[11701] in bugtraq
Re: Root shell vixie cron exploit
daemon@ATHENA.MIT.EDU (John Kennedy)
Tue Sep 7 05:44:18 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990903171947.A346@akasha.net.chico.ca.us>
Date: Fri, 3 Sep 1999 17:19:47 -0700
Reply-To: John Kennedy <jk@CSUCHICO.EDU>
From: John Kennedy <jk@CSUCHICO.EDU>
X-To: Seva Gluschenko <gvs@RINET.RU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.BSF.4.10.9909012102410.31140-100000@diggy.rinet.ru>; from
Seva Gluschenko on Wed, Sep 01, 1999 at 09:08:55PM +0400
On Wed, Sep 01, 1999 at 09:08:55PM +0400, Seva Gluschenko wrote:
> man sendmail:
> /-C
> ...skipping...
> -Cfile Use alternate configuration file. Sendmail refuses to run
> as root if an alternate configuration file is specified.
>
> and it does, for sure %-).
>
> Just tested this on different versions of FreeBSD and had no effects
> except Mail Delivery message:
>
> The following address has permanent fatal errors:
> -C/tmp/vixie-cf gvs
>
> So, sendmail _really_ refuses to accept -C key when run as root
??? I haven't looked hard at that exploit, but I know sendmail and that
is untrue.
When an average (non-root) user tries to use a -C in sendmail, sendmail
will drop all its suid privs. You can (mis-)configure sendmail to do
stupid things like run an arbitrary program is root -- your average user
just can't do that themselves.
I had assumed that the whole problem with the vixie-cron exploit was
that cron allowed users to invoke sendmail with arbitrary command-line
options *as root*, so dropping SUID status doesn't do any good.
Sendmail doesn't try to protect the root user from themselves.
