Bugtraq mailing list archives

Re: sendmail exploit script


From: peter () gecko dialix oz au (Peter Wemm)
Date: Tue, 29 Mar 1994 00:05:54 +0800 (WST)


james w. abendschan writes:
:>                                                However.. on systems
:> with enhanced security, a process can *revoke* kernel permissions.  A
:> SCO unix system (for example) can volunteer to "give up" setuid exec()
:> privs and that will *probably* mean that you could get
:> /usr/lib/sendmail (unreadable, setuid) to core dump (as it's no longer
:> setuid).  Assuming this works, this would mean that a user could use
:> the "security" system on SCO unix to *obtain* *extra* information that
:> normal OS's dont give..  kinda like a security negative-enhancement.
:> Of course, I've not tested this, but I did write some code once that
:> had to deal with removing privs for a replacement login binary.  It's
:> probably possible on any system with SecureWare(TM) "enhancements".
:
:it would be worthwhile seeing this done..

Well, I tried it...  It behaved differently to what I expected - if
you disable execsuid, it does not run it without suid, but instead, it
won't run it at all.

Script started on Mon Mar 28 23:57:31 1994

peter@perth:[11:57pm]~-105> auths
Current system authorizations:
suspendaudit,execsuid,chmodsugid,chown

peter@perth:[11:57pm]~-106> /usr/lib/sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
peter@perth:[11:57pm]~-107> 
peter@perth:[11:57pm]~-107> auths -r execsuid -c sh
$ auths
Current system authorizations:
suspendaudit,chmodsugid,chown

$ /usr/lib/sendmail -bt
/usr/lib/sendmail: cannot execute
$ l /usr/lib/sendmail
lrwxrwxrwx   1 root     root          18 Nov 14 23:48 /usr/lib/sendmail -> /etc/mail/sendmail
$ l /etc/mail/sendmail
---s--s--x   1 root     mem       257152 Dec 09 21:32 /etc/mail/sendmail
$
peter@perth:[11:59pm]~-108> exit

script done on Mon Mar 28 23:59:20 1994

Thank you SecureWare for getting that one right!

I'd be interested to know how the others go with this.. by "others",
I'm referring to Sun's extensions, USL's SVR4.2 and SVR4.2ES/MP, OSF/1
and so on.

-Peter

-- 
Peter Wemm <peter () DIALix oz au> - NIC Handle: PW65 - The keeper of "NN"
      "My computer is better than your computer" - Anonymous
  (Overheard, shortly after the creation of the second computer....)
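Added example, not part of Peter Wemm's post or of SecureWare: the closest Linux analogue of the "auths -r execsuid" experiment above is prctl(PR_SET_NO_NEW_PRIVS), which lets a process irrevocably give up privilege gain through execve(2). The program below is illustrative code written for this page; the function names (revoke_suid_exec, suid_exec_revoked, dumpable_flag) are made up here, and the behaviour it comments on is the documented Linux behaviour (prctl(2), core(5)): the exec of a set-user-ID binary is NOT refused as on SecureWare, it simply runs with the caller's own credentials, and a binary the caller cannot read still comes up non-dumpable, so the core-dump trick James speculated about does not work on Linux either.

```c
/* Added example (not from the original post): Linux counterpart of
 * revoking the execsuid authorization. After PR_SET_NO_NEW_PRIVS the
 * set-user-ID/set-group-ID bits and file capabilities of anything this
 * process execs are ignored. Unlike SecureWare, the exec still succeeds.
 * If the executable is not readable by the caller, the kernel marks the
 * new image non-dumpable (see core(5)), so it cannot be dumped or
 * ptraced to recover its contents. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>

/* Irrevocably give up privilege gain via exec. Returns 0 on success,
 * -1 (errno set) on failure. There is no way to turn it back off. */
int revoke_suid_exec(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* 1 if no_new_privs is set for the caller, 0 if not, -1 on error. */
int suid_exec_revoked(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Dumpable flag of the caller: 0 = no core dump, not ptrace-able by
 * the owner; 1 = dumpable; 2 = dump readable by root only
 * (the fs.suid_dumpable setting). -1 on error. */
int dumpable_flag(void)
{
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* When run as the exec target, report what the new image ended up with. */
static void report(void)
{
    printf("uid=%u euid=%u gid=%u egid=%u no_new_privs=%d dumpable=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid(),
           suid_exec_revoked(), dumpable_flag());
}

int main(int argc, char **argv)
{
    if (argc == 2 && strcmp(argv[1], "--report") == 0) {
        report();
        return 0;
    }
    if (argc < 2) {
        fprintf(stderr, "usage: %s --report | %s <program> [args...]\n",
                argv[0], argv[0]);
        return 2;
    }
    if (revoke_suid_exec() != 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return 1;
    }
    /* From here on nothing we exec can raise its privileges. */
    execv(argv[1], argv + 1);
    perror("execv");   /* only reached if the exec itself failed */
    return 1;
}
```

To mirror the transcript you need a set-user-ID binary you cannot read, which takes root to set up once (the path and the nnp name are assumptions for this example): build the program as nnp, then `cp nnp /tmp/suid_nnp; chown root /tmp/suid_nnp; chmod 4711 /tmp/suid_nnp`. As an ordinary user, `/tmp/suid_nnp --report` shows euid=0 and dumpable=0 (or the fs.suid_dumpable value); `./nnp /tmp/suid_nnp --report` shows that the exec went through, but euid equals uid, no_new_privs=1, and dumpable is still 0 because the image is unreadable to you. Where SecureWare answered "cannot execute", Linux runs the binary unprivileged yet still refuses to let it dump core.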
