Open Source and information security mailing list archives
 
Date: Tue, 21 Dec 2004 16:30:03 -0500
From: Michael Barnes <mbarnes@...psci.wm.edu>
To: bugtraq@...urityfocus.com
Subject: possible local exploit via sendmail with procmail on solaris


I was debugging a new procmail rule and noticed some strange information
in the logfile.  It turned out to be mkdir complaining that it could not
create a directory because it existed.  I found out that this was coming
from a user's .cshrc file that had something like:

if ( ! -r /home/user/TMPDIR ) then
  mkdir /home/user/TMPDIR
endif

The TMPDIR was there, but it had mode 0700 and was owned by the user, so
it was not readable by other users; if another user executed the .cshrc
file, it would attempt to run the mkdir command.

The problem is this.  Why is a user's .cshrc file being executed by
another user?

I put some debugging info in my account and found this:

New shell invocation: PID=18443: id=<<uid=0(root) gid=6(mail)>>
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root 18440     1  0 15:01:52 ?        0:00 /usr/lib/sendmail -bd -q15m
    root 18441 18440  0 15:01:52 ?        0:00 procmail -f somebodyelse@...mple.com -Y -a  -d mbarnes
    root 18442 18441  0 15:01:52 ?        0:00 procmail -f somebodyelse@...mple.com -Y -a  -d mbarnes
    root 18443 18442  0 15:01:52 ?        0:00 /bin/zsh -c echo $ORGMAIL | sed s,$MAILDIR/,,

mbarnes is me.  The procmail command that invoked the shell as root but
sourced my shell's dotfiles was this:

DEST_USER=`echo $ORGMAIL | sed s,$MAILDIR/,,`

The invocation of procmail is via sendmail.cf and it is called by:

Mlocal, P=/usr/local/bin/procmail, F=ESAw5:|/@...FMPhsfn, S=10/30, R=20/40,
        T=DNS/RFC822/X-Unix,
        A=procmail -Y -a $h -d $u


Note that the '$h' appears to be an empty string or nonexistent
altogether; I haven't gotten any further at this time.

I am by no means a sendmail or procmail expert, and I simply may have
something misconfigured on my system, but at this time, at least for me,
this is a local root exploit.

Any comments?

Mike

-- 
/-----------------------------------------\
| Michael Barnes <mbarnes@...psci.wm.edu> |
| UNIX Systems Administrator              |
| College of William and Mary             |
| Phone: (757) 879-3930                   |
\-----------------------------------------/
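An added defender-side check, not code from the post or from procmail: it walks a `ps -ef`-style listing like the one the author captured and flags any shell running as root beneath a procmail delivery to a named user, which is the condition the debugging output above shows. The sample input is the post's own ps listing plus one constructed, benign root shell; the set of shell names and the ps column layout are assumptions.

```python
import re
from collections import namedtuple

# Sample input: the ps output captured in the post, plus one constructed
# benign root shell (the cron line) that must NOT be flagged.
PS_SAMPLE = """\
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root 18440     1  0 15:01:52 ?        0:00 /usr/lib/sendmail -bd -q15m
    root 18441 18440  0 15:01:52 ?        0:00 procmail -f somebodyelse@...mple.com -Y -a  -d mbarnes
    root 18442 18441  0 15:01:52 ?        0:00 procmail -f somebodyelse@...mple.com -Y -a  -d mbarnes
    root 18443 18442  0 15:01:52 ?        0:00 /bin/zsh -c echo $ORGMAIL | sed s,$MAILDIR/,,
    root   123     1  0 15:00:00 ?        0:00 /bin/sh /etc/init.d/cron start
"""

# Assumed set of login shells worth flagging when they run as root.
SHELLS = {"sh", "csh", "tcsh", "ksh", "bash", "zsh"}
# Columns assumed as in the post: UID PID PPID C STIME TTY TIME CMD...
PS_LINE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.*)$")
Proc = namedtuple("Proc", "uid pid ppid cmd")

def parse_ps(text):
    """Parse ps -ef style output into a {pid: Proc} map, skipping the header."""
    procs = {}
    for line in text.splitlines()[1:]:
        m = PS_LINE.match(line)
        if m:
            procs[int(m.group(2))] = Proc(m.group(1), int(m.group(2)), int(m.group(3)), m.group(4))
    return procs

def delivery_user(cmd):
    """Return the recipient named by procmail's `-d user` argument, or None."""
    m = re.search(r"\bprocmail\b.*\s-d\s+(\S+)", cmd)
    return m.group(1) if m else None

def find_root_delivery_shells(procs):
    """Return (pid, user) for each root shell whose ancestor is a procmail
    delivery to `user`: a shell that may have sourced that user's dotfiles as root."""
    hits = []
    for p in procs.values():
        if p.uid != "root" or p.cmd.split()[0].rsplit("/", 1)[-1] not in SHELLS:
            continue
        anc = procs.get(p.ppid)        # walk up until procmail or the tree ends
        while anc is not None:
            user = delivery_user(anc.cmd)
            if user:
                hits.append((p.pid, user))
                break
            anc = procs.get(anc.ppid)
    return hits
```

Running `find_root_delivery_shells(parse_ps(PS_SAMPLE))` yields `[(18443, 'mbarnes')]`: the zsh under procmail is flagged, the unrelated root `/bin/sh` is not.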

