Bugtraq mailing list archives
Re: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
From: Kari.Hurtta () ozone fmi fi (Kari E. Hurtta)
Date: Sun, 17 Nov 1996 11:21:30 +0200
Leshka Zakharoff:
#-------------------------------- CUT HERE ------------------------------------- #/bin/sh
Perhaps this helps?

Content-Description: Fix for SIGHUP bug
Message-Id: <199611170200.SAA13681 () knecht Sendmail ORG>
From: Eric Allman <eric () sendmail org>
X-URL: http://WWW.InReference.COM/~eric
cc: sendmail-bugs () sendmail org
Subject: Re: Security problem in 8.7.x and 8.8.x
Date: Sat, 16 Nov 1996 18:00:33 -0800

Many thanks -- I am aware of it, but I would rather be told twice than not at all. Sendmail 8.8.3 will come out probably tomorrow; in the meantime, a patch is enclosed.

eric

------- main.c ------- *** - Wed Dec 31 16:00:00 1969 --- main.c Sat Nov 16 07:07:17 1996 *************** *** 493,507 **** { case MD_DAEMON: case MD_FGDAEMON: ! # ifdef DAEMON ! if (RealUid != 0) ! { ! usrerr("Permission denied"); ! exit(EX_USAGE); ! } ! vendor_daemon_setup(CurEnv); ! /* fall through ... */ ! # else usrerr("Daemon mode not implemented"); ExitStat = EX_USAGE; break; --- 493,499 ---- { case MD_DAEMON: case MD_FGDAEMON: ! # ifndef DAEMON usrerr("Daemon mode not implemented"); ExitStat = EX_USAGE; break; *************** *** 899,904 **** --- 891,904 ---- /* fall through ... */ case MD_DAEMON: + /* check for permissions */ + if (RealUid != 0) + { + usrerr("Permission denied"); + exit(EX_USAGE); + } + vendor_daemon_setup(CurEnv); + /* remove things that don't make sense in daemon mode */ FullName = NULL; GrabTo = FALSE; *************** *** 1932,1937 **** --- 1932,1946 ---- syslog(LOG_INFO, "restarting %s on signal", SaveArgv[0]); #endif releasesignal(SIGHUP); + if (setuid(RealUid) < 0 || setgid(RealGid) < 0) + { + #ifdef LOG + if (LogLevel > 0) + syslog(LOG_ALERT, "could not set[ug]id(%d, %d): %m", + RealUid, RealGid); + #endif + exit(EX_OSERR); + } execv(SaveArgv[0], (ARGV_T) SaveArgv); #ifdef LOG if (LogLevel > 0)

[ Rest of mail deleted. - K E H ]
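Review bot: In the hunk at main.c 493, once DAEMON is defined the "case MD_DAEMON:" and "case MD_FGDAEMON:" labels have no statements of their own within the visible lines, and the "/* fall through ... */" comment that marked this as intentional is deleted together with the root check. Keep a short comment after the labels saying that the permission check now lives in the later daemon-mode case, so a reader of this switch does not take the missing check for an omission.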
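Review bot: In the hunk at main.c 899, the relocated check sits under "case MD_DAEMON:" and is reached through the fall-through from the case above it, which the visible context does not name, while the first hunk removes the check from a switch that lists both MD_DAEMON and MD_FGDAEMON. Please confirm that MD_FGDAEMON still reaches this check, and extend the "/* check for permissions */" comment to say which modes it covers. A "Permission denied" exit would also read more accurately as EX_NOPERM than EX_USAGE.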
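Review bot: In the hunk at main.c 1932, setuid(RealUid) is called before setgid(RealGid); once the uid drop succeeds for a non-root RealUid, the process no longer has the privilege to change its group, so the setgid call can only succeed when RealGid already matches the real or saved gid. Drop the group first: "if (setgid(RealGid) < 0 || setuid(RealUid) < 0)". The visible lines also do not reset the supplementary group list before the execv; if that is not done elsewhere, it belongs here as well. The LOG_ALERT message would be more useful if it said which of the two calls failed.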