Your message dated Sun, 12 Feb 2017 22:47:11 +0000
with message-id <e1cd2vh-000fbd...@fasolo.debian.org>
and subject line Bug#841257: fixed in sendmail 8.14.4-8+deb8u2
has caused the Debian Bug report #841257,
regarding sendmail: Privilege escalation from group smmsp to (user) root
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
841257: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841257
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sendmail
Version: 8.14.4-8+deb8u1
Severity: grave
Tags: patch security
Justification: user security hole
Supposing that due to some bug in sendmail, we were able to execute
commands as group smmsp, then that might be leveraged to cause root
to create any (empty) file.
The directory /var/run/sendmail/stampdir is group-smmsp-writable, so
we (as group smmsp) could create symlinks there pointing to any name.
Then when /etc/init.d/sendmail was run as root (to restart the daemon
maybe?), one or another of the symlinks
/var/run/sendmail/stampdir/reload
/var/run/sendmail/stampdir/cron_msp
/var/run/sendmail/stampdir/cron_mta
/var/run/sendmail/stampdir/cron_msp
might be followed to create an empty file.
Lines in /etc/init.d/sendmail:
...
110 SENDMAIL_ROOT='/var/run/sendmail';
...
144 STAMP_DIR="${SENDMAIL_ROOT}/stampdir";
...
246 touch $STAMP_DIR/reload;
...
367 touch $STAMP_DIR/reload;
...
900 touch $STAMP_DIR/cron_msp;
...
912 touch $STAMP_DIR/cron_mta;
...
938 touch $STAMP_DIR/cron_msp;
...
1130 if [ ! -d "${STAMP_DIR}" ]; then
1131 mkdir -p "${STAMP_DIR}";
1132 chown root:smmsp "${STAMP_DIR}";
1133 chmod 02775 "${STAMP_DIR}";
1134 fi;
...
Things missing to make a "convincing" exploit:
- a way to "get" group smmsp: there have not been such issues for some
years now;
- how to trick the sysadmin into restarting sendmail;
- under what conditions would any of those "touch" lines be run;
- a way to "get root" by creating some empty file: damage can be done
with /etc/nologin, maybe some exploitation with /etc/hosts.deny.
Seems this issue has low priority.
My suggested fix:
$ diff /etc/init.d/sendmail.bak <---> /etc/init.d/sendmail
246c246
< touch $STAMP_DIR/reload;
---
> su smmsp -s /bin/bash -c "touch $STAMP_DIR/reload";
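Review bot: the `-s /bin/bash` in the replacement line of this 246c246 hunk makes the init script depend on bash for a single `touch`; `-s /bin/sh` would do the same job. `$STAMP_DIR` is also expanded by the calling shell inside the double quotes and then parsed a second time by the shell that `su` starts. With the fixed value assigned at lines 110 and 144 that is harmless, but passing the path to the inner shell as a positional argument would avoid relying on it.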
367c367
< touch $STAMP_DIR/reload;
---
> su smmsp -s /bin/bash -c "touch $STAMP_DIR/reload";
900c900
< touch $STAMP_DIR/cron_msp;
---
> su smmsp -s /bin/bash -c "touch
> $STAMP_DIR/cron_msp";
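Review bot: the replacement in this 900c900 hunk is split across two `>` lines, so as written the string handed to `-c` is `touch`, a newline, then `$STAMP_DIR/cron_msp`; the inner shell would run `touch` with no operand and then try to execute the stamp path as a command. It should be one line, like the `reload` replacements at 246 and 367. The 938c938 hunk has the same break.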
912c912
< touch $STAMP_DIR/cron_mta;
---
> su smmsp -s /bin/bash -c "touch $STAMP_DIR/cron_mta";
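Review bot: the exit status of `su` is discarded in this 912c912 hunk, as in the other replacements. After this change a failing touch is the expected outcome when `cron_mta` is a symlink to a location smmsp cannot write, so the script should check the status and report the failure instead of carrying on as if the stamp had been written.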
938c938
< touch $STAMP_DIR/cron_msp;
---
> su smmsp -s /bin/bash -c "touch
> $STAMP_DIR/cron_msp";
Cheers, Paul
Paul Szabo p...@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
--- End Message ---
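An added example, not part of the original report or of the Debian package: a check for symlinks in a stamp directory and a stamp writer that refuses to go through one. The function names `list_stamp_links` and `stamp_nofollow` are hypothetical, the sandbox is constructed for the demo, and `touch -h` assumes GNU coreutils. The uploaded fix takes a different route (touching as smmsp:smmsp and using lockfile-create).

```sh
#!/bin/sh
# Added example; list_stamp_links and stamp_nofollow are hypothetical names.

# Print "path -> target" for each symlink directly inside DIR.
# Returns 1 if any symlink was found, 0 otherwise.
list_stamp_links() {
    dir=$1
    found=0
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -L "$entry" ] || continue
        printf '%s -> %s\n' "$entry" "$(readlink "$entry")"
        found=1
    done
    return "$found"
}

# Create or refresh the stamp file PATH without going through a symlink.
stamp_nofollow() {
    path=$1
    [ -L "$path" ] && return 1
    # Under noclobber (set -C) bash and dash create a missing file with
    # O_EXCL, so a link planted after the check above is refused as well.
    if ( set -C; : > "$path" ) 2>/dev/null; then
        return 0
    fi
    # Already present as a regular file: refresh its times. -c never creates,
    # -h acts on the name itself rather than on a link target.
    [ -f "$path" ] && [ ! -L "$path" ] && touch -c -h "$path"
}

demo() {
    # Constructed sandbox standing in for /var/run/sendmail/stampdir.
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/stampdir" "$sandbox/elsewhere"
    ln -s "$sandbox/elsewhere/empty-file" "$sandbox/stampdir/reload"
    list_stamp_links "$sandbox/stampdir" || echo "symlinks present in stampdir"
    stamp_nofollow "$sandbox/stampdir/reload" || echo "reload: refused, is a symlink"
    stamp_nofollow "$sandbox/stampdir/cron_msp" && echo "cron_msp: stamp written"
    [ -e "$sandbox/elsewhere/empty-file" ] || echo "link target was not created"
    rm -rf "$sandbox"
}
demo
```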
--- Begin Message ---
Source: sendmail
Source-Version: 8.14.4-8+deb8u2
We believe that the bug you reported is fixed in the latest version of
sendmail, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 841...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Beckmann <a...@debian.org> (supplier of updated sendmail package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 06 Feb 2017 00:16:03 +0100
Source: sendmail
Binary: sendmail-bin rmail sensible-mda libmilter1.0.1 libmilter1.0.1-dbg
libmilter-dev sendmail-doc sendmail sendmail-base sendmail-cf
Architecture: source all
Version: 8.14.4-8+deb8u2
Distribution: jessie
Urgency: medium
Maintainer: Debian QA Group <packa...@qa.debian.org>
Changed-By: Andreas Beckmann <a...@debian.org>
Description:
libmilter-dev - Sendmail Mail Filter API (Milter) (development files)
libmilter1.0.1 - Sendmail Mail Filter API (Milter)
libmilter1.0.1-dbg - Sendmail Mail Filter API (Milter) (debug symbols)
rmail - MTA->UUCP remote mail handler
sendmail - powerful, efficient, and scalable Mail Transport Agent (metapacka
sendmail-base - powerful, efficient, and scalable Mail Transport Agent (arch inde
sendmail-bin - powerful, efficient, and scalable Mail Transport Agent
sendmail-cf - powerful, efficient, and scalable Mail Transport Agent (config ma
sendmail-doc - powerful, efficient, and scalable Mail Transport Agent (documenta
sensible-mda - Mail Delivery Agent wrapper
Closes: 841257
Changes:
sendmail (8.14.4-8+deb8u2) jessie; urgency=medium
.
* QA upload.
* Only touch files as smmsp:smmsp in /var/run/sendmail/stampdir (writable by
group smmsp) to avoid possible privilege escalation. (Closes: #841257)
* Use lockfile-create (from lockfile-progs) instead of touch to manage the
cronjob lockfiles.
* sendmail-base: Add Depends: netbase for /etc/services.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
--- End Message ---