Bug#841257: sendmail: Privilege escalation from group smmsp to (user) root

2016-11-09 Thread paul . szabo
Dear Andreas,

> I have a completely untested patch sitting in GIT - do you have a
> possibility to test packages built from that?

I could replace files, or DEB packages, on some test machines. Do not
know whether that testing would be exhaustive: do not know how many
features of the sendmail package I use. Or if the changes are "small"
then could just inspect.

Cheers, Paul



Bug#841257: sendmail: Privilege escalation from group smmsp to (user) root

2016-10-19 Thread paul . szabo
Hmm (again) ... Maybe file /usr/share/sendmail/sendmail needs updating
also? It is almost identical to /etc/init.d/sendmail, and in file
/etc/cron.daily/sendmail I notice the lines:

...
#--
# Every so often, give sendmail a chance to run the MSP queues.
*/20 * * * *   smmsp   test -x /etc/init.d/sendmail && /usr/share/sendmail/sendmail cron-msp
#
#--
# Every so often, give sendmail a chance to run the MTA queues.
# Will also run MSP queues if enabled
#*/10 * * * *  root    test -x /etc/init.d/sendmail && /usr/share/sendmail/sendmail cron-mta
...

Maybe no problem as long as that second line is commented out.

I wonder about the first line (whether it is needed), seeing how my
machines always have a process like:

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
smmsp     2880  0.0  0.0  11956  3236 ?        Ss   Oct11   0:00 sendmail: Queue runner@00:10:00 for /var/spool/mqueue-client

running.

Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia



Bug#841257: sendmail: Privilege escalation from group smmsp to (user) root

2016-10-18 Thread paul . szabo
Hmm... you may also need to (once) do:
  chown smmsp /var/run/sendmail/stampdir/reload
when adopting my patch.

Cheers, Paul



Bug#841257: sendmail: Privilege escalation from group smmsp to (user) root

2016-10-18 Thread Paul Szabo
Package: sendmail
Version: 8.14.4-8+deb8u1
Severity: grave
Tags: patch security
Justification: user security hole


Supposing that due to some bug in sendmail, we were able to execute
commands as group smmsp, then that might be leveraged to cause root
to create any (empty) file.

The directory /var/run/sendmail/stampdir is group-smmsp-writable, so
we (as group smmsp) could create symlinks there pointing to any name.
Then when /etc/init.d/sendmail was run as root (to restart the daemon
maybe?), one or another of the symlinks

  /var/run/sendmail/stampdir/reload
  /var/run/sendmail/stampdir/cron_msp
  /var/run/sendmail/stampdir/cron_mta
  /var/run/sendmail/stampdir/cron_msp

might be followed to create an empty file.

Lines in /etc/init.d/sendmail:

   ...
   110  SENDMAIL_ROOT='/var/run/sendmail';
   ...
   144  STAMP_DIR="${SENDMAIL_ROOT}/stampdir";
   ...
   246  touch $STAMP_DIR/reload;
   ...
   367  touch $STAMP_DIR/reload;
   ...
   900  touch $STAMP_DIR/cron_msp;
   ...
   912  touch $STAMP_DIR/cron_mta;
   ...
   938  touch $STAMP_DIR/cron_msp;
   ...
  1130  if [ ! -d "${STAMP_DIR}" ]; then
  1131  mkdir -p "${STAMP_DIR}";
  1132  chown root:smmsp "${STAMP_DIR}";
  1133  chmod 02775 "${STAMP_DIR}";
  1134  fi;
   ...


Things missing to make a "convincing" exploit:
 - a way to "get" group smmsp: there have not been such issues for some
   years now;
 - how to trick the sysadmin into restarting sendmail;
 - under what conditions would any of those "touch" lines be run;
 - a way to "get root" by creating some empty file: damage can be done
   with /etc/nologin, maybe some exploitation with /etc/hosts.deny.
Seems this issue has low priority.


My suggested fix:

$ diff /etc/init.d/sendmail.bak <---> /etc/init.d/sendmail
246c246
<   touch $STAMP_DIR/reload;
---
>   su smmsp -s /bin/bash -c "touch $STAMP_DIR/reload";
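Review bot: the su in this hunk will fail on upgraded systems where a root-owned reload stamp already exists from the old root-run touch at line 246: smmsp cannot update the timestamp of a root-owned file unless it happens to be group-writable, which is why the follow-up message in this thread needs a one-time `chown smmsp /var/run/sendmail/stampdir/reload`; that chown belongs in the package's upgrade path (postinst) rather than being left as a manual step. Dropping to smmsp only removes the privilege from the write; consider also refusing when the path is a symlink (`[ -L "$STAMP_DIR/reload" ]`) so a planted link is reported rather than silently followed as smmsp.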
367c367
<   touch $STAMP_DIR/reload;
---
>   su smmsp -s /bin/bash -c "touch $STAMP_DIR/reload";
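Review bot: this hunk is byte-identical to the 246c246 one, and the same `su smmsp -s /bin/bash -c "touch ..."` idiom recurs in the three hunks that follow; a small helper in the init script (for example `stamp_as_smmsp() { su smmsp -s /bin/bash -c "touch $1"; }`) keeps the five call sites consistent and makes a later switch to a different privilege-dropping tool a one-line change.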
900c900
<   touch $STAMP_DIR/cron_msp;
---
>   su smmsp -s /bin/bash -c "touch 
> $STAMP_DIR/cron_msp";
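Review bot: the cron_msp touch sits in the cron-msp path, and the crontab line quoted earlier in this thread runs `/usr/share/sendmail/sendmail cron-msp` as user smmsp, not root; if this touch is reached from that path, `su smmsp` is invoked by a non-root caller and will prompt for smmsp's password and fail. Guard the su with a uid check (`[ "$(id -u)" = 0 ]`) and touch directly when the script is already running as smmsp.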
912c912
<   touch $STAMP_DIR/cron_mta;
---
>   su smmsp -s /bin/bash -c "touch $STAMP_DIR/cron_mta";
938c938
<   touch $STAMP_DIR/cron_msp;
---
>   su smmsp -s /bin/bash -c "touch 
> $STAMP_DIR/cron_msp";
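Review bot: the replacement lines in this hunk and in the 900c900 hunk are wrapped mid-string by the mail client (`"touch ` on one line, `$STAMP_DIR/cron_msp";` on the next), so the patch as pasted will not apply; resend it as an attachment or as a unified diff (`diff -u`) so each `touch` stays on one line with its argument.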


Cheers, Paul

Paul Szabo   p...@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney   Australia
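A hardened form of the root-run `touch $STAMP_DIR/...` lines from the report, as an added example that is neither the reporter's patch nor code from the Debian sendmail package: `safe_stamp` refuses a symlink or other non-regular file at the stamp path, and `demo` builds a constructed throwaway directory to exercise it (both function names are mine).

```shell
#!/bin/sh
# Added example, not code from the bug report or the Debian sendmail package.
# safe_stamp: create/update a stamp file from a root-run script without
# following a symlink that a group-writable directory lets others plant.
# Returns 0 if the stamp was touched, 1 if it refused.
safe_stamp() {
    stamp="$1"
    # -L is true for a symlink even when its target does not exist yet,
    # which is exactly the planted-link case: refuse before any write.
    if [ -L "$stamp" ]; then
        echo "safe_stamp: refusing to follow symlink $stamp" >&2
        return 1
    fi
    # Anything that exists but is not a regular file (fifo, device,
    # directory) is equally suspect in a stamp directory.
    if [ -e "$stamp" ] && [ ! -f "$stamp" ]; then
        echo "safe_stamp: $stamp exists and is not a regular file" >&2
        return 1
    fi
    # Check-then-touch is still racy if a writer can swap the entry in
    # between; pair this with the thread's fix of dropping to smmsp so
    # that even a won race gains nothing.
    touch "$stamp"
}

# demo: constructed throwaway layout mimicking the 02775 stampdir case.
# Returns 0 when the planted link is refused, its target stays absent,
# and an ordinary stamp is created as a regular file.
demo() {
    dir=$(mktemp -d) || return 2
    mkdir -p "$dir/stampdir" "$dir/etc"
    chmod 2775 "$dir/stampdir"
    # Planted link: stampdir/reload -> etc/nologin (constructed paths).
    ln -s "$dir/etc/nologin" "$dir/stampdir/reload"
    ok=0
    if safe_stamp "$dir/stampdir/reload" 2>/dev/null; then ok=1; fi
    [ -e "$dir/etc/nologin" ] && ok=1
    safe_stamp "$dir/stampdir/cron_msp" || ok=1
    [ -f "$dir/stampdir/cron_msp" ] || ok=1
    rm -rf "$dir"
    return "$ok"
}

demo && echo "stamp helper behaved as expected"
```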