PMDF sendmail vulnerability

Jonathan Rozes (jrozes@GUMBO.TCS.TUFTS.EDU)
Fri, 23 May 1997 15:20:02 -0400

Hi--

I've only tested this on PMDF 5.1-7 under Digital Unix 4.0B, though I
presume it works under other flavors of Unix...

Caveat: While the name of the program is 'sendmail' it has no relation to
standard UCB sendmail.

Synopsis: The sendmail-alike utility included with the latest version of
PMDF has a vulnerability that allows any local user to overwrite any file
owned by the pmdf account. This can be blatantly exploited to trash the
mail system, or more subtly to induce a trojan horse or get around user
quota restrictions.

Detail: The sendmail program can be put into a debug mode by setting the
environment variable PMDF_SENDMAIL_DEBUG. In this mode, sendmail creates
two output files, /tmp/pmdf_sendmail.debug, which contains the command line
you ran, and /tmp/pmdf_sendmail.msg, which contains the message you gave
to sendmail. As you might have guessed, sendmail doesn't check for symlinks
before writing to the files, and thus will happily overwrite any file owned
by the pmdf user (PMDF sendmail is setuid to the pmdf account).

Fortunately, pointing one of the debug files to a setuid binary ends up
clearing the setuid bit, so you can't gain privileges that way. You can
do other kinds of nasty stuff though, by simply replacing one of the PMDF
binaries with a program of your own choosing (the pmdf_sendmail.msg file
is whatever you give to sendmail; it isn't modified in any way).

I've notified Innosoft of this and expect a fix Real Soon Now. Alternatively,
you can su to the pmdf account and 'touch' the two output files to prevent
anybody else from symlinking them.
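
The vendor-side fix the detail above implies, as an added example in C that is not PMDF's code: create the debug file with O_CREAT|O_EXCL (plus O_NOFOLLOW where the platform has it) so an existing symlink is refused rather than followed, which is what a plain fopen(path, "w") gets wrong. The demo paths and victim file are constructed in a private temporary directory, not the real /tmp names; the admin 'touch' workaround above relies on the same property, that open() with O_EXCL cannot be steered through a pre-existing name.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0   /* O_EXCL alone still refuses an existing symlink */
#endif

/* Create a brand-new debug file at path. Returns an fd, or -1 if anything
 * (regular file or symlink) already exists there. O_CREAT|O_EXCL makes the
 * existence check and the create one atomic step, so a planted link is never followed. */
int safe_create_debug_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;            /* confirm we got a regular file we own */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd); return -1;
    }
    return fd;
}

/* Demo in a private temp dir (constructed, not PMDF's paths): a victim file
 * and a symlink to it named pmdf_sendmail.msg. Returns 1 when the symlinked name
 * is refused, the victim keeps its 9 original bytes, and a clean name is created. */
int demo(void)
{
    char dir[] = "/tmp/pmdfdemo.XXXXXX", victim[64], lnk[64], clean[64];
    int ok = 0, fd;
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/pmdf_sendmail.msg", dir);
    snprintf(clean, sizeof clean, "%s/pmdf_sendmail.debug", dir);
    FILE *v = fopen(victim, "w");
    if (!v || fputs("original\n", v) < 0 || fclose(v) != 0) goto out;
    if (symlink(victim, lnk) != 0) goto out;
    if ((fd = safe_create_debug_file(lnk)) >= 0) { close(fd); goto out; }
    if ((fd = safe_create_debug_file(clean)) < 0) goto out;
    if (write(fd, "debug\n", 6) != 6) { close(fd); goto out; }
    close(fd);
    ok = stat(victim, &st) == 0 && st.st_size == 9;
out:
    unlink(victim); unlink(lnk); unlink(clean); rmdir(dir);
    return ok;
}
```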

And for kicks, a few other PMDF gotchas: if the installer needs to create a
top level installation and/or state directory, it will leave them world
writable. It will also chown the /pmdf/www directory to UID 30 instead of
the pmdf user (they use UID 30 for pmdf in the example, but never state
that it is required or assumed to be such). Innosoft will have a fix for
these RSN as well.

Cheers,
jonathan

--
+++ Jonathan Rozes, Unix Systems Administrator, Tufts University
++  jrozes@tcs.tufts.edu, http://rozes.tcs.tufts.edu/
+   Remember, there's a difference between kneeling down and
    bending over --FZ