
Bug#841257: marked as done (sendmail: Privilege escalation from group smmsp to (user) root)



Your message dated Wed, 30 Nov 2016 19:41:15 +0000
with message-id <E1cCAkl-0005wo-70@fasolo.debian.org>
and subject line Bug#841257: fixed in sendmail 8.15.2-7
has caused the Debian Bug report #841257,
regarding sendmail: Privilege escalation from group smmsp to (user) root
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
841257: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841257
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: sendmail
Version: 8.14.4-8+deb8u1
Severity: grave
Tags: patch security
Justification: user security hole


Supposing that due to some bug in sendmail, we were able to execute
commands as group smmsp, then that might be leveraged to cause root
to create any (empty) file.

The directory /var/run/sendmail/stampdir is group-smmsp-writable, so
we (as group smmsp) could create symlinks there pointing to any name.
Then when /etc/init.d/sendmail was run as root (to restart the daemon
maybe?), one or another of the symlinks

  /var/run/sendmail/stampdir/reload
  /var/run/sendmail/stampdir/cron_msp
  /var/run/sendmail/stampdir/cron_mta
  /var/run/sendmail/stampdir/cron_msp

might be followed to create an empty file.

Lines in /etc/init.d/sendmail:

   ...
   110		SENDMAIL_ROOT='/var/run/sendmail';
   ...
   144		STAMP_DIR="${SENDMAIL_ROOT}/stampdir";
   ...
   246		touch $STAMP_DIR/reload;
   ...
   367		touch $STAMP_DIR/reload;
   ...
   900						touch $STAMP_DIR/cron_msp;
   ...
   912				touch $STAMP_DIR/cron_mta;
   ...
   938					touch $STAMP_DIR/cron_msp;
   ...
  1130		if [ ! -d "${STAMP_DIR}" ]; then
  1131			mkdir -p "${STAMP_DIR}";
  1132			chown root:smmsp "${STAMP_DIR}";
  1133			chmod 02775 "${STAMP_DIR}";
  1134			fi;
   ...


Things missing to make a "convincing" exploit:
 - a way to "get" group smmsp: there have not been such issues for some
   years now;
 - how to trick the sysadmin into restarting sendmail;
 - under what conditions would any of those "touch" lines be run;
 - a way to "get root" by creating some empty file: damage can be done
   with /etc/nologin, maybe some exploitation with /etc/hosts.deny.
Seems this issue has low priority.


My suggested fix:

$ diff /etc/init.d/sendmail.bak <---> /etc/init.d/sendmail
246c246
< 	touch $STAMP_DIR/reload;
---
> 	su smmsp -s /bin/bash -c "touch $STAMP_DIR/reload";
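Review bot: the inner command is quoted only once, so in `-c "touch $STAMP_DIR/reload"` the root shell expands `$STAMP_DIR` and the child shell then word-splits the result again; quote it for the inner shell as well, e.g. `-c "touch '$STAMP_DIR/reload'"`. It is also worth spelling out what the drop buys, since `touch` still follows a planted symlink: it now does so as smmsp, so the worst case shrinks from root creating an arbitrary empty file to smmsp creating one where it already has write access.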
367c367
< 	touch $STAMP_DIR/reload;
---
> 	su smmsp -s /bin/bash -c "touch $STAMP_DIR/reload";
900c900
< 					touch $STAMP_DIR/cron_msp;
---
> 					su smmsp -s /bin/bash -c "touch $STAMP_DIR/cron_msp";
912c912
< 			touch $STAMP_DIR/cron_mta;
---
> 			su smmsp -s /bin/bash -c "touch $STAMP_DIR/cron_mta";
938c938
< 				touch $STAMP_DIR/cron_msp;
---
> 				su smmsp -s /bin/bash -c "touch $STAMP_DIR/cron_msp";
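Review bot: this is the fifth copy of the same `su smmsp -s /bin/bash -c "touch ..."` line (246, 367, 900, 912 and here); factor it into one helper, e.g. `touch_stamp() { su smmsp -s /bin/sh -c "touch '$STAMP_DIR/$1'"; }`, so a future stamp cannot be added with a bare `touch` again and the quoting is fixed in one place. `/bin/sh` is enough for a one-word command and avoids tying the init script to bash; Debian init scripts usually run commands as another user with `start-stop-daemon --chuid smmsp:smmsp` rather than a full `su` session.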


Cheers, Paul

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

--- End Message ---
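The bare `touch $STAMP_DIR/...` lines quoted in the report follow whatever symlink sits at that name. The helper below, an added example that is not from the bug report or the Debian sendmail package, shows the check-before-create pattern those lines lack: it refuses a symlinked stamp directory or stamp name and re-checks after creating the file. `safe_stamp` and its variable names are assumptions; this narrows the race but does not close it, which is why the maintainer's fix additionally runs the `touch` as smmsp.

```shell
#!/bin/sh
# Added example, not code from the bug report or the Debian sendmail
# package: a stamp-file helper for an init script that refuses to follow
# a symlink planted in a group-writable stamp directory such as
# /var/run/sendmail/stampdir. Function and variable names are assumptions.

# safe_stamp DIR NAME
#   Create or update DIR/NAME as a regular file. Returns 1 without
#   touching anything if DIR is not a real directory, if DIR/NAME is a
#   symlink, or if DIR/NAME exists but is not a regular file.
safe_stamp() {
    dir=$1
    name=$2
    path="$dir/$name"

    # A symlinked stamp directory would redirect every file below it.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "safe_stamp: $dir is not a real directory" >&2
        return 1
    fi

    # The case from the report: DIR/NAME -> /etc/nologin. `touch` would
    # follow the link, so refuse before calling it.
    if [ -L "$path" ]; then
        echo "safe_stamp: refusing to follow symlink $path" >&2
        return 1
    fi

    # An existing non-regular entry (FIFO, device, directory) is not a stamp.
    if [ -e "$path" ] && [ ! -f "$path" ]; then
        echo "safe_stamp: $path exists and is not a regular file" >&2
        return 1
    fi

    touch "$path" || return 1

    # Re-check: a link planted between the test above and the touch
    # shows up here, so the caller at least learns that it happened.
    if [ -L "$path" ]; then
        echo "safe_stamp: $path became a symlink during update" >&2
        return 1
    fi
    return 0
}

# Usage in an init script, with STAMP_DIR as in /etc/init.d/sendmail:
#   safe_stamp "$STAMP_DIR" reload || echo "stamp refused" >&2
```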
--- Begin Message ---
Source: sendmail
Source-Version: 8.15.2-7

We believe that the bug you reported is fixed in the latest version of
sendmail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 841257@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Beckmann <anbe@debian.org> (supplier of updated sendmail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 30 Nov 2016 12:32:49 +0100
Source: sendmail
Binary: sendmail-bin rmail sensible-mda libmilter1.0.1 libmilter-dev sendmail-doc sendmail sendmail-base sendmail-cf
Architecture: source
Version: 8.15.2-7
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Andreas Beckmann <anbe@debian.org>
Description:
 libmilter-dev - Sendmail Mail Filter API (Milter) (development files)
 libmilter1.0.1 - Sendmail Mail Filter API (Milter)
 rmail      - MTA->UUCP remote mail handler
 sendmail   - powerful, efficient, and scalable Mail Transport Agent (metapacka
 sendmail-base - powerful, efficient, and scalable Mail Transport Agent (arch inde
 sendmail-bin - powerful, efficient, and scalable Mail Transport Agent
 sendmail-cf - powerful, efficient, and scalable Mail Transport Agent (config ma
 sendmail-doc - powerful, efficient, and scalable Mail Transport Agent (documenta
 sensible-mda - Mail Delivery Agent wrapper
Closes: 840837 841257 843682
Changes:
 sendmail (8.15.2-7) unstable; urgency=medium
 .
   * QA upload.
   * Fix openssl argument order.  (Closes: #843682)
   * sendmail-bin: Add missing Depends: lsb-base.
   * Stop using dh_buildinfo in favor of dpkg-buildinfo.
   * Enable more hardening flags.
   * debian/examples/db/access: Comment out localhost entries, may be forged.
     (Closes: #840837)
   * Only touch files as smmsp:smmsp in /var/run/sendmail/stampdir (writable by
     group smmsp) to avoid possible privilege escalation.  (Closes: #841257)
Checksums-Sha1:
 6797e584e083de8c29518b33e71193cce0f71f6f 2522 sendmail_8.15.2-7.dsc
 77c866ff57a0c3f06b7021cc257db1662166bfcc 406764 sendmail_8.15.2-7.debian.tar.xz
Checksums-Sha256:
 fc58d44f3e7c0ae863d6b0cef33080cc5455d8c42aca1dbc5f7fb00a58e46429 2522 sendmail_8.15.2-7.dsc
 b0506ba4b2e55de2c4ac2e5b64ae0659fdc1ad781f3be6111eec6f50e4294fdc 406764 sendmail_8.15.2-7.debian.tar.xz
Files:
 9fb79c6cfb122920429619b7055978e5 2522 mail extra sendmail_8.15.2-7.dsc
 d6eaa8111c7fa4ff5a4e64ef6a0d4dbd 406764 mail extra sendmail_8.15.2-7.debian.tar.xz


--- End Message ---
