Re: PMDF sendmail vulnerability

Kevin V. Carosso (Kevin.Carosso@INNOSOFT.COM)
Fri, 23 May 1997 17:27:08 -0700

This vulnerability has been addressed and there is a fix available from
our ftp area. Instructions for downloading the new images are also
available at:

http://www.innosoft.com/517patches/aa_sendmail_patches.html

There are versions available for each UNIX platform that PMDF supports.

It is worth noting, as stated in Jonathan's report, that this bug does
not grant root access.

> And for kicks, a few other PMDF gotchas: if the installer needs to create a
> top level installation and/or state directory, it will leave them world
> writable. It will also chown the /pmdf/www directory to UID 30 instead of
> the pmdf user (they use UID 30 for pmdf in the example, but never state
> that it is required or assumed to be such). Innosoft will have a fix for
> these RSN as well.

Both of these issues have been addressed in the Digital UNIX installer and will
be reflected when PMDF is rekitted for our next CD-ROM. Note that PMDF is not
compromised by files appearing in the top-level directory, though it may be
exploited to get around quotas.

Sincerely,

/Kevin Carosso
VP, Engineering
Innosoft

> I've only tested this on PMDF 5.1-7 under Digital Unix 4.0B, though I
> presume it works under other flavors of Unix...
>
> Caveat: While the name of the program is 'sendmail' it has no relation to
> standard UCB sendmail.
>
> Synopsis: The sendmail-alike utility included with the latest version of
> PMDF has a vulnerability that allows any local user to overwrite any file
> owned by the pmdf account. This can be blatantly exploited to trash the
> mail system, or more subtly to induce a trojan horse or get around user
> quota restrictions.
>
> Detail: The sendmail program can be put into a debug mode by setting the
> environment variable PMDF_SENDMAIL_DEBUG. In this mode, sendmail creates
> two output files, /tmp/pmdf_sendmail.debug, which contains the command line
> you ran, and /tmp/pmdf_sendmail.msg, which contains the message you gave
> to sendmail. As you might have guessed, sendmail doesn't check for symlinks
> before writing to the files, and thus will happily overwrite any file owned
> by the pmdf user (PMDF sendmail is setuid to the pmdf account).
>
> Fortunately, pointing one of the debug files to a setuid binary ends up
> clearing the setuid bit, so you can't gain privileges that way. You can
> do other kinds of nasty stuff though, by simply replacing one of the PMDF
> binaries with a program of your own choosing (the pmdf_sendmail.msg file
> is whatever you give to sendmail; it isn't modified in any way).
>
> I've notified Innosoft of this and expect a fix Real Soon Now. Alternatively,
> you can su to the pmdf account and 'touch' the two output files to prevent
> anybody else from symlinking them.
>
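An added example, not Innosoft's code or the reporter's, of the fix a setuid program needs for the fixed-name /tmp debug files described above: create the file without following a planted symlink, then verify what was actually opened. The self-check uses constructed temporary paths, not PMDF's.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a fixed-name debug file for writing, creating it if absent.
 * O_NOFOLLOW refuses a symlink planted at `path`; the fstat check
 * then rejects anything that is not a regular, single-link file owned
 * by the effective uid (the setuid account).  Returns the fd or -1. */
int open_debug_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_APPEND, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-check on a constructed scenario (assumed paths, not PMDF's):
 * a victim file, a symlink to it at the debug-file name, and a clean
 * name.  Returns 1 if the symlink is refused, the victim is untouched
 * and the clean name still works. */
int check_symlink_refused(void)
{
    char dir[] = "/tmp/dbgXXXXXX", victim[64], lnk[64], fresh[64];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/sendmail.debug", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.debug", dir);
    int v = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (v < 0 || write(v, "keep", 4) != 4 || close(v) != 0) return 0;
    if (symlink(victim, lnk) != 0) return 0;
    int ok = 1;
    struct stat st;
    if (open_debug_file(lnk) != -1) ok = 0;        /* must be refused */
    if (stat(victim, &st) != 0 || st.st_size != 4) ok = 0;
    int fd = open_debug_file(fresh);               /* clean path works */
    if (fd < 0 || write(fd, "x", 1) != 1) ok = 0;
    if (fd >= 0) close(fd);
    unlink(victim); unlink(lnk); unlink(fresh); rmdir(dir);
    return ok;
}
```

The administrator workaround in the report (pre-creating the files as the pmdf user) closes the same hole from the outside; the O_NOFOLLOW plus fstat pattern closes it in the program itself.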