[Secure-testing-team] Bug#841257: sendmail: Privilege escalation from group smmsp to (user) root
Paul Szabo
paul.szabo at sydney.edu.au
Wed Oct 19 01:33:05 UTC 2016
Package: sendmail
Version: 8.14.4-8+deb8u1
Severity: grave
Tags: patch security
Justification: user security hole
Supposing that due to some bug in sendmail, we were able to execute
commands as group smmsp, then that might be leveraged to cause root
to create any (empty) file.
The directory /var/run/sendmail/stampdir is group-smmsp-writable, so
we (as group smmsp) could create symlinks there pointing to any name.
Then when /etc/init.d/sendmail was run as root (to restart the daemon
maybe?), one or another of the symlinks
/var/run/sendmail/stampdir/reload
/var/run/sendmail/stampdir/cron_msp
/var/run/sendmail/stampdir/cron_mta
/var/run/sendmail/stampdir/cron_msp
might be followed to create an empty file.
Lines in /etc/init.d/sendmail:
...
110 SENDMAIL_ROOT='/var/run/sendmail';
...
144 STAMP_DIR="${SENDMAIL_ROOT}/stampdir";
...
246 touch $STAMP_DIR/reload;
...
367 touch $STAMP_DIR/reload;
...
900 touch $STAMP_DIR/cron_msp;
...
912 touch $STAMP_DIR/cron_mta;
...
938 touch $STAMP_DIR/cron_msp;
...
1130 if [ ! -d "${STAMP_DIR}" ]; then
1131 mkdir -p "${STAMP_DIR}";
1132 chown root:smmsp "${STAMP_DIR}";
1133 chmod 02775 "${STAMP_DIR}";
1134 fi;
...
Things missing to make a "convincing" exploit:
- a way to "get" group smmsp: there have not been such issues for some
years now;
- how to trick the sysadmin into restarting sendmail;
- under what conditions would any of those "touch" lines be run;
- a way to "get root" by creating some empty file: damage can be done
with /etc/nologin, maybe some exploitation with /etc/hosts.deny.
Seems this issue has low priority.
My suggested fix:
$ diff /etc/init.d/sendmail.bak <---> /etc/init.d/sendmail
246c246
< touch $STAMP_DIR/reload;
---
> su smmsp -s /bin/bash -c "touch $STAMP_DIR/reload";
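Review bot: this still lets `touch` follow whatever symlink sits at `$STAMP_DIR/reload`; it just does so as user smmsp, so the file it ends up creating is one the attacker (who already holds group smmsp, by the report's premise) could have created anyway. That is what removes the escalation, and it deserves a comment at the call site, since a later reader may assume the `su` is about ownership of the stamp file. Note also that `su smmsp` switches the user, not only the group, so the fix relies on an smmsp account existing whose primary group can write the `chown root:smmsp` / `chmod 02775` directory set up at lines 1132-1133.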
367c367
< touch $STAMP_DIR/reload;
---
> su smmsp -s /bin/bash -c "touch $STAMP_DIR/reload";
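Review bot: `$STAMP_DIR` is expanded by the outer shell and then re-parsed, unquoted, by the inner one in `su smmsp -s /bin/bash -c "touch $STAMP_DIR/reload";`, so a value containing spaces or glob characters would break the command; quote it inside the `-c` string, e.g. `-c "touch '$STAMP_DIR/reload'"`. The inner shell also need not be bash for a single `touch`; `/bin/sh` matches the rest of the init script and avoids a hard dependency on bash.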
900c900
< touch $STAMP_DIR/cron_msp;
---
> su smmsp -s /bin/bash -c "touch $STAMP_DIR/cron_msp";
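Review bot: the stamp name `cron_msp` suggests this site is hit from a periodic job rather than an admin-driven restart, so the `su` here will run unattended and repeatedly; each invocation forks a shell and goes through PAM, which with the usual pam_unix setup logs a session open/close to auth.log. Document the extra log lines, or consider a lighter way to drop privilege for one `touch`.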
912c912
< touch $STAMP_DIR/cron_mta;
---
> su smmsp -s /bin/bash -c "touch $STAMP_DIR/cron_mta";
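Review bot: no return code is checked after `su smmsp -s /bin/bash -c "touch $STAMP_DIR/cron_mta";`. If `su` fails (no smmsp account, PAM refusing the session, no `/bin/bash` in a minimal install) the stamp is silently left stale, whereas the original `touch` as root could hardly fail. Test the result and report the failure, e.g. `... || echo "cannot update $STAMP_DIR/cron_mta" >&2`.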
938c938
< touch $STAMP_DIR/cron_msp;
---
> su smmsp -s /bin/bash -c "touch $STAMP_DIR/cron_msp";
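Review bot: the patch leaves lines 1130-1134 alone, so `$STAMP_DIR` stays `chmod 02775` and group-writable; the change mitigates the consequence (root following a planted link) rather than the cause. An alternative that keeps the `touch` as root is to create the stamp under a temporary name in the same directory and rename(2) it over the final name, since rename replaces a symlink at the destination instead of following it. Either way, the five identical replacements would read better as one helper function called at each site.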
Cheers, Paul
Paul Szabo psz at maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
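The scenario above, as an added example that is neither the reporter's code nor anything from Debian's sendmail package: it reproduces the symlink-follow in a scratch directory as an unprivileged user (here "root" and "group smmsp" are the same uid; the point is only which path the writer creates), then shows a stamp writer that a planted symlink cannot redirect. The `su` approach in the patch needs root to try out, so the hardened half demonstrates a different mitigation, mktemp plus rename, which is my suggestion and not something the report proposes. The scratch layout and function names are hypothetical, and GNU coreutils is assumed for the mktemp template and `mv -T`.

```shell
#!/bin/sh
# Added example for #841257, not taken from the report or from Debian's
# sendmail package.  Reproduces the symlink-follow in a scratch directory
# as an unprivileged user, then shows a stamp writer that a planted
# symlink cannot redirect.  Assumes GNU coreutils (mktemp template, mv -T).

# Stand-in for /var/run/sendmail: a parent holding the group-writable
# stampdir.  Prints the scratch root.
setup_scratch() {
    scratch=$(mktemp -d) || return 1
    mkdir "$scratch/stampdir"
    # The real directory is chown root:smmsp + chmod 02775; the mode is
    # cosmetic here because a single uid plays both roles.
    chmod 2775 "$scratch/stampdir"
    echo "$scratch"
}

# Attacker step: with write access to stampdir (group smmsp), plant a
# symlink under a stamp name, pointing at the file root should create.
plant_symlink() {   # plant_symlink STAMPDIR NAME TARGET
    ln -s "$3" "$1/$2"
}

# Vulnerable pattern, what the init script does: touch(1) follows the
# link and creates (or updates) the target as the caller.
touch_stamp_naive() {   # touch_stamp_naive STAMPDIR NAME
    touch "$1/$2"
}

# Hardened pattern: create the stamp under a random name with O_EXCL
# (mktemp), then rename(2) it over the final name.  rename() does not
# follow a symlink at the destination; it replaces the link with the new
# file, so whatever the attacker pointed it at is left untouched.
touch_stamp_safe() {   # touch_stamp_safe STAMPDIR NAME
    stamp_tmp=$(mktemp "$1/.$2.XXXXXX") || return 1
    mv -f -T "$stamp_tmp" "$1/$2"
}

# Run both writers against planted links and report what got created.
# Prints: naive:created safe:not created
demo() {
    s=$(setup_scratch) || return 1
    plant_symlink "$s/stampdir" reload   "$s/victim_naive"
    plant_symlink "$s/stampdir" cron_msp "$s/victim_safe"
    touch_stamp_naive "$s/stampdir" reload
    touch_stamp_safe  "$s/stampdir" cron_msp
    if [ -e "$s/victim_naive" ]; then n=created; else n="not created"; fi
    if [ -e "$s/victim_safe"  ]; then h=created; else h="not created"; fi
    echo "naive:$n safe:$h"
    rm -rf "$s"
}

demo
```

After `touch_stamp_safe`, `stampdir/cron_msp` is a regular file owned by the caller and the planted link is gone, which is the behaviour the init script wants from its stamps; the attacker can still delete that file, since the directory remains group-writable, but can no longer choose where root creates one.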