[comp.mail.sendmail] sendmail worm fix

jac@doc.ic.ac.uk (Jim Crammond) (11/08/88)

The following patch has appeared in a few places like sun-spots digest;
I'm posting here for those who haven't yet seen it.

	If you don't have source, apply the following patch to your
	sendmail binary.  SAVE A COPY OF IT FIRST, IN CASE YOU MESS
	UP!  This is mildly tricky -- note, some versions of strings(1),
	which we're going to use to find the offset of the string
	"debug" in the binary print out the offsets in octal, not
	decimal.  Run the following shell line to decide how your
	version of strings(1) works:

		/bin/echo 'abcd' | /usr/ucb/strings -o

	Note, make sure the eight control 'G's are preserved in this
	line.  If this command results in something like:

		0000008 abcd

	your strings(1) command prints out locations in decimal, else
	it's octal.

[ NB I tried this on my sun but it didn't work. However doing a strings -o
  of sendmail soon told me that on Suns strings(1) prints in decimal -Jim. ]

	The patch script for sendmail.  NOTE, YOUR OFFSETS MAY VARY!!
[ Sendmail 3.2 had the offset 124362 -Jim. ]

	This script assumes that your strings(1) command prints out
	the offsets in decimal.

		Script started on Thu Nov  3 02:08:14 1988
		okeeffe:tmp {2} strings -o -a /usr/lib/sendmail | egrep debug
		0096972 debug
		okeeffe:tmp {3} adb -w /usr/lib/sendmail
		?m 0 0xffffffff 0
		0t10$d
		radix=10 base ten
		96972?s
		96972:		debug
		96972?w 65536
		96972:		25701	=	65536
		okeeffe:tmp {4} ^D
		script done on Thu Nov  3 02:09:31 1988

	If your strings(1) command prints out the offsets in octal,
	change the line "0t10$d" to "0t8$d".

[ I use the debug option for testing, therefore rather than disable it
  I changed the "debug" command to a 3 letter command which does not
  show up with strings(1).  The sendmail binary is not readable by
  ordinary users so I think this is reasonably safe.  -Jim. ]

jac@doc.ic.ac.uk (Jim Crammond) (11/08/88)

The previous fix prevents remote users mailing getting a local shell,
however it is still possible for a local user to run sendmail by hand
and exploit the hole (and get a non-root shell).
Those who are worried by this may wish to take advantage of the following:

   From: Andrew Findlay <Andrew.Findlay@brunel.ac.uk>
   Date: Mon, 7 Nov 88 16:57:35 BST

   It may be worth making a safe Sun binary available by anon Blue-Book
   FTP and putting a uuencoded version in an info-server too.

   I have put two binaries in the 'guest' file area on uk.ac.brunel.me:
   (Username guest, any passwd)

   <FTP>sun-sendmail-IDA
   <FTP>pyr-sendmail-IDA

   Both are IDA-sendmail, compiled without DEBUG or WIZ. The Sun version
   was compiled under SunOs 3.3 and also runs under 4.0. Vanilla versions
   would be more useful to most people though.

   Andrew

-Jim.

admin@cs.exeter.ac.uk (System Administrator) (11/11/88)

If strings(1) finds the debug symbol, does that mean that the
sendmail was compiled with the debug option?

I have tried applying the patch on a copy of sendmail, however when I
do 

	<offset>?w 65536
get 
	<offset>:	25701	=	0

and not 65526.  Any reason why?

jac@doc.ic.ac.uk (Jim Crammond) (11/15/88)

   From: System Administrator <admin@cs.ex.ac.uk>
   Date: Fri, 11 Nov 88 14:50:25 GMT
   Sender: uk-sendmail-workers-request@cs.hw.ac.uk

   If strings(1) finds the debug symbol, does that mean that the
   sendmail was compiled with the debug option?
Yes.

   I have tried applying the patch on a copy of sendmail, however when I
   do 

	   <offset>?w 65536
   get 
	   <offset>:	25701	=	0

   and not 65526.  Any reason why?

Try 65535 (!)  (Sorry, a typo in my original message)
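As an added illustration that is not part of the thread, the following Python reproduces what the strings/adb session above does, on a constructed byte string standing in for the sendmail binary: it locates the NUL-terminated "debug" command name, overwrites its first two bytes with 0xffff, and shows why `?w 65536` reports `= 0` (adb stores a 16-bit word, so 65536 is truncated to 0, while 65535 stores 0xffff). The sample image, the function names and the big-endian Sun-3 word layout are assumptions of this example.

```python
import struct

# Constructed stand-in for a sendmail binary: a few NUL-terminated SMTP
# command names as they might sit in the command table (not a real image).
SAMPLE_IMAGE = b"\0helo\0mail\0debug\0rcpt\0quit\0"


def find_debug_offset(image: bytes) -> int:
    """Offset of the NUL-terminated string "debug", like
    `strings -o -a /usr/lib/sendmail | egrep debug`; -1 if absent."""
    return image.find(b"debug\0")


def word_write(image: bytearray, offset: int, value: int) -> tuple[int, int]:
    """Emulate adb's `<offset>?w <value>` on a big-endian Sun: store one
    16-bit word at offset and return (old, new) as adb echoes them.
    Only the low 16 bits are kept, so `?w 65536` stores 0 (the
    `25701 = 0` result asked about in the thread); 65535 stores 0xffff.
    The old value 25701 is 0x6465, i.e. the bytes "de"."""
    old = struct.unpack_from(">H", image, offset)[0]
    new = value & 0xFFFF
    struct.pack_into(">H", image, offset, new)
    return old, new


def disable_debug(image: bytes) -> tuple[bytearray, int, int, int]:
    """Apply the thread's fix: overwrite the first two bytes of "debug"
    with 0xffff so no SMTP client can name the command.  Returns the
    patched image plus (offset, old_word, new_word)."""
    patched = bytearray(image)
    off = find_debug_offset(patched)
    if off < 0:
        raise ValueError('no "debug" string: binary built without DEBUG')
    old, new = word_write(patched, off, 65535)
    return patched, off, old, new


if __name__ == "__main__":
    patched, off, old, new = disable_debug(SAMPLE_IMAGE)
    print(f"{off:07d} debug")            # what strings -o prints
    print(f"{off}:\t{old}\t=\t{new}")    # what adb ?w prints
```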

merlyn@intelob.biin.com (Randal L. Schwartz @ Stonehenge) (11/22/88)

In article <16970.8811071716@sophocles.doc.ic.ac.uk>, jac@doc (Jim Crammond) writes:
| 
| [ I use the debug option for testing, therefore rather than disable it
|   I changed the "debug" command to a 3 letter command which does not
|   show up with strings(1).  The sendmail binary is not readable by
|   ordinary users so I think this is reasonably safe.  -Jim. ]

Eeek.  Any newsreader/creative-hacker on your system (or any system
that can open your smtp port) can just try a quick-and-dirty program
to cycle through all 26**3 three-alpha-char commands with very little
time between tries.  Not smart.  Not only that, but the tries won't be
logged.  At one second per try (very slow system, it'll be better than
that), you're looking at only 5 hours of attempts.  And you just told
them that it is there.

Beefing up security should not be attempted by the uninformed.
-- 
Randal L. Schwartz, Stonehenge Consulting Services (503)777-0095
on contract to BiiN Technical Information Services (for now :-),
in a former Intel building in Hillsboro, Oregon, USA.
<merlyn@intelob.biin.com> or ...!tektronix!inteloa[!intelob]!merlyn
SOME MAILERS REQUIRE <merlyn@intelob.intel.com> GRRRRR!
Standard disclaimer: I *am* my employer!