Bug#841257: sendmail: Privilege escalation from group smmsp to (user) root
Dear Andreas, > I have a completely untested patch sitting in GIT - do you have a > possibility to test packages built from that? I could replace files, or DEB packages, on some test machines. Do not know whether that testing would be exhaustive: do not know how many features of the sendmail package I use. Or if the changes are "small" then could just inspect. Cheers, Paul
Bug#841257: sendmail: Privilege escalation from group smmsp to (user) root
On 2016-10-19 08:12, paul.sz...@sydney.edu.au wrote: > Hmm (again) ... Maybe file /usr/share/sendmail/sendmail needs updating > also? It's generated from the same template script, only the initscript gets an additional header. I have a completely untested patch sitting in GIT - do you have a possibility to test packages built from that? Andreas
Debian bug #841257: sendmail: Privilege escalation from group smmsp to (user) root
Hello sendmail maintainers, What is the status of this bug item? https://bugs.debian.org/841257 -- Henri Salo
Bug#841257: sendmail: Privilege escalation from group smmsp to (user) root
Hmm (again) ... Maybe file /usr/share/sendmail/sendmail needs updating also? It is almost identical to /etc/init.d/sendmail, and in file /etc/cron.daily/sendmail I notice the lines: ... #-- # Every so often, give sendmail a chance to run the MSP queues. */20 **** smmsp test -x /etc/init.d/sendmail && /usr/share/sendmail/sendmail cron-msp # #-- # Every so often, give sendmail a chance to run the MTA queues. # Will also run MSP queues if enabled #*/10 **** roottest -x /etc/init.d/sendmail && /usr/share/sendmail/sendmail cron-mta ... Maybe no problem as long as that second line is commented out. I wonder about the first line (whether it is needed), seeing how my machines always have a process like: USER PID %CPU %MEMVSZ RSS TTY STAT START TIME COMMAND smmsp 2880 0.0 0.0 11956 3236 ?Ss Oct11 0:00 sendmail: Queue runner@00:10:00 for /var/spool/mqueue-client running. Cheers, Paul Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of SydneyAustralia
Bug#841257: sendmail: Privilege escalation from group smmsp to (user) root
Hmm... you may also need to (once) do: chown smmsp /var/run/sendmail/stampdir/reload when adopting my patch. Cheers, Paul
Bug#841257: sendmail: Privilege escalation from group smmsp to (user) root
Package: sendmail Version: 8.14.4-8+deb8u1 Severity: grave Tags: patch security Justification: user security hole Supposing that due to some bug in sendmail, we were able to execute commands as group smmsp, then that might be leveraged to cause root to create any (empty) file. The directory /var/run/sendmail/stampdir is group-smmsp-writable, so we (as group smmsp) could create symlinks there pointing to any name. Then when /etc/init.d/sendmail was run as root (to restart the daemon maybe?), one or another of the symlinks /var/run/sendmail/stampdir/reload /var/run/sendmail/stampdir/cron_msp /var/run/sendmail/stampdir/cron_mta /var/run/sendmail/stampdir/cron_msp might be followed to create an empty file. Lines in /etc/init.d/sendmail: ... 110 SENDMAIL_ROOT='/var/run/sendmail'; ... 144 STAMP_DIR="${SENDMAIL_ROOT}/stampdir"; ... 246 touch $STAMP_DIR/reload; ... 367 touch $STAMP_DIR/reload; ... 900 touch $STAMP_DIR/cron_msp; ... 912 touch $STAMP_DIR/cron_mta; ... 938 touch $STAMP_DIR/cron_msp; ... 1130 if [ ! -d "${STAMP_DIR}" ]; then 1131 mkdir -p "${STAMP_DIR}"; 1132 chown root:smmsp "${STAMP_DIR}"; 1133 chmod 02775 "${STAMP_DIR}"; 1134 fi; ... Things missing to make a "convincing" exploit: - a way to "get" group smmsp: there have not been such issues for some years now; - how to trick the sysadmin into restarting sendmail; - under what conditions would any of those "touch" lines be run; - a way to "get root" by creating some empty file: damage can be done with /etc/nologin, maybe some exploitation with /etc/hosts.deny. Seems this issue has low priority. My suggested fix: $ diff /etc/init.d/sendmail.bak <---> /etc/init.d/sendmail 246c246 < touch $STAMP_DIR/reload; --- > su smmsp -s /bin/bash -c "touch $STAMP_DIR/reload"; 367c367 < touch $STAMP_DIR/reload; --- > su smmsp -s /bin/bash -c "touch $STAMP_DIR/reload"; 900c900 < touch $STAMP_DIR/cron_msp; --- > su smmsp -s /bin/bash -c "touch > $STAMP_DIR/cron_msp"; 912c912 < touch $STAMP_DIR/cron_mta; --- > su smmsp -s /bin/bash -c "touch $STAMP_DIR/cron_mta"; 938c938 < touch $STAMP_DIR/cron_msp; --- > su smmsp -s /bin/bash -c "touch > $STAMP_DIR/cron_msp"; Cheers, Paul Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of SydneyAustralia