Bugtraq mailing list archives
Re: PMDF sendmail vulnerability
From: Kevin.Carosso () INNOSOFT COM (Kevin V. Carosso)
Date: Fri, 23 May 1997 17:27:08 -0700
This vulnerability has been addressed and there is a fix available from our ftp area. Instructions for downloading the new images are also available at:

http://www.innosoft.com/517patches/aa_sendmail_patches.html

There are versions available for each UNIX platform that PMDF supports. It is worthy to note, as stated in Jonathan's report, that this bug does not grant root access.

> And for kicks, a few other PMDF gotchas: if the installer needs to create a top level installation and/or state directory, it will leave them world writable. It will also chown the /pmdf/www directory to UID 30 instead of the pmdf user (they use UID 30 for pmdf in the example, but never state that it is required or assumed to be such). Innosoft will have a fix for these RSN as well.

Both of these issues have been addressed in the Digital UNIX installer and will be reflected when PMDF is rekitted for our next CD-ROM. Note that PMDF is not compromised by files appearing in the top-level directory, though it may be exploited to get around quotas.

Sincerely,
/Kevin Carosso
VP, Engineering
Innosoft
> I've only tested this on PMDF 5.1-7 under Digital Unix 4.0B, though I presume it works under other flavors of Unix...
>
> Caveat: While the name of the program is 'sendmail' it has no relation to standard UCB sendmail.
>
> Synopsis: The sendmail-alike utility included with the latest version of PMDF has a vulnerability that allows any local user to overwrite any file owned by the pmdf account. This can be blatantly exploited to trash the mail system, or more subtly to induce a trojan horse or get around user quota restrictions.
>
> Detail: The sendmail program can be put into a debug mode by setting the environment variable PMDF_SENDMAIL_DEBUG. In this mode, sendmail creates two output files, /tmp/pmdf_sendmail.debug, which contains the command line you ran, and /tmp/pmdf_sendmail.msg, which contains the message you gave to sendmail. As you might have guessed, sendmail doesn't check for symlinks before writing to the files, and thus will happily overwrite any file owned by the pmdf user (PMDF sendmail is setuid to the pmdf account). Fortunately, pointing one of the debug files to a setuid binary ends up clearing the setuid bit, so you can't gain privileges that way. You can do other kinds of nasty stuff though, by simply replacing one of the PMDF binaries with a program of your own choosing (the pmdf_sendmail.msg file is whatever you give to sendmail; it isn't modified in any way).
>
> I've notified Innosoft of this and expect a fix Real Soon Now. Alternatively, you can su to the pmdf account and 'touch' the two output files to prevent anybody else from symlinking them.
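The bug class in the report is a privileged program creating its debug output at a fixed, world-writable path with a create-or-truncate open, which follows whatever symlink a local user planted there. The example below is added here and is not PMDF code: it shows the naive open pattern beside a hardened one that refuses symlinks and pre-existing files, and self-checks the hardened version in a constructed scratch directory (the directory and file names are made up for the demo).

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive pattern from the report: create-or-truncate at a fixed path.
 * open() follows a symlink planted at `path`, so the link target is truncated. */
int open_debug_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened variant: O_NOFOLLOW refuses a symlink at the final component,
 * O_EXCL refuses any pre-existing entry, and fstat() confirms we got a
 * plain file owned by us. Fails with ELOOP or EEXIST on a planted link. */
int open_debug_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-check: plant a symlink named like the debug file pointing at a
 * victim file, then confirm the hardened open refuses it and the victim
 * keeps its contents. Returns 1 on correct behaviour, 0 otherwise. */
int demo_symlink_refused(void) {
    char dir[] = "/tmp/dbgdemo.XXXXXX";            /* constructed scratch dir */
    if (!mkdtemp(dir)) return 0;
    char victim[256], link[256];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/pmdf_sendmail.debug", dir);
    int vfd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (vfd < 0 || write(vfd, "keep me\n", 8) != 8) return 0;
    close(vfd);
    if (symlink(victim, link) != 0) return 0;
    int rc = open_debug_safe(link);
    int ok = (rc < 0 && (errno == ELOOP || errno == EEXIST));
    struct stat st;
    ok = ok && stat(victim, &st) == 0 && st.st_size == 8;   /* untouched */
    unlink(link); unlink(victim); rmdir(dir);
    return ok;
}

int main(void) {
    printf("hardened open refuses planted symlink: %s\n",
           demo_symlink_refused() ? "yes" : "NO");
    return 0;
}
```

The report's workaround (pre-creating both /tmp files as the pmdf user) works for the same reason O_EXCL does: once a real pmdf-owned file occupies the path in a sticky /tmp, no other local user can replace it with a link.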