Home page logo
/

bugtraq logo Bugtraq mailing list archives

possible local exploit via sendmail with procmail on solaris
From: Michael Barnes <mbarnes () compsci wm edu>
Date: Tue, 21 Dec 2004 16:30:03 -0500

I was debugging a new procmail rule and noticed some strange information
in the logfile.  It ended up to be mkdir complaining that it could not
create a directory because it existed.  I found out that this was coming
from a user's .cshrc file that had something like:

if ( ! -r /home/user/TMPDIR ) then
  mkdir /home/user/TMPDIR
endif

The TMPDIR was there but it was with mode 0700 and owned by the user, so
it was not readable by other users, so if another user was trying to
execute the .cshrc file it would attempt to execute the mkdir command.  

The problem is this.  Why is a user's .cshrc file being executed by
another user?

I put some debugging info in my account and found this:

New shell invocation: PID=18443: id=<<uid=0(root) gid=6(mail)>>
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root 18440     1  0 15:01:52 ?        0:00 /usr/lib/sendmail -bd -q15m
    root 18441 18440  0 15:01:52 ?        0:00 procmail -f somebodyelse () example com -Y -a  -d mbarnes
    root 18442 18441  0 15:01:52 ?        0:00 procmail -f somebodyelse () example com -Y -a  -d mbarnes
    root 18443 18442  0 15:01:52 ?        0:00 /bin/zsh -c echo $ORGMAIL | sed s,$MAILDIR/,,

mbarnes is me.  The procmail command that invoked the shell as root but
sourced my shell's dotfiles was this:

DEST_USER=`echo $ORGMAIL | sed s,$MAILDIR/,,`

The invocation of procmail is via sendmail.cf and it is called by:

Mlocal, P=/usr/local/bin/procmail, F=ESAw5:|/@glDFMPhsfn, S=10/30, R=20/40,
        T=DNS/RFC822/X-Unix,
        A=procmail -Y -a $h -d $u


Note the the '$h' appears to be an empty string or nonexstant
alltogether, I havn't gotten any further at this time.

I am by no means a sendmail or procmail expert, and I simply may have
something misconfigured on my system, but at this time, at least for me,
this is a local root exploit.

Any comments?

Mike

-- 
/-----------------------------------------\
| Michael Barnes <mbarnes () compsci wm edu> |
| UNIX Systems Administrator              |
| College of William and Mary             |
| Phone: (757) 879-3930                   |
\-----------------------------------------/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault