23 messages in org.freebsd.freebsd-securityRe: FreeBSD Security Advisory FreeBSD...| From | Sent On | Attachments |
|---|---|---|
| Mike Tancsa | Mar 3, 2003 9:26 am | |
| Bruce A. Mah | Mar 3, 2003 9:56 am | |
| Chris Samaritoni | Mar 3, 2003 11:38 am | |
| Jacques A. Vidrine | Mar 3, 2003 11:56 am | |
| Jason Stone | Mar 3, 2003 1:43 pm | |
| Matthew Seaman | Mar 3, 2003 3:45 pm | |
| Chris McCluskey | Mar 3, 2003 4:58 pm | |
| Hans Zaunere | Mar 3, 2003 6:28 pm | |
| Claus Assmann | Mar 3, 2003 8:06 pm | |
| Chris McCluskey | Mar 3, 2003 8:08 pm | |
| Peter Elsner | Mar 4, 2003 6:35 am | |
| Jacques A. Vidrine | Mar 4, 2003 7:06 am | |
| Jacques A. Vidrine | Mar 4, 2003 7:07 am | |
| Mike Tancsa | Mar 4, 2003 9:46 am | |
| Greg Shenaut | Mar 4, 2003 9:58 am | |
| Brett Glass | Mar 4, 2003 10:12 am | |
| Mike Tancsa | Mar 4, 2003 11:13 am | |
| Chris McCluskey | Mar 5, 2003 1:52 am | |
| Jacques A. Vidrine | Mar 5, 2003 6:21 am | |
| Geoffrey | Mar 5, 2003 12:09 pm | |
| Andrés Vargas | Mar 5, 2003 12:43 pm | |
| Jacques A. Vidrine | Mar 5, 2003 1:04 pm | |
| Andrés Vargas | Mar 5, 2003 1:43 pm |
| Subject: | Re: FreeBSD Security Advisory FreeBSD-SA-03:04.sendmail | |
|---|---|---|
| From: | Jason Stone (jaso...@shalott.net) | |
| Date: | Mar 3, 2003 1:43:07 pm | |
| List: | org.freebsd.freebsd-security | |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Question, I have a some systems that don't run any sendmail daemons, but local users that have scripts that run sendmail to send messages. I'm not familiar with how running sendmail from the command line would differ, but would this also be affected by this bug, in which case wouldn't this also make it a local compromise as well? I'm just looking for clarification.
Yes, upgrade.
Of course you should upgrade, but to answer your question more fully, I don't think that it's possible to gain root from the local exploit.
Now I'm not very familiar with sendmail (I've run only qmail for many years, as sendmail never stops getting hacked...), but when the user runs sendmail locally, I think that the sendmail process is the only process that runs, and that it reads the message and then either drops the message into the local clientmqueue for delivery by an already running root sendmail daemon, or else delivers it itself, immediately.
On a recently built -STABLE box, I see
hermione/home/jason-1005: ls -l /usr/libexec/sendmail/sendmail - -r-xr-sr-x 1 root smmsp 582520 Feb 3 20:58 /usr/libexec/sendmail/sendmail
which leads me to believe that exploiting the daemon would give you group smmsp priveleges and not root privelegs. This would allow a malicious local user to potentially read the outgoing mail of other users in the clientmqueue, but not take over the machine.
Finally, if you are running an alternate mailer like qmail (which I cannot reccommend highly enough), it's probably a good idea to "chmod 0 /usr/libexec/sendmail/sendmail", to prevent this local exploit. Even though it's not so bad in this case, users should never be able to execute code as another user/group.
-Jason
-------------------------------------------------------------------------- Freud himself was a bit of a cold fish, and one cannot avoid the suspicion that he was insufficiently fondled when he was an infant. -- Ashley Montagu -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg
iD8DBQE+Y8yBswXMWWtptckRAjFYAKDISZThZPrldv28ECwjesZgdSk/DQCdE+Nf GIPFe0crVvYDp3wLmaUvlq8= =jz5U -----END PGP SIGNATURE-----
To Unsubscribe: send mail to majo...@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message