Date: Thu, 9 Jul 1998 19:31:52 +0200 From: Michal Zalewski Subject: Sendmail up to 8.9.1 - mail.local instroduces new class of bugs Local, setuid mail delivery program included in recent packages - mail.local - introduces new class of local bugs, from DoS attacks to security compromises. For example, it creates unique temporary file in /tmp at UID 0 (no comments), opens and unlinks it. Then blindly writes every line read from fd 0 to this file. So, to eat whole disk space, ignoring sendmail.cf settings (because mail.local won't parse it at all), attacker should run mail.local, caught tmp file creation, hard-link it to /tmp/other_file, then redirect a lot of text junk to it's fd 0. But that's not all. Using 'mail.local -f sender recipient', local users are able to put **anything** to mailboxes of other users. This cute program simply allows creating and writing to files /var/mail with virtually no restrictions. Aliases are not expanded, so attacker can even *create* and fill with hundred megabytes of junk mailboxes for accounts like 'nobody'. It won't even put basical auth information, except 'From xxx' line at the beginning... But it can be altered with '-f' switch :-0 Arbitrary headers are allowed, opening potential security compromises with dumb mail clients. Additionally, by providing specific data as 'sender', mailbox may be left in unusable state - eg. pine won't open it, saying it's 'Not in mailbox format'. Fix: It's stupid to make any part of sendmail package setuid. It's really possible to make sendmail work with no setuid nor setgid, by arranging proper communication with sendmail daemon, if running. Also, I suggest to be at least careful with new features of recent Sendmail version :-) _______________________________________________________________________ Michal Zalewski [lcamtuf@boss.staszic.waw.pl] <= finger for pub PGP key Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch] [echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]