Vulnerability Development mailing list archives

sendmail ;o)


From: sgp () TELSATGP COM PL (Slawek)
Date: Wed, 12 Jul 2000 11:54:01 +0200


Hello,

Well, I would be grateful if somebody could tell me if I'm correct in this
simple analysis.

In fact I've started from checking the source code of finger on OpenBSD 2.7 and
I've found there an interesting function (in util.c) called expandusername.
This function is probably broken and could be exploited if it were invoked with
a small output buffer - fortunately this buffer is always 1024 long and this
is too long to be overflowed ;) (user names are limited to 8 chars there)

But .. after a while I've decided to follow the line

/* inspired by usr.sbin/sendmail/util.c::buildfname */

and check how it is invoked in sendmail ;) (I'm not using sendmail but ..
just curious)

The function (in sendmail 8.10.1, not sure about the other versions) looks
like this:

---- start ----
void
buildfname(gecos, user, buf, buflen)
 register char *gecos;
 char *user;
 char *buf;
 int buflen;
{
 register char *p;
 register char *bp = buf;

 if (*gecos == '*')
  gecos++;

 /* copy gecos, interpolating & to be full name */
 for (p = gecos; *p != '\0' && *p != ',' && *p != ';' && *p != '%'; p++)
 {
  if (bp >= &buf[buflen - 1])
  {
   /* buffer overflow -- just use login name */
   snprintf(buf, buflen, "%s", user);
   return;
  }
  if (*p == '&')
  {
   /* interpolate full name */
   snprintf(bp, buflen - (bp - buf), "%s", user);
   *bp = toupper(*bp);
   bp += strlen(bp);
  }
  else
   *bp++ = *p;
 }
 *bp = '\0';
}
---- end ----

Well, it's about the same as in finger - even "better" ;) .. snprintf does
not null-terminate :)
This time it is invoked with a destination buffer of MAXNAME+1 (256+1) bytes
in a function called "recipient" .. and in "finduser" .. and in some more
places ..

The trick is to use _many_ &'s in the user name (chfn allows normal users to do
this on themselves)

After this, snprintf will not null-terminate and the data following just after
the buffer will get "toupper'd".
Are there pointers following the output buffers? :))
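As an added example (not from the post or from the sendmail sources): an ANSI-C transcription of the quoted buildfname() together with a guard-byte harness that checks, for a given gecos/user/buflen, whether the result stays inside the destination buffer and is NUL-terminated. It assumes a C99 snprintf, which always NUL-terminates when the size is greater than zero; fname_check() and its guard layout are this example's own, not sendmail's.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* ANSI-C transcription of the quoted sendmail 8.10.1 buildfname(); the
 * bounds logic is kept exactly as posted. Assumes a C99 snprintf. */
void buildfname(const char *gecos, const char *user, char *buf, int buflen)
{
    const char *p;
    char *bp = buf;
    if (*gecos == '*')
        gecos++;
    /* copy gecos, interpolating & to be full name */
    for (p = gecos; *p != '\0' && *p != ',' && *p != ';' && *p != '%'; p++) {
        if (bp >= &buf[buflen - 1]) {
            /* buffer overflow -- just use login name */
            snprintf(buf, buflen, "%s", user);
            return;
        }
        if (*p == '&') {
            /* interpolate full name */
            snprintf(bp, (size_t)(buflen - (bp - buf)), "%s", user);
            *bp = toupper((unsigned char)*bp);
            bp += strlen(bp);
        } else
            *bp++ = *p;
    }
    *bp = '\0';
}

/* Harness (this example's own): run buildfname() into a buflen-byte window
 * surrounded by 0xA5 guard bytes. Returns 1 only if no guard byte changed,
 * the result is NUL-terminated inside the window and equals `expected`. */
int fname_check(const char *gecos, const char *user, int buflen, const char *expected)
{
    unsigned char arena[1 + 64 + 8];        /* guard | window | guard bytes */
    char *win = (char *)arena + 1;
    int i;
    if (buflen <= 0 || buflen > 64)
        return 0;
    memset(arena, 0xA5, sizeof arena);
    buildfname(gecos, user, win, buflen);
    for (i = 0; i < (int)sizeof arena; i++)  /* every guard byte intact? */
        if ((i < 1 || i > buflen) && arena[i] != 0xA5)
            return 0;
    if (memchr(win, '\0', buflen) == NULL)
        return 0;                           /* not NUL-terminated */
    return strcmp(win, expected) == 0;
}
```

With a conforming snprintf the harness reports the fallback-to-login-name path for a gecos full of &'s rather than a write past the window; the interesting question is therefore which snprintf the platform's sendmail build actually links.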

Unfortunately I've got no time to do some more investigation, but it looks
like a local user could change his username to do some "strange" things in
sendmail ;)

I'm not sure if it's exploitable in any way. I'm almost sure an attacker could
locally segfault sendmail by changing his own username and sending an email
to himself, but I don't know if something more is possible. Well, in fact I
didn't even check if this code is invoked with UID=0.

I hope somebody has got more time and would like to play with it :))

Bye,
Slawek

