[3627] in bugtraq
Re: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
daemon@ATHENA.MIT.EDU (Kari E. Hurtta)
Sun Nov 17 18:42:17 1996
Date: Sun, 17 Nov 1996 11:21:30 +0200
Reply-To: sendmail <sendmail@sendmail.org>
From: "Kari E. Hurtta" <Kari.Hurtta@ozone.fmi.fi>
X-To: leshka@leshka.chuvashia.su
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <199611160109.EAA04160@leshka.chuvashia.su> from Leshka Zakharoff
at "Nov 16, 96 04:09:18 am"
--ELM848222490-15212-3_
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Leshka Zakharoff:
> #-------------------------------- CUT HERE -------------------------------------
> #/bin/sh
Perhaps this helps?
--ELM848222490-15212-3_
Content-Type: message/RFC822
Content-Disposition: inline; filename=foo
Content-Description: Fix for SIGHUP bug
Content-Transfer-Encoding: 7bit
Message-Id: <199611170200.SAA13681@knecht.Sendmail.ORG>
From: Eric Allman <eric@sendmail.org>
X-URL: http://WWW.InReference.COM/~eric
cc: sendmail-bugs@sendmail.org
Subject: Re: Security problem in 8.7.x and 8.8.x
Date: Sat, 16 Nov 1996 18:00:33 -0800
Many thanks -- I am aware of it, but I would rather be told twice than
not at all. Sendmail 8.8.3 will come out probably tomorrow; in the
meantime, a patch is enclosed.
eric
------- main.c -------
*** - Wed Dec 31 16:00:00 1969
--- main.c Sat Nov 16 07:07:17 1996
***************
*** 493,507 ****
{
case MD_DAEMON:
case MD_FGDAEMON:
! # ifdef DAEMON
! if (RealUid != 0)
! {
! usrerr("Permission denied");
! exit(EX_USAGE);
! }
! vendor_daemon_setup(CurEnv);
! /* fall through ... */
! # else
usrerr("Daemon mode not implemented");
ExitStat = EX_USAGE;
break;
--- 493,499 ----
{
case MD_DAEMON:
case MD_FGDAEMON:
! # ifndef DAEMON
usrerr("Daemon mode not implemented");
ExitStat = EX_USAGE;
break;
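Review bot: with the RealUid test deleted from this early MD_DAEMON/MD_FGDAEMON switch (old lines 493-507) and re-added only near line 891, a non-root caller now gets through roughly 400 more lines of startup in daemon mode before "Permission denied" is issued. Please confirm that nothing between the two points acts on the daemon modes on the assumption that the caller was already verified as root. A one-line comment here saying the check now lives in the later MD_DAEMON case would also help, since the old "/* fall through ... */" marker is removed along with it.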
***************
*** 899,904 ****
--- 891,904 ----
/* fall through ... */
case MD_DAEMON:
+ /* check for permissions */
+ if (RealUid != 0)
+ {
+ usrerr("Permission denied");
+ exit(EX_USAGE);
+ }
+ vendor_daemon_setup(CurEnv);
+
/* remove things that don't make sense in daemon mode */
FullName = NULL;
GrabTo = FALSE;
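Review bot: the new RealUid test sits under the "case MD_DAEMON:" label only, whereas the test it replaces was reached from both "case MD_DAEMON:" and "case MD_FGDAEMON:". The case that falls through into this one is not visible in the hunk, so please confirm that MD_FGDAEMON still reaches the test and that no other mode falling through is refused by accident. Separately, exit(EX_USAGE) is carried over from the old code, but sysexits.h provides EX_NOPERM for a permission failure.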
***************
*** 1932,1937 ****
--- 1932,1946 ----
syslog(LOG_INFO, "restarting %s on signal", SaveArgv[0]);
#endif
releasesignal(SIGHUP);
+ if (setuid(RealUid) < 0 || setgid(RealGid) < 0)
+ {
+ #ifdef LOG
+ if (LogLevel > 0)
+ syslog(LOG_ALERT, "could not set[ug]id(%d, %d): %m",
+ RealUid, RealGid);
+ #endif
+ exit(EX_OSERR);
+ }
execv(SaveArgv[0], (ARGV_T) SaveArgv);
#ifdef LOG
if (LogLevel > 0)
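Review bot: in the added "if (setuid(RealUid) < 0 || setgid(RealGid) < 0)" the user ID is dropped before the group ID. Once setuid() has given up root, the process may no longer be able to reset all of its group IDs, so the usual order is setgid(RealGid) first and setuid(RealUid) second. The hunk also leaves the supplementary group list untouched before execv(); if the process can hold extra groups at this point, they should be reset as well. Exiting with EX_OSERR on failure, whether or not LOG is defined, is the right behaviour and should stay.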
[ Rest of mail deleted. - K E H ]
--ELM848222490-15212-3_--