
Bug#841257: marked as done (sendmail: Privilege escalation from group smmsp to (user) root)



Your message dated Sun, 12 Feb 2017 22:47:11 +0000
with message-id <E1cd2vH-000FBd-3o@fasolo.debian.org>
and subject line Bug#841257: fixed in sendmail 8.14.4-8+deb8u2
has caused the Debian Bug report #841257,
regarding sendmail: Privilege escalation from group smmsp to (user) root
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
841257: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841257
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: sendmail
Version: 8.14.4-8+deb8u1
Severity: grave
Tags: patch security
Justification: user security hole


Supposing that due to some bug in sendmail, we were able to execute
commands as group smmsp, then that might be leveraged to cause root
to create any (empty) file.

The directory /var/run/sendmail/stampdir is group-smmsp-writable, so
we (as group smmsp) could create symlinks there pointing to any name.
Then when /etc/init.d/sendmail was run as root (to restart the daemon
maybe?), one or another of the symlinks

  /var/run/sendmail/stampdir/reload
  /var/run/sendmail/stampdir/cron_msp
  /var/run/sendmail/stampdir/cron_mta
  /var/run/sendmail/stampdir/cron_msp

might be followed to create an empty file.

Lines in /etc/init.d/sendmail:

   ...
   110		SENDMAIL_ROOT='/var/run/sendmail';
   ...
   144		STAMP_DIR="${SENDMAIL_ROOT}/stampdir";
   ...
   246		touch $STAMP_DIR/reload;
   ...
   367		touch $STAMP_DIR/reload;
   ...
   900						touch $STAMP_DIR/cron_msp;
   ...
   912				touch $STAMP_DIR/cron_mta;
   ...
   938					touch $STAMP_DIR/cron_msp;
   ...
  1130		if [ ! -d "${STAMP_DIR}" ]; then
  1131			mkdir -p "${STAMP_DIR}";
  1132			chown root:smmsp "${STAMP_DIR}";
  1133			chmod 02775 "${STAMP_DIR}";
  1134			fi;
   ...


Things missing to make a "convincing" exploit:
 - a way to "get" group smmsp: there have not been such issues for some
   years now;
 - how to trick the sysadmin into restarting sendmail;
 - under what conditions would any of those "touch" lines be run;
 - a way to "get root" by creating some empty file: damage can be done
   with /etc/nologin, maybe some exploitation with /etc/hosts.deny.
Seems this issue has low priority.


My suggested fix:

$ diff /etc/init.d/sendmail.bak <---> /etc/init.d/sendmail
246c246
< 	touch $STAMP_DIR/reload;
---
> 	su smmsp -s /bin/bash -c "touch $STAMP_DIR/reload";
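Review bot: running the touch as user smmsp is the right direction (the stamp directory is root:smmsp 02775 per lines 1132-1133 above, so anything smmsp can create there is already within its own rights), but it is worth being explicit about what the change does and does not fix: touch still follows a symlink, it simply can no longer do so with root's privileges. Two smaller points on this line: `-s /bin/bash` makes the init script depend on bash where `/bin/sh` would do, and `$STAMP_DIR` is expanded by the outer shell inside the double quotes, which is fine for the fixed value set at line 144 but is safer written as `"touch \"$STAMP_DIR/reload\""` so the inner shell never word-splits the path.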
367c367
< 	touch $STAMP_DIR/reload;
---
> 	su smmsp -s /bin/bash -c "touch $STAMP_DIR/reload";
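Review bot: this is the identical one-line change as at 246c246, and the three cron stamps below repeat it again; factoring the unprivileged touch into a single helper function that takes the stamp name, called from all five sites, would keep the account, shell and quoting in one place and stop the call sites from drifting apart.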
900c900
< 					touch $STAMP_DIR/cron_msp;
---
> 					su smmsp -s /bin/bash -c "touch $STAMP_DIR/cron_msp";
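Review bot: cron_msp and cron_mta differ from the reload stamp in that the cron-job paths at lines 900, 912 and 938 use touch as a lock/stamp mechanism; after this change those files are owned by smmsp rather than root, so any later check or cleanup that runs as root must tolerate that. A dedicated lock tool rather than a hand-rolled touch is the cleaner route here, which is what the uploaded package's changelog below (lockfile-create from lockfile-progs) ended up doing.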
912c912
< 			touch $STAMP_DIR/cron_mta;
---
> 			su smmsp -s /bin/bash -c "touch $STAMP_DIR/cron_mta";
938c938
< 				touch $STAMP_DIR/cron_msp;
---
> 				su smmsp -s /bin/bash -c "touch $STAMP_DIR/cron_msp";


Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

--- End Message ---
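The hazard in the report above is root running touch on a name inside a directory that a less privileged group can write to, so a planted symlink turns the touch into the creation of a file anywhere root can write. The shell helper below is an added example, not code from the bug report or from the Debian sendmail package: it generalizes the suggested fix into one function that refuses to create through any symlink (an explicit `[ -L ]` check plus a noclobber redirection, which bash and dash implement with O_CREAT|O_EXCL when the name does not already resolve, so the kernel refuses to create through a symlink wherever it points) and, when run as root and given an account name, drops to that account the way the report's `su` lines do. The function name `stamp_create`, its argument layout and the throwaway demo directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report or the Debian package): a stamp-file
# helper for an init script that never creates a file through a symlink left
# in a group-writable directory. Assumptions: the directory is a real directory
# (like the root:smmsp 02775 stampdir in the report), and the optional third
# argument names the unprivileged account to drop to when running as root.

# stamp_create DIR NAME [USER]
# Creates DIR/NAME as an empty file. Returns 0 on success; non-zero if DIR is
# not a plain directory (2), if DIR/NAME is a symlink (3), or if the file
# already exists or cannot be created (other non-zero).
stamp_create() {
    sc_dir=$1; sc_name=$2; sc_user=${3:-}
    sc_path="$sc_dir/$sc_name"

    # 1. The directory itself must be a directory and not a symlink.
    if [ -L "$sc_dir" ] || [ ! -d "$sc_dir" ]; then
        echo "stamp_create: $sc_dir is not a plain directory" >&2
        return 2
    fi

    # 2. Refuse any symlink at the target name. This check alone is racy
    #    (the link could appear after the test); the exclusive create in
    #    step 3 is what closes that window.
    if [ -L "$sc_path" ]; then
        echo "stamp_create: refusing to create through symlink $sc_path" >&2
        return 3
    fi

    # 3. Create with noclobber (set -C). bash and dash open with
    #    O_CREAT|O_EXCL when the name does not resolve, and open(2) then
    #    fails if the name is a symbolic link, regardless of its target.
    if [ "$(id -u)" -eq 0 ] && [ -n "$sc_user" ]; then
        # As root, additionally drop to the unprivileged account, mirroring
        # the report's su-based fix: a write can then never exceed what that
        # account could do on its own. Assumes a path without double quotes.
        su "$sc_user" -s /bin/sh -c "set -C; : > \"$sc_path\"" 2>/dev/null
    else
        ( set -C; : > "$sc_path" ) 2>/dev/null
    fi
}

# Demonstration in a throwaway directory (constructed input, not the real
# /var/run/sendmail/stampdir): a fresh stamp succeeds, a planted dangling
# symlink is refused and its target is never created.
demo_dir=$(mktemp -d)
stamp_create "$demo_dir" reload && echo "created $demo_dir/reload"
ln -s "$demo_dir/victim" "$demo_dir/cron_msp"   # symlink to a name that does not exist
stamp_create "$demo_dir" cron_msp || echo "refused cron_msp (exit $?)"
[ -e "$demo_dir/victim" ] || echo "victim was not created"
rm -rf "$demo_dir"
```

In an init script the call would be `stamp_create "$STAMP_DIR" reload smmsp`; on a real system the privilege drop is the part that matters, because the symlink test and the create are two separate system calls and only the exclusive create, run as the unprivileged account, removes the benefit of a planted link entirely.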
--- Begin Message ---
Source: sendmail
Source-Version: 8.14.4-8+deb8u2

We believe that the bug you reported is fixed in the latest version of
sendmail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 841257@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Beckmann <anbe@debian.org> (supplier of updated sendmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 06 Feb 2017 00:16:03 +0100
Source: sendmail
Binary: sendmail-bin rmail sensible-mda libmilter1.0.1 libmilter1.0.1-dbg libmilter-dev sendmail-doc sendmail sendmail-base sendmail-cf
Architecture: source all
Version: 8.14.4-8+deb8u2
Distribution: jessie
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Andreas Beckmann <anbe@debian.org>
Description:
 libmilter-dev - Sendmail Mail Filter API (Milter) (development files)
 libmilter1.0.1 - Sendmail Mail Filter API (Milter)
 libmilter1.0.1-dbg - Sendmail Mail Filter API (Milter) (debug symbols)
 rmail      - MTA->UUCP remote mail handler
 sendmail   - powerful, efficient, and scalable Mail Transport Agent (metapacka
 sendmail-base - powerful, efficient, and scalable Mail Transport Agent (arch inde
 sendmail-bin - powerful, efficient, and scalable Mail Transport Agent
 sendmail-cf - powerful, efficient, and scalable Mail Transport Agent (config ma
 sendmail-doc - powerful, efficient, and scalable Mail Transport Agent (documenta
 sensible-mda - Mail Delivery Agent wrapper
Closes: 841257
Changes:
 sendmail (8.14.4-8+deb8u2) jessie; urgency=medium
 .
   * QA upload.
   * Only touch files as smmsp:smmsp in /var/run/sendmail/stampdir (writable by
     group smmsp) to avoid possible privilege escalation.  (Closes: #841257)
   * Use lockfile-create (from lockfile-progs) instead of touch to manage the
     cronjob lockfiles.
   * sendmail-base: Add Depends: netbase for /etc/services.
Checksums-Sha1:
 b8d2825bcae45db53fb5630cf450304d47a0b66b 2633 sendmail_8.14.4-8+deb8u2.dsc
 f25c3c8e2805c398a9a0bf49984e85032ad9bc1f 395860 sendmail_8.14.4-8+deb8u2.debian.tar.xz
 1e208e8905da4de797743d130a5c18760a87b871 860236 sendmail-doc_8.14.4-8+deb8u2_all.deb
 35e2082c6efd5f8453f3098244fd0ed905a77e73 217222 sendmail_8.14.4-8+deb8u2_all.deb
 5a4e80c4d95ae4b44b9ff519e0910cff7cb84fcf 339092 sendmail-base_8.14.4-8+deb8u2_all.deb
 b3e2163ee38b53456ae5e064bf8f0cb5ad8b16cc 286272 sendmail-cf_8.14.4-8+deb8u2_all.deb
Checksums-Sha256:
 e34ec9c55b23f130999c5fcf81d4827023c64c02f9e5555d5dfeb203f13e7a5f 2633 sendmail_8.14.4-8+deb8u2.dsc
 177ffe6a2191ac2c31688a8207115e7f3ff0d537f898c56b943d000429632d30 395860 sendmail_8.14.4-8+deb8u2.debian.tar.xz
 196744d13faea50d8e9b9dffb3352fa2cef10a1520f88d89b32341db76d3b4cd 860236 sendmail-doc_8.14.4-8+deb8u2_all.deb
 cf536fca6d870e56628f2ddf9fe6a1f9702fd7a160f61a58a5e42a887a718ccc 217222 sendmail_8.14.4-8+deb8u2_all.deb
 90f47255e974bd6f29da29a0f20bf6edac5af935f2a434a4a77826fc862382cf 339092 sendmail-base_8.14.4-8+deb8u2_all.deb
 f6e61296bd8945f08d0e6a7dae92f9bd541478ef63155475e8ae15accf0cda0b 286272 sendmail-cf_8.14.4-8+deb8u2_all.deb
Files:
 5fc10ba170ba4195f72700c03af7a91f 2633 mail extra sendmail_8.14.4-8+deb8u2.dsc
 ff47729b84f8313fe421078b8a571aa1 395860 mail extra sendmail_8.14.4-8+deb8u2.debian.tar.xz
 c0286e4131d77ba601916580785f1d2c 860236 doc extra sendmail-doc_8.14.4-8+deb8u2_all.deb
 1fd1ed47c6cb5a36f9c49df452e923ee 217222 mail extra sendmail_8.14.4-8+deb8u2_all.deb
 257e5176dfb463c8b55912686422c488 339092 mail extra sendmail-base_8.14.4-8+deb8u2_all.deb
 d8575e3d506f85f55fb52281b0bf4a01 286272 mail extra sendmail-cf_8.14.4-8+deb8u2_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
