AusCERT - AA-96.15 -- sendmail Group Permissions Vulnerability

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
AA-96.15 -- sendmail Group Permissions Vulnerability
Date: 13 December 1996

Click here for printable version
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-96.15                        AUSCERT Advisory
                     sendmail Group Permissions Vulnerability
                                3 December 1996

Last Revised: 13 December 1996
		Added information about CERT/CC Advisory CA-96.25 on this
		vulnerability.  CA-96.15 contains specific vendor
		information.

- ---------------------------------------------------------------------------
AUSCERT has received information of a security problem in sendmail
affecting version 8.  This vulnerability may allow local users to run
programs with group permissions of other users.  This vulnerability
requires group writable files to be available on the same file system as
a file that the attacker can convince sendmail to trust.

AUSCERT recommends that sites take the steps outlined in Section 3
as soon as possible.
- ---------------------------------------------------------------------------

1.  Description

    When delivering mail to a program listed in a .forward or :include: file,
    that program is run with the group permissions possessed by the owner
    of that .forward or :include: file.  The owner of the file is used to
    initialize the list of group permissions that are in force when the
    program is run.  This list is determined by scanning the /etc/group
    file.

    It is possible to attain group permissions you should not have by
    linking to a file that is owned by someone else, but on which you
    have group write permissions.  By changing that file you can acquire
    the group permissions of the owner of that file.

2.  Impact

    An attacker can gain group permissions of another user, if the
    attacked user has a file that is group writable by the attacker on
    the same filesystem as either (a) the attacker's home directory, or
    (b) a :include: file that is referenced directly from the aliases
    file and is in a directory writable by the attacker.  The first
    (.forward) attack only works against root.  N.B.: this attack does
    not give you root "owner" permissions, but does give you access to
    the groups that list root in /etc/group.

3.  Workarounds/Solution

    AUSCERT recommends that sendmail 8.8.4 be installed as soon as possible
    (see Section 3.1).  For sites that can not install sendmail 8.8.4,
    apply the workaround described in Section 3.2.  Sites using vendor
    versions of sendmail should review CA-96.25 (see Section 3.3).

3.1 Upgrade to sendmail 8.8.4.

    Eric Allman has released sendmail 8.8.4 which fixes this
    vulnerability.  There is no patch for any version of sendmail prior
    to 8.8.0.  Sites are encouraged to upgrade to sendmail 8.8.4 as soon
    as possible.

    The current version of sendmail is available from:

	ftp://ftp.sendmail.org/pub/sendmail/
	ftp://ftp.auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu/ucb/sendmail/
	ftp://ftp.cert.dfn.de/pub/tools/net/sendmail/

    The MD5 checksum for this distribution is:

        MD5 (sendmail.8.8.4.patch) = bb0f24abdb1416748b0c7a9f9315fa59
        MD5 (sendmail.8.8.4.tar.Z) = 0b4e4d09c75733ab63dde1cb6a52c615
        MD5 (sendmail.8.8.4.tar.gz) = 64ce6393a6968a0dc7c6652dace127b0

3.2 Workaround

    Eric Allman, the author of sendmail, has provided the following
    workaround.

    Set the UnsafeGroupWrites option in the sendmail.cf file.  This option
    tells sendmail that group-writable files should not be considered safe
    for mailing to programs or files. This causes sendmail to refuse to
    run any programs referenced from group-writable files.  Setting this
    option is a good idea in any case, but may require that your users
    tighten permissions on their .forward files and :include: files.

    The command "find <filesystem> -user root -type f -perm -020 -print"
    will print the names of all files owned by root that are group
    writable on a given <filesystem>.

    In addition, group memberships should be audited regularly.  Users
    should not be in groups without a specific need.  In particular,
    root generally does not need to be listed in most groups.

    As a policy matter, root should have a umask of (at least) 022 so that
    group writable files are made consciously.  Also, the aliases file
    should not reference :include: files in writable directories.

3.3 Vendor information

    CERT/CC released an advisory (CA-96.25) containing specific vendor
    information that was not available when AUSCERT Advisory AA-96.15 was
    first released.  Sites should review this advisory for specific vendor
    information.  This advisory can be retrieved from:

    ftp://ftp.auscert.org.au/pub/cert/cert_advisories/CA-96.25.sendmail_groups
    ftp://ftp.cert.org/pub/cert_advisories/CA-96.25.sendmail_groups

4.  Additional Measures

    This section describes some additional measures for increasing the
    security of sendmail.  These measures are unrelated to the
    vulnerability described in this advisory but should be followed.
    Sites must apply the Workarounds/Solution described in Section 3 first,
    and then optionally apply the additional measures described in this
    Section.

4.1 Restrict Ability to Mail to Programs

    If the ability to send electronic mail to programs (for example,
    vacation programs) is not required, this feature should be disabled.
    This is achieved by modifying the "Mprog" line in the configuration
    file to mail to "/bin/false" rather than "/bin/sh".  The following
    line in the ".mc" file will achieve this:

	define(`LOCAL_SHELL_PATH', `/bin/false')dnl

    If mailing to programs is required, it is recommended that the sendmail
    restricted shell, smrsh, be used at all times.  This applies to all
    versions of sendmail, including vendor versions.  smrsh is supplied
    with the current version of sendmail and includes documentation and
    installation instructions.

5.  Additional Information

    Sendmail 8.8.4 also fixes a denial of service attack.  If your system
    relies on the TryNullMXList option in order to forward mail to third
    party MX hosts, an attacker can force that option off, thereby causing
    mail to bounce.  As a workaround, you can use the mailertable feature
    to deliver to third party MX hosts regardless of the setting of the
    TryNullMXList option.

- ---------------------------------------------------------------------------
AUSCERT thanks Eric Allman for his rapid response to this vulnerability,
and for providing much of the technical content used in this advisory.
AUSCERT also thanks Terry Kyriacopoulos (Interlog Internet Services) and
Dan Bernstein (University of Illinois at Chicago) for their reporting
of these vulnerabilities.  Thanks also to CERT/CC for providing
additional information.
- ---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures.  AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre.  AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 4477
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AUSCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History

13 December 1996 Added Section 3.3 which contains a pointer to the 
		CERT/CC advisory CA-96.25.  This advisory contains
		specific vendor information that was not available at
		the time of the original release of AUSCERT Advisory AA-96.15.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBMrFdYih9+71yA2DNAQFzVgP9GPuEirj9LUV9TFSDZOwassX1dGNJf5Bf
C0tFtPko5XofGaN2h7Dcid4CF8+XgpnpVQk47s3XqGo35NbF4V5NCqMn9gHKlRmc
fZRGhxU5qHyKnEka++sD7rYiFTfbHiT9EHPZY3EVHO8aOvXGuDdOA8iSkyhx2w/L
31OXeNHvYgo=
=cGPf
-----END PGP SIGNATURE-----