Vulnerability with -C in *IBM's* version of sendmail

Summary
Description:Supposedly, /usr/lib/sendmail -C <anyfile> while display the file specified regardless of permissions. This is also true on versions of sendmail prior to 8.8.7 if they are installed setgid. They shouldn't be setgid, but an errant makefile sets them that way.
Author:"DI. Dr. Klaus Kusche" <Klaus.Kusche@OOE.GV.AT>
Compromise:Read files beyond your permissiosn.
Vulnerable Systems:the IBM sendmail on AIX 4.1.5 and sendmail prior to 8.8.7 which is installed setgid.
Date:6 August 1997
Notes:A post from Troy Bollinger at IBM clarified that you have to be in the "system" group (gid 0) in order to use the -C trick. This limits the exploit potential A LOT! Also, A post by Eric Allman is appended to Dr. Kusche's post.
Details

: From:  "DI. Dr. Klaus Kusche" <Klaus.Kusche@OOE.GV.AT>
: Subject:       sendmail -C: Known? Patches? (AIX 4.1.5)
: Date:         Wed, 6 Aug 1997 08:07:36 PDT

: On several not-so-official WWW pages, I found a hint that
:
: /usr/lib/sendmail -C <any-file-you-want-to-read>
:
: produces "interesting" output.
:
: I tried that on our AIX 4.1.5 (as an ordinary user!) with
: "/etc/security/passwd", and it indeed displayed all the
: shadow passwords.
:
: I checked IBM's and CERT's archives about it and found nothing.
:
: Questions:
: 1.) Is the problem known?
: 2.) Does IBM have a fix for it?
: 3.) Is it fixed in the latest (non-IBM) sendmail releases?
:
: DI. Dr. Klaus Kusche
: Oberoesterreichische Landesregierung / Government of Upper Austria
: Rechenzentrum / Computing Centre
: Smail: Kaerntnerstrasse 16, A-4020 Linz, Austria (Europe)
: Phone: +43 732 7720 - 3394   Fax: +43 732 7720 - 3198
: Email: Klaus.Kusche@ooe.gv.at

----



Date: Thu, 7 Aug 1997 12:15:39 -0700
From: Eric Allman <eric@SENDMAIL.ORG>
To: BUGTRAQ@NETSPACE.ORG
Subject: sendmail -C problem: explained

OK, after some searching, it turns out that there was a problem -- of
sorts -- in sendmail prior to 8.8.7, on some architectures.  Basically,
on kernels with group sets, where groupset[0] is not equivalent to
getegid(), and if sendmail has the setgid bit set, this problem can
occur.  In general, BSD-based systems do NOT have the problem, but
System V-based systems DO.  Linux apparently uses System V semantics.

There are two solutions.  Either do not run sendmail setgid (there is
absolutely no reason for it to need the setgid bit), or upgrade to
8.8.7, which does not have the problem even if it is setgid.

The Makefiles that come with sendmail mistakenly install sendmail
setgid, for reasons lost in antiquity.

eric

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault