8=
=jz5U
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
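The reasoning in the message above turns on reading the set-id bits of the sendmail binary from `ls -l` output: a setgid-smmsp binary hands a local attacker group smmsp, a setuid-root one would hand them root, and `chmod 0` leaves no exploitable bits at all. The script below is an added example (not part of the original message or of FreeBSD) that parses a mode line of that form and reports what a local exploit of the binary would yield, and can audit real paths with `ls -ld`. The sample `ls -l` lines in the test are constructed to mirror the one quoted in the message; the hypothetical `/usr/bin/su` line is an assumption for illustration.

```sh
#!/bin/sh
# Added example: classify what a local exploit of a set-id binary would yield,
# based on the owner, group and set-id bits shown by `ls -l`.
#
# Input line format (as printed by ls -l / ls -ld):
#   -r-xr-sr-x  1 root  smmsp  582520 Feb  3 20:58 /usr/libexec/sendmail/sendmail
# Character 4 of the mode is the user-exec slot (s/S = setuid),
# character 7 is the group-exec slot (s/S = setgid).

# setid_yield LINE
# Prints one of: "setuid OWNER and setgid GROUP", "setuid OWNER",
# "setgid GROUP", or "none".
setid_yield() {
    # Split the ls line into fields (unquoted on purpose: field splitting).
    set -- $1
    mode=$1
    owner=$3
    group=$4

    uexec=$(printf '%s' "$mode" | cut -c4)
    gexec=$(printf '%s' "$mode" | cut -c7)

    setuid=0
    setgid=0
    case "$uexec" in s|S) setuid=1 ;; esac
    case "$gexec" in s|S) setgid=1 ;; esac

    if [ "$setuid" = 1 ] && [ "$setgid" = 1 ]; then
        printf 'setuid %s and setgid %s\n' "$owner" "$group"
    elif [ "$setuid" = 1 ]; then
        printf 'setuid %s\n' "$owner"
    elif [ "$setgid" = 1 ]; then
        printf 'setgid %s\n' "$group"
    else
        # Covers both an ordinary binary and one neutralised with chmod 0.
        printf 'none\n'
    fi
}

# setid_audit PATH
# Runs ls -ld on a real path and classifies it; prints "missing" if absent.
setid_audit() {
    if [ ! -e "$1" ]; then
        printf 'missing\n'
        return 0
    fi
    setid_yield "$(ls -ld "$1")"
}

# Usage: sh audit_setid.sh /usr/libexec/sendmail/sendmail /usr/bin/su ...
for p in "$@"; do
    printf '%s: %s\n' "$p" "$(setid_audit "$p")"
done
```

Run it against the mailer binary after upgrading, and again after a `chmod 0`, to confirm the set-id exposure is gone; a binary that reports `setuid root` is the case where a local hole is a full root compromise rather than a group-smmsp one.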