Package: sendmail
Version: 8.14.4-8+deb8u1
Severity: grave
Tags: patch security
Justification: user security hole


Supposing that due to some bug in sendmail, we were able to execute
commands as group smmsp, then that might be leveraged to cause root
to create any (empty) file.

The directory /var/run/sendmail/stampdir is group-smmsp-writable, so
we (as group smmsp) could create symlinks there pointing to any name.
Then when /etc/init.d/sendmail was run as root (to restart the daemon
maybe?), one or another of the symlinks

  /var/run/sendmail/stampdir/reload
  /var/run/sendmail/stampdir/cron_msp
  /var/run/sendmail/stampdir/cron_mta
  /var/run/sendmail/stampdir/cron_msp

might be followed to create an empty file.

Lines in /etc/init.d/sendmail:

   ...
   110          SENDMAIL_ROOT='/var/run/sendmail';
   ...
   144          STAMP_DIR="${SENDMAIL_ROOT}/stampdir";
   ...
   246          touch $STAMP_DIR/reload;
   ...
   367          touch $STAMP_DIR/reload;
   ...
   900                                          touch $STAMP_DIR/cron_msp;
   ...
   912                          touch $STAMP_DIR/cron_mta;
   ...
   938                                  touch $STAMP_DIR/cron_msp;
   ...
  1130          if [ ! -d "${STAMP_DIR}" ]; then
  1131                  mkdir -p "${STAMP_DIR}";
  1132                  chown root:smmsp "${STAMP_DIR}";
  1133                  chmod 02775 "${STAMP_DIR}";
  1134                  fi;
   ...


Things missing to make a "convincing" exploit:
 - a way to "get" group smmsp: there have not been such issues for some
   years now;
 - how to trick the sysadmin into restarting sendmail;
 - under what conditions would any of those "touch" lines be run;
 - a way to "get root" by creating some empty file: damage can be done
   with /etc/nologin, maybe some exploitation with /etc/hosts.deny.
Seems this issue has low priority.


My suggested fix:

$ diff /etc/init.d/sendmail.bak <---> /etc/init.d/sendmail
246c246
<       touch $STAMP_DIR/reload;
---
>       su smmsp -s /bin/bash -c "touch $STAMP_DIR/reload";
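Review bot: on an upgraded system `su smmsp -s /bin/bash -c "touch $STAMP_DIR/reload"` will fail wherever `$STAMP_DIR/reload` already exists as a root-owned file created by the old `touch` with a non-group-writable mode, since smmsp then has no write permission on it; the change needs a one-time migration (remove or chown the existing stamp files) and the script should check su's exit status rather than ignore it. `$STAMP_DIR` is expanded by the root shell before su runs, which is what is intended here.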
367c367
<       touch $STAMP_DIR/reload;
---
>       su smmsp -s /bin/bash -c "touch $STAMP_DIR/reload";
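Review bot: this is the same wrapper as at line 246, and it appears five times in the patch; factor it into one helper (e.g. `stamp_touch() { su smmsp -s /bin/bash -c "touch $1"; }`) so the privilege drop, error handling and any later symlink check live in one place instead of being repeated per call site.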
900c900
<                                       touch $STAMP_DIR/cron_msp;
---
>                                       su smmsp -s /bin/bash -c "touch 
> $STAMP_DIR/cron_msp";
912c912
<                       touch $STAMP_DIR/cron_mta;
---
>                       su smmsp -s /bin/bash -c "touch $STAMP_DIR/cron_mta";
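Review bot: dropping to smmsp limits the damage but the touch still follows an attacker-planted symlink, now as user smmsp, so the stamp write can land anywhere smmsp may write; pair the privilege drop with a refusal to touch through a link (e.g. `[ -L "$STAMP_DIR/cron_mta" ] && exit 1` before the touch) or revisit why the stamp directory has to be group-writable at all, which is the root cause the report describes.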
938c938
<                               touch $STAMP_DIR/cron_msp;
---
>                               su smmsp -s /bin/bash -c "touch 
> $STAMP_DIR/cron_msp";


Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia
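As an added example (not code from the bug report or from the Debian sendmail package), the following POSIX sh helper shows the defensive check the report points at: a stamp-file writer that refuses to go through a symlink in a group-writable directory. The name `safe_touch`, the `demo` function and the temporary paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the bug report or the sendmail package.
# safe_touch is an assumed helper name; the demo paths below are constructed.

# safe_touch PATH
# Create or update a stamp file, but never through a symlink: a less
# privileged group that can write the directory must not be able to make
# root create a file of its choosing elsewhere.  Returns 1 and touches
# nothing when PATH is a symlink or exists as a non-regular file.
safe_touch() {
    _f=$1
    if [ -L "$_f" ]; then
        echo "safe_touch: refusing to follow symlink: $_f" >&2
        return 1
    fi
    if [ -e "$_f" ] && [ ! -f "$_f" ]; then
        echo "safe_touch: not a regular file: $_f" >&2
        return 1
    fi
    touch "$_f"
}

# Demo: a constructed stamp directory holding one planted symlink, the
# situation the report describes for /var/run/sendmail/stampdir.
demo() {
    _d=$(mktemp -d) || return 1
    ln -s "$_d/elsewhere" "$_d/reload"      # the planted link
    safe_touch "$_d/reload" && echo "unexpected: followed the symlink"
    [ -e "$_d/elsewhere" ] || echo "ok: $_d/elsewhere was not created"
    safe_touch "$_d/cron_mta" && echo "ok: created $_d/cron_mta"
    rm -rf "$_d"
}

demo
```

The `-L` test and the `touch` are two separate system calls, so a writer in the same directory could still swap the path between them; the helper raises the bar rather than closing the race. The durable fix is the one the report hints at: do not give a less-privileged group write access to a directory that root creates files in, or create the stamp file with O_NOFOLLOW from a small compiled helper.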