Your message dated Wed, 30 Nov 2016 19:41:15 +0000
with message-id <[email protected]>
and subject line Bug#841257: fixed in sendmail 8.15.2-7
has caused the Debian Bug report #841257,
regarding sendmail: Privilege escalation from group smmsp to (user) root
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
841257: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841257
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sendmail
Version: 8.14.4-8+deb8u1
Severity: grave
Tags: patch security
Justification: user security hole

Supposing that due to some bug in sendmail, we were able to execute
commands as group smmsp, then that might be leveraged to cause root to
create any (empty) file.

The directory /var/run/sendmail/stampdir is group-smmsp-writable, so we
(as group smmsp) could create symlinks there pointing to any name. Then
when /etc/init.d/sendmail was run as root (to restart the daemon
maybe?), one or another of the symlinks

  /var/run/sendmail/stampdir/reload
  /var/run/sendmail/stampdir/cron_msp
  /var/run/sendmail/stampdir/cron_mta
  /var/run/sendmail/stampdir/cron_msp

might be followed to create an empty file.

Lines in /etc/init.d/sendmail:

  ...
   110  SENDMAIL_ROOT='/var/run/sendmail';
  ...
   144  STAMP_DIR="${SENDMAIL_ROOT}/stampdir";
  ...
   246  touch $STAMP_DIR/reload;
  ...
   367  touch $STAMP_DIR/reload;
  ...
   900  touch $STAMP_DIR/cron_msp;
  ...
   912  touch $STAMP_DIR/cron_mta;
  ...
   938  touch $STAMP_DIR/cron_msp;
  ...
  1130  if [ ! -d "${STAMP_DIR}" ]; then
  1131      mkdir -p "${STAMP_DIR}";
  1132      chown root:smmsp "${STAMP_DIR}";
  1133      chmod 02775 "${STAMP_DIR}";
  1134  fi;
  ...

Things missing to make a "convincing" exploit:
 - a way to "get" group smmsp: there have not been such issues for some
   years now;
 - how to trick the sysadmin into restarting sendmail;
 - under what conditions would any of those "touch" lines be run;
 - a way to "get root" by creating some empty file: damage can be done
   with /etc/nologin, maybe some exploitation with /etc/hosts.deny.

Seems this issue has low priority.

My suggested fix: $ diff /etc/init.d/sendmail.bak <---> /etc/init.d/sendmail 246c246 < touch $STAMP_DIR/reload; --- > su smmsp -s /bin/bash -c "touch $STAMP_DIR/reload"; 367c367 < touch $STAMP_DIR/reload; --- > su smmsp -s /bin/bash -c "touch $STAMP_DIR/reload"; 900c900 < touch $STAMP_DIR/cron_msp; --- > su smmsp -s /bin/bash -c "touch > $STAMP_DIR/cron_msp"; 912c912 < touch $STAMP_DIR/cron_mta; --- > su smmsp -s /bin/bash -c "touch $STAMP_DIR/cron_mta"; 938c938 < touch $STAMP_DIR/cron_msp; --- > su smmsp -s /bin/bash -c "touch > $STAMP_DIR/cron_msp"; Cheers, Paul Paul Szabo [email protected] http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia
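Review bot: in the 246c246 replacement (the same form recurs at 367c367 and 912c912), $STAMP_DIR is expanded by the calling shell into the string handed to bash -c and is then parsed a second time without quotes, so the change is only safe while the value assigned at line 144 stays free of spaces and shell metacharacters. Quoting the path inside the command string, for example -c "touch '$STAMP_DIR/reload'", would remove that dependency. The replacement also names -s /bin/bash although nothing bash-specific is run, and the exit status of su is not checked, so a failing su leaves the stamp silently untouched.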
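Review bot: the 900c900 and 938c938 replacements are each split in two as posted, with the command breaking after "touch" and a second ">" marker before "$STAMP_DIR/cron_msp";", which does not match a one-line change header and looks like mail wrapping. As mailed these two hunks will not apply, and read literally they put a line break (or a stray ">") inside the quoted command. Each should be rejoined into a single line of the same form as the 912c912 replacement.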
--- End Message ---
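
The condition described in the report above (symlinks planted in a group-writable stamp directory that root later touches) can be checked for directly. The shell function below is an added example, not part of the Debian sendmail package or of either message; the name audit_stampdir and its output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the Debian sendmail package.
# Audits a stamp directory such as /var/run/sendmail/stampdir for entries
# that a root-run "touch" would follow out of the directory.
#
# Usage (after sourcing this file):
#   audit_stampdir /var/run/sendmail/stampdir

# audit_stampdir DIR
# Prints one finding per line on stdout.
# Returns 0 if the directory is clean, 1 if there are findings,
# 2 if DIR is not a directory.
audit_stampdir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    findings=0
    # Three globs so that dot-files are covered as well as plain names.
    for entry in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        # An unmatched glob stays literal and fails both tests: skip it.
        # A dangling symlink fails -e but passes -L, so it is kept; that is
        # the case where touch would create a new file at the target.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ -L "$entry" ]; then
            echo "SYMLINK $entry -> $(readlink "$entry")"
            findings=1
        elif [ ! -f "$entry" ]; then
            # Stamps are plain files; anything else is unexpected here.
            echo "NOT-REGULAR $entry"
            findings=1
        fi
    done
    return "$findings"
}
```

A non-zero return before running the init script as root means an entry in the directory would redirect one of the touch calls; the check is a point-in-time audit and does not replace touching the stamps as smmsp.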
--- Begin Message ---
Source: sendmail
Source-Version: 8.15.2-7

We believe that the bug you reported is fixed in the latest version of
sendmail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Beckmann <[email protected]> (supplier of updated sendmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Wed, 30 Nov 2016 12:32:49 +0100
Source: sendmail
Binary: sendmail-bin rmail sensible-mda libmilter1.0.1 libmilter-dev sendmail-doc sendmail sendmail-base sendmail-cf
Architecture: source
Version: 8.15.2-7
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <[email protected]>
Changed-By: Andreas Beckmann <[email protected]>
Description:
 libmilter-dev - Sendmail Mail Filter API (Milter) (development files)
 libmilter1.0.1 - Sendmail Mail Filter API (Milter)
 rmail      - MTA->UUCP remote mail handler
 sendmail   - powerful, efficient, and scalable Mail Transport Agent (metapacka
 sendmail-base - powerful, efficient, and scalable Mail Transport Agent (arch inde
 sendmail-bin - powerful, efficient, and scalable Mail Transport Agent
 sendmail-cf - powerful, efficient, and scalable Mail Transport Agent (config ma
 sendmail-doc - powerful, efficient, and scalable Mail Transport Agent (documenta
 sensible-mda - Mail Delivery Agent wrapper
Closes: 840837 841257 843682
Changes:
 sendmail (8.15.2-7) unstable; urgency=medium
 .
   * QA upload.
   * Fix openssl argument order.  (Closes: #843682)
   * sendmail-bin: Add missing Depends: lsb-base.
   * Stop using dh_buildinfo in favor of dpkg-buildinfo.
   * Enable more hardening flags.
   * debian/examples/db/access: Comment out localhost entries, may be forged.
     (Closes: #840837)
   * Only touch files as smmsp:smmsp in /var/run/sendmail/stampdir (writable
     by group smmsp) to avoid possible privilege escalation.
     (Closes: #841257)
--- End Message ---

