Your message dated Sun, 12 Feb 2017 22:47:11 +0000
with message-id <[email protected]>
and subject line Bug#841257: fixed in sendmail 8.14.4-8+deb8u2
has caused the Debian Bug report #841257,
regarding sendmail: Privilege escalation from group smmsp to (user) root
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
841257: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841257
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sendmail
Version: 8.14.4-8+deb8u1
Severity: grave
Tags: patch security
Justification: user security hole

Supposing that due to some bug in sendmail, we were able to execute
commands as group smmsp, then that might be leveraged to cause root to
create any (empty) file.

The directory /var/run/sendmail/stampdir is group-smmsp-writable, so we
(as group smmsp) could create symlinks there pointing to any name. Then
when /etc/init.d/sendmail was run as root (to restart the daemon
maybe?), one or another of the symlinks

  /var/run/sendmail/stampdir/reload
  /var/run/sendmail/stampdir/cron_msp
  /var/run/sendmail/stampdir/cron_mta
  /var/run/sendmail/stampdir/cron_msp

might be followed to create an empty file.

Lines in /etc/init.d/sendmail:

  ...
   110  SENDMAIL_ROOT='/var/run/sendmail';
  ...
   144  STAMP_DIR="${SENDMAIL_ROOT}/stampdir";
  ...
   246  touch $STAMP_DIR/reload;
  ...
   367  touch $STAMP_DIR/reload;
  ...
   900  touch $STAMP_DIR/cron_msp;
  ...
   912  touch $STAMP_DIR/cron_mta;
  ...
   938  touch $STAMP_DIR/cron_msp;
  ...
  1130  if [ ! -d "${STAMP_DIR}" ]; then
  1131      mkdir -p "${STAMP_DIR}";
  1132      chown root:smmsp "${STAMP_DIR}";
  1133      chmod 02775 "${STAMP_DIR}";
  1134  fi;
  ...

Things missing to make a "convincing" exploit:
 - a way to "get" group smmsp: there have not been such issues for some
   years now;
 - how to trick the sysadmin into restarting sendmail;
 - under what conditions would any of those "touch" lines be run;
 - a way to "get root" by creating some empty file: damage can be done
   with /etc/nologin, maybe some exploitation with /etc/hosts.deny.

Seems this issue has low priority.

My suggested fix: $ diff /etc/init.d/sendmail.bak <---> /etc/init.d/sendmail 246c246 < touch $STAMP_DIR/reload; --- > su smmsp -s /bin/bash -c "touch $STAMP_DIR/reload"; 367c367 < touch $STAMP_DIR/reload; --- > su smmsp -s /bin/bash -c "touch $STAMP_DIR/reload"; 900c900 < touch $STAMP_DIR/cron_msp; --- > su smmsp -s /bin/bash -c "touch > $STAMP_DIR/cron_msp"; 912c912 < touch $STAMP_DIR/cron_mta; --- > su smmsp -s /bin/bash -c "touch $STAMP_DIR/cron_mta"; 938c938 < touch $STAMP_DIR/cron_msp; --- > su smmsp -s /bin/bash -c "touch > $STAMP_DIR/cron_msp"; Cheers, Paul Paul Szabo [email protected] http://www.maths.usyd.edu.au/u/psz/ School of Mathematics and Statistics University of Sydney Australia
--- End Message ---
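
Review bot: In the 900c900 and 938c938 hunks the replacement is split over two ">" lines, so the double-quoted string handed to -c contains a newline between "touch" and "$STAMP_DIR/cron_msp". Applied as shown, the inner shell would run touch with no operand and then try to execute the stamp path as a command. Join each replacement into a single line, as the 912c912 hunk does.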
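
Review bot: The same su smmsp -s /bin/bash -c "touch ..." string is repeated at lines 246, 367, 900, 912 and 938 with no comment on why the stamp files must not be touched as root; put it in one small helper function with a comment that touch still follows a symlink in $STAMP_DIR and that running it as smmsp is what limits the result to paths smmsp can already write. $STAMP_DIR is expanded by the calling root shell and reaches the inner shell unquoted, so quote it inside the command string. Nothing in the command needs bash, so -s /bin/sh would do.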
--- Begin Message ---
Source: sendmail
Source-Version: 8.14.4-8+deb8u2

We believe that the bug you reported is fixed in the latest version of
sendmail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Beckmann <[email protected]> (supplier of updated sendmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Mon, 06 Feb 2017 00:16:03 +0100
Source: sendmail
Binary: sendmail-bin rmail sensible-mda libmilter1.0.1 libmilter1.0.1-dbg libmilter-dev sendmail-doc sendmail sendmail-base sendmail-cf
Architecture: source all
Version: 8.14.4-8+deb8u2
Distribution: jessie
Urgency: medium
Maintainer: Debian QA Group <[email protected]>
Changed-By: Andreas Beckmann <[email protected]>
Description:
 libmilter-dev - Sendmail Mail Filter API (Milter) (development files)
 libmilter1.0.1 - Sendmail Mail Filter API (Milter)
 libmilter1.0.1-dbg - Sendmail Mail Filter API (Milter) (debug symbols)
 rmail      - MTA->UUCP remote mail handler
 sendmail   - powerful, efficient, and scalable Mail Transport Agent (metapacka
 sendmail-base - powerful, efficient, and scalable Mail Transport Agent (arch inde
 sendmail-bin - powerful, efficient, and scalable Mail Transport Agent
 sendmail-cf - powerful, efficient, and scalable Mail Transport Agent (config ma
 sendmail-doc - powerful, efficient, and scalable Mail Transport Agent (documenta
 sensible-mda - Mail Delivery Agent wrapper
Closes: 841257
Changes:
 sendmail (8.14.4-8+deb8u2) jessie; urgency=medium
 .
   * QA upload.
   * Only touch files as smmsp:smmsp in /var/run/sendmail/stampdir (writable
     by group smmsp) to avoid possible privilege escalation.
     (Closes: #841257)
   * Use lockfile-create (from lockfile-progs) instead of touch to manage the
     cronjob lockfiles.
   * sendmail-base: Add Depends: netbase for /etc/services.
--- End Message ---
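
A defensive check for the condition described in the report, as an added example that is not part of the original messages or of the Debian package: a shell function that lists entries in the stamp directory that a touch run by root would follow, separating dangling links (where touch would create the target) from links to existing files. The function names, finding labels and the temporary sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a stamp directory for entries that a privileged
# `touch` would follow. The default path is the one named in the report;
# the function names and finding labels are this example's own.

# audit_stampdir [DIR]: print one finding per line.
# Returns 0 if clean, 1 if anything is flagged, 2 if DIR is unusable.
audit_stampdir() {
    dir=${1:-/var/run/sendmail/stampdir}
    found=0
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "BAD-DIR $dir"
        return 2
    fi
    for entry in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        # Unmatched globs stay literal; skip names that do not exist.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ -L "$entry" ]; then
            target=$(readlink "$entry")
            if [ -e "$entry" ]; then
                # touch would only update the target's timestamps.
                echo "SYMLINK-EXISTING $entry -> $target"
            else
                # Dangling link: touch would create the target as an
                # empty file with the caller's privileges.
                echo "SYMLINK-DANGLING $entry -> $target"
            fi
            found=1
        elif [ ! -f "$entry" ]; then
            echo "NOT-REGULAR $entry"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample: one ordinary stamp file and two symlinks.
demo_constructed() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/stampdir"
    : > "$tmp/stampdir/reload"
    ln -s "$tmp/not-yet-there" "$tmp/stampdir/cron_msp"
    ln -s "$tmp/stampdir/reload" "$tmp/stampdir/cron_mta"
    audit_stampdir "$tmp/stampdir" && status=0 || status=$?
    rm -rf "$tmp"
    return "$status"
}

if [ "${1:-}" = "--demo" ]; then demo_constructed; fi
```

Run with --demo to see the two findings on the constructed directory, or call audit_stampdir with no argument on a host to check the path named in the report.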

