Bugtraq mailing list archives

Re: sendmail -C: Known? Patches? (AIX 4.1.5)


From: spaf () CS PURDUE EDU (Gene Spafford)
Date: Sat, 9 Aug 1997 19:31:41 -0500


I had mail from Matt Bishop saying that he documented this problem
in a RIACS memo in approximately 1984.  I did some more digging and
found that this was indeed a problem in sendmail, fixed in version
4.31 on August 5, 1984.  Pretty shocking if anyone is still running
a version that old.

Yup, it is an old hole.  Here is the first mention I found of it in my
archives (in the old denelcor security list).  However, I recall using
it myself sometime before this, perhaps in 1983, to read protected
files.  I seem to vaguely recall that there was a semi-public problem
in mid 1984 with some other program that used config files, and this
led several people to independently discover the problem in sendmail.

Note that we keep seeing similar problems pop up in other places
because programmers don't pay attention to past security mistakes.
For instance, the problem with "passwd" that we had a few years back
reading in an alternate password file.


Old bugs never quite seem to die....  If the problem is in a recent
version of AIX I think it would be very interesting to find how & why
it got there.

--spaf


From:     ihnp4!denelvx!lmc (Lyle McElhaney)
Message-Id: <8503180623.AA12253 () denelvx UUCP>
Date:     17 Mar 1985 2323-MST (Sunday)
To:       sec-dist
Subject:  Security Mailing List, # 10

Topics:
                     Admin and new people on the list
               SUID shell scripts --and-- mesg [ y ] [ n ]
                              sendmail bugs
                    Re: Checking for trivial passwords
            Re: Can you mail me the password-guessing program?
                       Re: Treatise on uucp needed

----------------------------------------------------------------------------

[stuff elided]

Date: Tue, 12 Mar 85 18:54:37 est
From: ihnp4!watmath!sunybcs!loverso (John Robert LoVerso)
Subject: Re: addition to unix security list

Enclosed is the stuff on sendmail as mailed to me by Keith Muller:
--
Date: Wed, 12 Sep 84 20:16:10 pdt
From: rocksvax!amd!ihnp4!sdcsvax!sdcc3!muller (Keith Muller)
Subject: sendmail bugs

[some stuff elided]

There are two VERY SERIOUS security holes in sendmail. If sendmail runs
with the setuid root bit on, ANY user can get a root shell. The other
problem allows any user to read ANY file in the system.

Problem 1) Reading any file in the system.

To see if you have this problem:
        cd /tmp
        /usr/lib/sendmail -Cno_READ_file >& OUTPUT&

        Where file is some file that the user who executes this
        command SHOULD NOT be able to read. If you have the contents
        of no_READ_file in the file OUTPUT you have the bug.

The -C flag allows you to specify a configuration file other than the
default sendmail.cf. The routines in readcf.c blindly open the file and
start parsing it. If the file is NOT a proper sendmail.cf file,
sendmail complains and ECHOES the offending file to standard output. The
fix requires placing an access call before the fopen(cfname, "r") in
readcf.c.

[more stuff elided]
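The fix described in the forwarded note, as an added C example that is not sendmail's own readcf.c code: a helper for a setuid-root program that opens a user-supplied config path only if the invoking user could read it. access(2) judges with the real uid, which is why it asks the right question where fopen() (judged with the effective uid, root) does not; the example goes one step further than the 1984 fix and also drops effective privileges around the fopen() to close the check-then-use window that access()+fopen() leaves. Function names and the constructed sample file are assumptions.

```c
#define _XOPEN_SOURCE 700   /* must precede system headers: seteuid, mkstemp */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* Open a config file only if the invoking (real) user could read it.
 * access(2) judges with the real uid/gid, which is why it was the 1984
 * fix; dropping the effective ids around fopen() closes the remaining
 * check-then-use window. Returns NULL (errno set) on refusal/failure. */
FILE *open_cf_as_real_user(const char *cfname)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();
    FILE *fp; int saved;

    if (access(cfname, R_OK) != 0)       /* the historic readcf.c fix */
        return NULL;
    /* Temporarily become the real user (no-ops when not setuid). Group
     * first: after seteuid(ruid) the gid could no longer be changed. */
    if (egid != rgid && setegid(rgid) != 0)
        return NULL;
    if (euid != ruid && seteuid(ruid) != 0) {
        saved = errno; (void)setegid(egid); errno = saved;
        return NULL;
    }
    fp = fopen(cfname, "r");
    saved = errno;
    if (euid != ruid) (void)seteuid(euid);   /* regain saved set-user-ID */
    if (egid != rgid) (void)setegid(egid);
    errno = saved;
    return fp;
}

/* Demo: write a constructed one-line config under /tmp (our own file,
 * readable by the real user), open it via the helper and return its
 * first byte, or -1 if the open was refused or failed. */
int demo_open_own_config(void)
{
    char path[] = "/tmp/cf_demo_XXXXXX";     /* constructed sample file */
    int fd = mkstemp(path), c = -1;
    FILE *fp;
    if (fd < 0) return -1;
    if (write(fd, "V8\n", 3) != 3) { close(fd); unlink(path); return -1; }
    close(fd);
    fp = open_cf_as_real_user(path);
    if (fp) { c = fgetc(fp); fclose(fp); }
    unlink(path);
    return c;
}
```

Run as an unprivileged user the helper is a plain guarded fopen(); the two seteuid/setegid branches only matter when the binary is installed setuid.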
