PMDF 5.107 debug mode vulnerability

Summary
Description:PMDF 5.1-7 sendmail (NO relation to standard sendmail) has a debugging mode that can be entered by setting environmental variable PMDF_SENDMAIL_DEBUG. This then allows a standard symlink vulnerability in which you can put arbitrary binary data into the pdmf owned file of your choosing.
Author:Jonathan Rozes <jrozes@GUMBO.TCS.TUFTS.EDU>
Compromise:quash files owned by user pmdf with arbitrary data.
Vulnerable Systems:Digital Unix 4.0B reported by the author. Probably any systems running PDMF sendmail
Date:23 May 1997
Details


Date: Fri, 23 May 1997 15:20:02 -0400
From: Jonathan Rozes <jrozes@GUMBO.TCS.TUFTS.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: PMDF sendmail vulnerability

Hi--

I've only tested this on PMDF 5.1-7 under Digital Unix 4.0B, though I
presume it works under other flavors of Unix...

Caveat: While the name of the program is 'sendmail' it has no relation to
standard UCB sendmail.

Synopsis: The sendmail-alike utility included with the latest version of
PMDF has a vulnerability that allows any local user to overwrite any file
owned by the pmdf account. This can be blatantly exploited to trash the
mail system, or more subtly to induce a trojan horse or get around user
quota restrictions.

Detail: The sendmail program can be put into a debug mode by setting the
environment variable PMDF_SENDMAIL_DEBUG. In this mode, sendmail creates
two output files, /tmp/pmdf_sendmail.debug, which contains the command line
you ran, and /tmp/pmdf_sendmail.msg, which contains the message you gave
to sendmail. As you might have guessed, sendmail doesn't check for symlinks
before writing to the files, and thus will happily overwrite any file owned
by the pmdf user (PMDF sendmail is setuid to the pmdf account).

Fortunately, pointing one of the debug files to a setuid binary ends up
clearing the setuid bit, so you can't gain priviledges that way. You can
do other kinds of nasty stuff though, by simply replacing one of the PMDF
binaries with a program of your own choosing (the pmdf_sendmail.msg file
is whatever you give to sendmail; it isn't modified in any way).

I've notified Innosoft of this and expect a fix Real Soon Now. Alternatively,
you can su to the pmdf account and 'touch' the two output files to prevent
anybody else from symlinking them.

And for kicks, a few other PMDF gotchas: if the installer needs to create a
top level installation and/or state directory, it will leave them world
writable. It will also chown the /pmdf/www directory to UID 30 instead of
the pmdf user (they use UID 30 for pmdf in the example, but never state
that it is required or assumed to be such). Innosoft will have a fix for
these RSN as well.

Cheers,
jonathan

--
+++ Jonathan Rozes, Unix Systems Administrator, Tufts University
++  jrozes@tcs.tufts.edu, http://rozes.tcs.tufts.edu/
+   Remember, there's a difference between kneeling down and
    bending over --FZ

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: