Re: sendmail -C: Known? Patches? (AIX 4.1.5)

Gene Spafford (spaf@CS.PURDUE.EDU)
Sat, 09 Aug 1997 19:31:41 -0500

> I had mail from Matt Bishop saying that he documented this problem
> in a RIACS memo in approximately 1984. I did some more digging and
> found that this was indeed a problem in sendmail, fixed in version
> 4.31 on August 5, 1984. Pretty shocking if anyone is still running
> a version that old.

Yup, it is an old hole. Here is the first mention I found of it in my
archives (in the old denelcor security list). However, I recall using
it myself sometime before this, perhaps in 1983, to read protected
files. I seem to vaguely recall that there was a semi-public problem
in mid 1984 with some other program that used config files, and this
led several people to independently discover the problem in sendmail.

Note that we keep seeing similar problems pop up in other places
because programmers don't pay attention to past security mistakes.
For instance, the problem with "passwd" that we had a few years back
reading in an alternate password file.

Old bugs never quite seem to die.... If the problem is in a recent
version of AIX I think it would be very interesting to find how & why
it got there.

--spaf

> From: ihnp4!denelvx!lmc (Lyle McElhaney)
> Message-Id: <8503180623.AA12253@denelvx.UUCP>
> Date: 17 Mar 1985 2323-MST (Sunday)
> To: sec-dist
> Subject: Security Mailing List, # 10
>
> Topics:
> Admin and new people on the list
> SUID shell scripts --and-- mesg [ y ] [ n ]
> sendmail bugs
> Re: Checking for trivial passwords
> Re: Can you mail me the password-guessing program?
> Re: Treatise on uucp needed
>
> ----------------------------------------------------------------------------

[stuff elided]

> Date: Tue, 12 Mar 85 18:54:37 est
> From: ihnp4!watmath!sunybcs!loverso (John Robert LoVerso)
> Subject: Re: addition to unix security list
>
> Enclosed is the stuff on sendmail as mailed to me by Keith Muller:
> --
> Date: Wed, 12 Sep 84 20:16:10 pdt
> From: rocksvax!amd!ihnp4!sdcsvax!sdcc3!muller (Keith Muller)
> Subject: sendmail bugs

[some stuff elided]

> There are two VERY SERIOUS security holes in sendmail. If sendmail runs
> with the setuid root bit on, ANY user can get a root shell. The other
> problem allows any user to read ANY file in the system.
>
> Problem 1) Reading any file in the system.
>
> To see if you have this problem:
> cd /tmp
> /usr/lib/sendmail -Cno_READ_file >& OUTPUT&
>
> Where file is some file that the user who executes this
> command SHOULD NOT be able to read. If you have the contents
> of no_READ_file in the file OUTPUT you have the bug.
>
> The -C flag allows you to specify a configuration file other than the
> default sendmail.cf. The routines in readcf.c blindly open the file and
> start parsing it. If the file is NOT a proper sendmail.cf file,
> sendmail complains and ECHOES the offending file to standard output. The
> fix requires placing an access call before the fopen(cfname, "r") in
> readcf.c.

[more stuff elided]
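The pattern Keith Muller describes above (a setuid program opening a user-supplied config path with its effective uid and echoing the unparseable contents), next to the access()-based fix, as an added example that is not sendmail's own readcf.c; the control-letter validity rule, the function names and the /tmp path are assumptions.

```c
/* Added example, not sendmail's readcf.c: a hypothetical config reader showing the
 * -C bug class from the post, with the flawed and hardened behaviour selectable. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Toy rule: a .cf line must begin with one of sendmail's control letters. */
static int cf_line_ok(const char *l) { return l[0] && strchr("DCFOHMRSPT#\n", l[0]); }

/* Returns 0 if every line parses, -1 if the file cannot be opened, else the number
 * of the first bad line, with a diagnostic written to diag. */
int readcf(const char *cf, int hardened, char *diag, size_t n) {
    char buf[256]; int lineno = 0; FILE *f;
    /* Fix from the post: access() checks readability against the *real* uid before the
     * privileged fopen(). It leaves a check-then-open race, so a setuid program should
     * also drop to the real uid around the open. */
    if (hardened && access(cf, R_OK) != 0) {
        snprintf(diag, n, "%s: %s", cf, strerror(errno));
        return -1;
    }
    if (!(f = fopen(cf, "r"))) return -1;  /* runs as the effective uid: root when setuid */
    while (fgets(buf, sizeof buf, f)) {
        lineno++;
        if (cf_line_ok(buf)) continue;
        buf[strcspn(buf, "\n")] = '\0';
        if (hardened)  /* say where the problem is, not what the file contains */
            snprintf(diag, n, "%s: line %d: unknown control line", cf, lineno);
        else           /* the leak: the offending line is echoed verbatim */
            snprintf(diag, n, "%s: line %d: bad line \"%s\"", cf, lineno, buf);
        fclose(f);
        return lineno;
    }
    fclose(f);
    return 0;
}

/* Writes a constructed stand-in for a file the invoking user should not be able to
 * read, then reports: bit 0 = flawed reader echoed the secret, bit 1 = hardened
 * reader did not, bit 2 = hardened reader refused a path assumed not to exist. */
int demo(const char *path) {
    char diag[512] = ""; int r = 0;
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs("# a comment is a legal .cf line\nsecret-token: hunter2\n", f);
    fclose(f);
    if (readcf(path, 0, diag, sizeof diag) == 2 && strstr(diag, "hunter2")) r |= 1;
    if (readcf(path, 1, diag, sizeof diag) == 2 && !strstr(diag, "hunter2")) r |= 2;
    if (readcf("/nonexistent/dir/sendmail.cf", 1, diag, sizeof diag) == -1) r |= 4;
    return r;   /* 7 when all three observations hold */
}
```

Run as an unprivileged user the access() branch is what stops the disclosure; the diagnostic change matters independently, because even a correctly authorised open should not copy file contents into error output.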