AA-96.15 -- sendmail Group Permissions Vulnerability

Date: 13 December 1996

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-96.15                        AUSCERT Advisory
                     sendmail Group Permissions Vulnerability
                                3 December 1996

Last Revised: 13 December 1996
		Added information about CERT/CC Advisory CA-96.25 on this
		vulnerability.  CA-96.25 contains specific vendor
		information.

- ---------------------------------------------------------------------------
AUSCERT has received information of a security problem in sendmail
affecting version 8.  This vulnerability may allow local users to run
programs with group permissions of other users.  This vulnerability
requires group writable files to be available on the same file system as
a file that the attacker can convince sendmail to trust.

AUSCERT recommends that sites take the steps outlined in Section 3
as soon as possible.
- ---------------------------------------------------------------------------

1.  Description

    When delivering mail to a program listed in a .forward or :include: file,
    that program is run with the group permissions possessed by the owner
    of that .forward or :include: file.  The owner of the file is used to
    initialize the list of group permissions that are in force when the
    program is run.  This list is determined by scanning the /etc/group
    file.

    An attacker can attain group permissions they should not have by
    linking to a file that is owned by someone else but on which they
    have group write permission (a hard link, which is why the file
    must be on the same filesystem).  Because the file is group
    writable, the attacker can edit it to name a program; because
    sendmail sets the groups from the file's owner, that program runs
    with the group permissions of the owner.

2.  Impact

    An attacker can gain group permissions of another user, if the
    attacked user has a file that is group writable by the attacker on
    the same filesystem as either (a) the attacker's home directory, or
    (b) a :include: file that is referenced directly from the aliases
    file and is in a directory writable by the attacker.  The first
    (.forward) attack only works against root.  N.B.: this attack does
    not give you root "owner" permissions, but does give you access to
    the groups that list root in /etc/group.

3.  Workarounds/Solution

    AUSCERT recommends that sendmail 8.8.4 be installed as soon as possible
    (see Section 3.1).  For sites that can not install sendmail 8.8.4,
    apply the workaround described in Section 3.2.  Sites using vendor
    versions of sendmail should review CA-96.25 (see Section 3.3).

3.1 Upgrade to sendmail 8.8.4.

    Eric Allman has released sendmail 8.8.4 which fixes this
    vulnerability.  There is no patch for any version of sendmail prior
    to 8.8.0.  Sites are encouraged to upgrade to sendmail 8.8.4 as soon
    as possible.

    The current version of sendmail is available from:

	ftp://ftp.sendmail.org/pub/sendmail/
	ftp://ftp.auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu/ucb/sendmail/
	ftp://ftp.cert.dfn.de/pub/tools/net/sendmail/

    The MD5 checksums for this distribution are:

        MD5 (sendmail.8.8.4.patch) = bb0f24abdb1416748b0c7a9f9315fa59
        MD5 (sendmail.8.8.4.tar.Z) = 0b4e4d09c75733ab63dde1cb6a52c615
        MD5 (sendmail.8.8.4.tar.gz) = 64ce6393a6968a0dc7c6652dace127b0

3.2 Workaround

    Eric Allman, the author of sendmail, has provided the following
    workaround.

    Set the UnsafeGroupWrites option in the sendmail.cf file.  This option
    tells sendmail that group-writable files should not be considered safe
    for mailing to programs or files. This causes sendmail to refuse to
    run any programs referenced from group-writable files.  Setting this
    option is a good idea in any case, but may require that your users
    tighten permissions on their .forward files and :include: files.

    The command "find <filesystem> -xdev -user root -type f -perm -020 -print"
    will print the names of all regular files owned by root that are group
    writable on a given <filesystem> (-xdev keeps find from descending into
    other filesystems, which the attack cannot reach).

    In addition, group memberships should be audited regularly.  Users
    should not be in groups without a specific need.  In particular,
    root generally does not need to be listed in most groups.

    As a policy matter, root should have a umask of (at least) 022 so that
    group writable files are made consciously.  Also, the aliases file
    should not reference :include: files in writable directories.
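    The following audit script is an added example for this section and
    for the attack shape in Section 1; it is not part of the AUSCERT
    advisory or of sendmail.  It packages the find command above as a
    function, adds a check for .forward files that are hard links (the
    same-filesystem requirement in Section 2 means the attacker's link is
    a hard link) or are group/world writable, and checks the :include:
    files named in an aliases file for writable parent directories.  Only
    POSIX find(1), sed(1), sort(1) and grep(1) are used.  The demo_tree
    function builds a constructed tree under mktemp in which the current
    user stands in for root as owner of the group-writable file; the
    directory and file names in it are illustrative only.

```shell
#!/bin/sh
# Audit helpers for the conditions described in AA-96.15.  Added example,
# not part of the AUSCERT advisory or of sendmail.  Every path created by
# demo_tree() is constructed for demonstration.

# Section 3.2: regular files owned by OWNER that are group-writable, on the
# filesystem containing ROOT.  -xdev stops at mount points: a hard link
# cannot cross filesystems, so only files on the attacker's filesystem count.
group_writable_files_owned_by() {
    owner=$1
    root=$2
    find "$root" -xdev -type f -user "$owner" -perm -020 2>/dev/null | sort
    return 0
}

# Section 1: .forward files under HOMES that are hard links (link count
# above one) or are group- or world-writable.  A multiply linked .forward
# is the shape of the attack: the name sits in the attacker's home
# directory, the inode and its owner belong to someone else.
suspicious_forward_files() {
    homes=$1
    find "$homes" -xdev -type f -name .forward \
        \( -links +1 -o -perm -020 -o -perm -002 \) 2>/dev/null | sort
    return 0
}

# Section 3.2: :include: files named in ALIASES whose directory is group-
# or world-writable.  In such a directory the attacker can replace the
# :include: file with a link to a file owned by the victim.
include_files_in_writable_dirs() {
    aliases=$1
    sed -n 's/.*:include:\([^,[:space:]]*\).*/\1/p' "$aliases" |
    while read -r inc; do
        dir=$(dirname "$inc")
        [ -d "$dir" ] || continue
        # -prune keeps find on the directory itself; print it if writable
        if find "$dir" -prune \( -perm -020 -o -perm -002 \) -print | grep -q .; then
            echo "$inc"
        fi
    done
    return 0
}

# Constructed demonstration tree (assumed layout, not a real site).  The
# current user stands in for root as owner of the shared, group-writable
# file.  Prints the path of the tree.
demo_tree() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/home/attacker" "$tmp/etc" "$tmp/lists" "$tmp/drop"
    chmod 0755 "$tmp/lists"                                     # safe dir
    chmod 0777 "$tmp/drop"                                      # writable dir
    echo x > "$tmp/etc/shared";  chmod 0664 "$tmp/etc/shared"   # group-writable
    echo x > "$tmp/etc/private"; chmod 0644 "$tmp/etc/private"  # not writable
    # the attack shape: attacker's .forward is a hard link to the shared file
    ln "$tmp/etc/shared" "$tmp/home/attacker/.forward"
    : > "$tmp/drop/members"
    : > "$tmp/lists/members"
    printf 'open: :include:%s/drop/members\nsafe: :include:%s/lists/members\n' \
        "$tmp" "$tmp" > "$tmp/etc/aliases"
    echo "$tmp"
}

tree=$(demo_tree) || exit 1
echo "group-writable files owned by $(id -un) under $tree:"
group_writable_files_owned_by "$(id -un)" "$tree"
echo "suspicious .forward files:"
suspicious_forward_files "$tree/home"
echo ":include: files in writable directories:"
include_files_in_writable_dirs "$tree/etc/aliases"
rm -rf "$tree"
```

    Against a real system, call group_writable_files_owned_by with root
    and the filesystem holding user home directories, and point
    suspicious_forward_files at the home directory tree and
    include_files_in_writable_dirs at the real aliases file.  The
    hard-linked .forward shows up in both the first and the second
    listing, which is the signature to look for: one inode, two names,
    two owners' expectations.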

3.3 Vendor information

    CERT/CC released an advisory (CA-96.25) containing specific vendor
    information that was not available when AUSCERT Advisory AA-96.15 was
    first released.  Sites should review this advisory for specific vendor
    information.  This advisory can be retrieved from:

    ftp://ftp.auscert.org.au/pub/cert/cert_advisories/CA-96.25.sendmail_groups
    ftp://ftp.cert.org/pub/cert_advisories/CA-96.25.sendmail_groups

4.  Additional Measures

    This section describes some additional measures for increasing the
    security of sendmail.  These measures are unrelated to the
    vulnerability described in this advisory but should be followed.
    Sites must apply the Workarounds/Solution described in Section 3 first,
    and then optionally apply the additional measures described in this
    Section.

4.1 Restrict Ability to Mail to Programs

    If the ability to send electronic mail to programs (for example,
    vacation programs) is not required, this feature should be disabled.
    This is achieved by modifying the "Mprog" line in the configuration
    file to mail to "/bin/false" rather than "/bin/sh".  The following
    line in the ".mc" file will achieve this:

	define(`LOCAL_SHELL_PATH', `/bin/false')dnl

    If mailing to programs is required, it is recommended that the sendmail
    restricted shell, smrsh, be used at all times.  This applies to all
    versions of sendmail, including vendor versions.  smrsh is supplied
    with the current version of sendmail and includes documentation and
    installation instructions.

5.  Additional Information

    Sendmail 8.8.4 also fixes a denial of service attack.  If your system
    relies on the TryNullMXList option in order to forward mail to third
    party MX hosts, an attacker can force that option off, thereby causing
    mail to bounce.  As a workaround, you can use the mailertable feature
    to deliver to third party MX hosts regardless of the setting of the
    TryNullMXList option.

- ---------------------------------------------------------------------------
AUSCERT thanks Eric Allman for his rapid response to this vulnerability,
and for providing much of the technical content used in this advisory.
AUSCERT also thanks Terry Kyriacopoulos (Interlog Internet Services) and
Dan Bernstein (University of Illinois at Chicago) for their reporting
of these vulnerabilities.  Thanks also to CERT/CC for providing
additional information.
- ---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures.  AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre.  AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 4477
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AUSCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History

13 December 1996 Added Section 3.3 which contains a pointer to the 
		CERT/CC advisory CA-96.25.  This advisory contains
		specific vendor information that was not available at
		the time of the original release of AUSCERT Advisory AA-96.15.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBMrFdYih9+71yA2DNAQFzVgP9GPuEirj9LUV9TFSDZOwassX1dGNJf5Bf
C0tFtPko5XofGaN2h7Dcid4CF8+XgpnpVQk47s3XqGo35NbF4V5NCqMn9gHKlRmc
fZRGhxU5qHyKnEka++sD7rYiFTfbHiT9EHPZY3EVHO8aOvXGuDdOA8iSkyhx2w/L
31OXeNHvYgo=
=cGPf
-----END PGP SIGNATURE-----