Home page logo

bugtraq logo Bugtraq mailing list archives

Re: sendmail -C: Known? Patches? (AIX 4.1.5)
From: spaf () CS PURDUE EDU (Gene Spafford)
Date: Sat, 9 Aug 1997 19:31:41 -0500

I had mail from Matt Bishop saying that he documented this problem
in a RIACS memo in approximately 1984.  I did some more digging and
found that this was indeed a problem in sendmail, fixed in version
4.31 on August 5, 1984.  Pretty shocking if anyone is still running
a version that old.

Yup, it is an old hole.  Here is the first mention I found of it in my
archives (in the old denelcor security list).  However, I recall using
it myself sometime before this, perhaps in 1983, to read protected
files.  I seem to vaguely recall that there was a semi-public problem
in mid 1984 with some other program that used config files, and this
led several people to independently discover the problem in sendmail.

Note that we keep seeing similar problems pop up in other places
because programmers don't pay attention to past security mistakes.
For instance, the problem with "passwd" that we had a few years back
reading in an alternate password file.

Old bugs never quite seem to die....  If the problem is in a recent
version of AIX I think it would be very interesting to find how & why
it got there.


From:     ihnp4!denelvx!lmc (Lyle McElhaney)
Message-Id: <8503180623.AA12253 () denelvx UUCP>
Date:     17 Mar 1985 2323-MST (Sunday)
To:       sec-dist
Subject:  Security Mailing List, # 10

                     Admin and new people on the list
               SUID shell scripts --and-- mesg [ y ] [ n ]
                              sendmail bugs
                    Re: Checking for trivial passwords
            Re: Can you mail me the password-guessing program?
                       Re: Treatise on uucp needed


[stuff elided]

Date: Tue, 12 Mar 85 18:54:37 est
From: ihnp4!watmath!sunybcs!loverso (John Robert LoVerso)
Subject: Re: addition to unix security list

Enclosed is the stuff on sendmail as mailed to me by Keith Muller:
Date: Wed, 12 Sep 84 20:16:10 pdt
From: rocksvax!amd!ihnp4!sdcsvax!sdcc3!muller (Keith Muller)
Subject: sendmail bugs

[some stuff elided]

There are two VERY SERIOUS security holes in sendmail. If sendmail runs
with the setuid root bit on, ANY user can get a root shell. The other
problem allows any user to read ANY file in the system.

Problem 1) Reading any file in the system.

To see if you have this problem:
        cd /tmp
        /usr/lib/sendmail -Cno_READ_file >& OUTPUT&

        Where file is some file that the user who executes this
        command SHOULD NOT be able to read. If you have the contents
        of no_READ_file in the file OUTPUT you have the bug.

The -C flag allows you to specify a configuration file other than the
default sendmail.cf. The routines in readcf.c blindly opens the file and
start parsing it. If the file is NOT a proper sendmail.cf file,
sendmail complains and ECHOS the offending file to standard output. The
fix requires placing an access call before the fopen(cfname. "r") in

[more stuff elided]

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]