[12704] in bugtraq


Re: Sendmail 8.x.x - any user may rebuild aliases database

daemon@ATHENA.MIT.EDU (Gregory Neil Shapiro)
Tue Nov 23 15:09:50 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <14394.18113.153257.488735@horsey.gshapiro.net>
Date:         Mon, 22 Nov 1999 23:48:17 -0800
Reply-To: Gregory Neil Shapiro <sendmail+gshapiro@SENDMAIL.ORG>
From: Gregory Neil Shapiro <sendmail+gshapiro@SENDMAIL.ORG>
X-To:         Michal Zalewski <lcamtuf@IDS.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <lcamtuf.4.05.9912122118210.4246-100000@nimue.ids.pl>

-----BEGIN PGP SIGNED MESSAGE-----

lcamtuf> Sendmail up to recent 8.9.x versions - any user may pass -bi
lcamtuf> parameter to /usr/sbin/sendmail. This will result in aliases
lcamtuf> database rebuild. IMHO there's no reason to allow such things, but
lcamtuf> no matter - something rather stupid is done during rebuild:

lcamtuf> 5366  open("/etc/aliases.db", O_RDWR|O_TRUNC) = 6

lcamtuf> What bad luck! There's approx 0.1 sec delay due to /etc/aliases
lcamtuf> processing (on my system). Meantime, luser might deliver any
lcamtuf> signals to sendmail process... SIGKILL is quite good. After that,
lcamtuf> /etc/aliases.db will be left in unusable state (no EOF marker),
lcamtuf> causing DoS:

Thank you for bringing this to our attention.  We have limited the
newaliases command to root and trusted users for 8.10.0.Beta7.  We have
also deprecated the AutoRebuildAliases option since if set, a similar
attack may be possible.  We intend to remove the AutoRebuildAliases
functionality in a future version.

I've included a patch against sendmail 8.9.3 for those who want to protect
against this denial of service attack.

As always, we encourage mailing bug reports, including documentation or
release notes bugs, to sendmail-bugs@sendmail.org.  Security issues can be
mailed to sendmail-security@sendmail.org and encrypted with the
sendmail-security@sendmail.org PGP key:

Type Bits KeyID      Created    Expires    Algorithm       Use
pub  1024 0x16F4CCE9 1999-06-23 ---------- RSA             Sign & Encrypt
uid  Sendmail Security <sendmail-security@sendmail.org>

The sendmail 8.9.3 patch:

- --- main.c~orig	Sat Jan  9 15:31:13 1999
+++ main.c	Wed Nov 17 19:04:44 1999
@@ -984,6 +984,18 @@
 		usrerr("Permission denied");
 		finis(FALSE, EX_USAGE);
 	}
+	if (OpMode == MD_INITALIAS &&
+	    RealUid != 0 &&
+	    RealUid != TrustedUid &&
+	    !wordinclass(RealUserName, 't'))
+	{
+		if (LogLevel > 1)
+			sm_syslog(LOG_ALERT, NOQID,
+				  "user %d attempted to rebuild the alias map",
+				  RealUid);
+ 		usrerr("Permission denied");
+ 		finis(FALSE, EX_USAGE);
+ 	}

 	if (MeToo)
 		BlankEnvelope.e_flags |= EF_METOO;

Note that PGP signing this message changes the first line of the patch by
adding a "- " before the "---".  Remove the added "- " before trying to
apply the patch.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0 for non-commercial use
Comment: Processed by Mailcrypt 3.5.4, an Emacs/PGP interface
Charset: noconv

iQCVAwUBODpGtsApykAW9MzpAQHsnwQAgN/vqojM5DgDdJ/Z3+Qs0JunGqIDWlCh
ML3+sXam38ZFA+/JgTYM4d1ZSxj+y7LmcN8Z1aLV0r6Ix9Ywkp83Akh9D0zs7sZR
15EbyuHhM2Q+MkPeGMtjhj4E9ptP2EjbqumbOWW+zojn+blWqf0GMjoulXDpk1O3
hTSlXU7zYDM=
=WDU8
-----END PGP SIGNATURE-----
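The failure mode lcamtuf describes and the alternative raised in the patch discussion, as an added example that is not sendmail code: the function rebuild_in_place() truncates the live map first and then writes it (the O_TRUNC pattern from the strace line), while rebuild_atomic() writes to a temporary file and rename(2)s it over the old map. The map format here is a constructed toy (one "key: value" line per alias, ended by a "#EOF" marker line), not Berkeley DB, and the crash_after parameter stands in for the SIGKILL landing mid-rebuild; the sample aliases and /tmp path are made up for the demo.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define EOF_MARKER "#EOF\n"

/* Constructed sample aliases: the input every rebuild writes out. */
static const char *SAMPLE_ALIASES[] = {
    "postmaster: root\n",
    "abuse: postmaster\n",
    "webmaster: root\n",
};
static const size_t SAMPLE_COUNT = 3;

/* Demo map path, unique per process so runs don't collide. */
const char *demo_db_path(void)
{
    static char path[64];
    if (path[0] == '\0')
        snprintf(path, sizeof path, "/tmp/aliases-demo-%ld.db", (long)getpid());
    return path;
}

/* Write n entries then the EOF marker. If crash_after >= 0, stop after that
 * many entries as if the process had been killed: no marker gets written. */
static int write_entries(int fd, const char **entries, size_t n, int crash_after)
{
    for (size_t i = 0; i < n; i++) {
        if (crash_after >= 0 && (int)i == crash_after)
            return -1;                       /* simulated SIGKILL */
        size_t len = strlen(entries[i]);
        if (write(fd, entries[i], len) != (ssize_t)len)
            return -1;
    }
    if (write(fd, EOF_MARKER, strlen(EOF_MARKER)) != (ssize_t)strlen(EOF_MARKER))
        return -1;
    return 0;
}

/* The pattern from the report: the live file is truncated before the new
 * contents exist, so any interruption leaves an unusable map behind. */
int rebuild_in_place(const char *path, const char **entries, size_t n, int crash_after)
{
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    int rc = write_entries(fd, entries, n, crash_after);
    close(fd);
    return rc;
}

/* Hardened pattern: build the map in a temp file in the same directory,
 * fsync it, then rename(2) it over the old one. Whenever the process dies,
 * the path holds either the complete old map or the complete new one. */
int rebuild_atomic(const char *path, const char **entries, size_t n, int crash_after)
{
    char tmp[128];
    snprintf(tmp, sizeof tmp, "%s.XXXXXX", path);
    int fd = mkstemp(tmp);
    if (fd < 0)
        return -1;
    int rc = write_entries(fd, entries, n, crash_after);
    if (rc == 0 && fsync(fd) != 0)
        rc = -1;
    close(fd);
    if (rc != 0 || chmod(tmp, 0644) != 0 || rename(tmp, path) != 0) {
        unlink(tmp);                         /* old map untouched */
        return -1;
    }
    return 0;
}

/* A map is usable only if its last line is the EOF marker. */
int db_is_valid(const char *path)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return 0;
    char line[256], last[256] = "";
    while (fgets(line, sizeof line, f) != NULL)
        strcpy(last, line);
    fclose(f);
    return strcmp(last, EOF_MARKER) == 0;
}

/* Whole scenario: 1 if a kill mid-rebuild breaks the in-place map but
 * leaves the atomically rebuilt map valid, 0 otherwise. */
int demo_scenario(void)
{
    const char *path = demo_db_path();
    if (rebuild_in_place(path, SAMPLE_ALIASES, SAMPLE_COUNT, -1) != 0 || !db_is_valid(path))
        return 0;
    rebuild_in_place(path, SAMPLE_ALIASES, SAMPLE_COUNT, 1);   /* killed after 1 entry */
    int broken = !db_is_valid(path);
    if (rebuild_in_place(path, SAMPLE_ALIASES, SAMPLE_COUNT, -1) != 0)
        return 0;                                              /* restore good map */
    rebuild_atomic(path, SAMPLE_ALIASES, SAMPLE_COUNT, 1);     /* killed at same point */
    int preserved = db_is_valid(path);
    unlink(path);
    return broken && preserved;
}

int main(void)
{
    printf("in-place rebuild breaks on kill, atomic rebuild survives: %s\n",
           demo_scenario() ? "yes" : "no");
    return 0;
}
```

The gate in the 8.9.3 patch only changes who is allowed to reach rebuild_in_place(); the rename-based variant is what removes the window for everyone, including root and the AutoRebuildAliases path.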
