Re: Sendmail 8.x.x - any user may rebuild aliases database

From: Gregory Neil Shapiro (sendmail+gshapiroat_private)
Date: Mon Nov 22 1999 - 23:48:17 PST

Next message: Cy Schubert - ITSD Open Systems Group: "Re: local users can panic linux kernel (was: SuSE syslogd"

Previous message: Halcyon Skinner: "NetBeans/ Forte' Java IDE HTTP vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----

lcamtuf> Sendmail up to recent 8.9.x versions - any user may pass -bi
lcamtuf> parameter to /usr/sbin/sendmail. This will result in aliases
lcamtuf> database rebuild. IMHO there's no reason to allow such things, but
lcamtuf> no matter - something rather stupid is done during rebuild:

lcamtuf> 5366  open("/etc/aliases.db", O_RDWR|O_TRUNC) = 6

lcamtuf> What a bad luck! There's approx 0.1 sec delay due to /etc/aliases
lcamtuf> processing (on my system). Meantime, luser might deliver any
lcamtuf> signals to sendmail process... SIGKILL is quite good. After that,
lcamtuf> /etc/aliases.db will be left in unusable state (no EOF marker),
lcamtuf> causing DoS:

Thank you for bringing this to our attention.  We have limited the
newaliases command to root and trusted users for 8.10.0.Beta7.  We have
also deprecated the AutoRebuildAliases option since if set, a similar
attack may be possible.  We intend to remove the AutoRebuildAliases
functionality in a future version.

I've included a patch against sendmail 8.9.3 for those who want to protect
against this denial of service attack.

As always, we encourage mailing bug reports, including documentation or
release notes bugs, to sendmail-bugsat_private  Security issues can be
mailed to sendmail-securityat_private and encrypted with the
sendmail-securityat_private PGP key:

Type Bits KeyID      Created    Expires    Algorithm       Use
pub  1024 0x16F4CCE9 1999-06-23 ---------- RSA             Sign & Encrypt
uid  Sendmail Security <sendmail-securityat_private>

The sendmail 8.9.3 patch:

- --- main.c~orig	Sat Jan  9 15:31:13 1999
+++ main.c	Wed Nov 17 19:04:44 1999
@@ -984,6 +984,18 @@
 		usrerr("Permission denied");
 		finis(FALSE, EX_USAGE);
 	}
+	if (OpMode == MD_INITALIAS &&
+	    RealUid != 0 &&
+	    RealUid != TrustedUid &&
+	    !wordinclass(RealUserName, 't'))
+	{
+		if (LogLevel > 1)
+			sm_syslog(LOG_ALERT, NOQID,
+				  "user %d attempted to rebuild the alias map",
+				  RealUid);
+ 		usrerr("Permission denied");
+ 		finis(FALSE, EX_USAGE);
+ 	}

 	if (MeToo)
 		BlankEnvelope.e_flags |= EF_METOO;

Note that PGP signing this message changes the first line of the patch by
adding a "- " before the "---".  Remove the added "- " before trying to
apply the patch.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0 for non-commercial use
Comment: Processed by Mailcrypt 3.5.4, an Emacs/PGP interface
Charset: noconv

iQCVAwUBODpGtsApykAW9MzpAQHsnwQAgN/vqojM5DgDdJ/Z3+Qs0JunGqIDWlCh
ML3+sXam38ZFA+/JgTYM4d1ZSxj+y7LmcN8Z1aLV0r6Ix9Ywkp83Akh9D0zs7sZR
15EbyuHhM2Q+MkPeGMtjhj4E9ptP2EjbqumbOWW+zojn+blWqf0GMjoulXDpk1O3
hTSlXU7zYDM=
=WDU8
-----END PGP SIGNATURE-----

Next message: Cy Schubert - ITSD Open Systems Group: "Re: local users can panic linux kernel (was: SuSE syslogd"
Previous message: Halcyon Skinner: "NetBeans/ Forte' Java IDE HTTP vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:13:55 PDT