jac@doc.ic.ac.uk (Jim Crammond) (11/08/88)
The following patch has appeared in a few places like sun-spots digest; I'm posting here for those who haven't yet seen it. If you don't have source, apply the following patch to your sendmail binary. SAVE A COPY OF IT FIRST, IN CASE YOU MESS UP! This is mildly tricky -- note, some versions of strings(1), which we're going to use to find the offset of the string "debug" in the binary print out the offsets in octal, not decimal. Run the following shell line to decide how your version of strings(1) works: /bin/echo 'abcd' | /usr/ucb/strings -o Note, make sure the eight control 'G's are preserved in this line. If this command results in something like: 0000008 abcd your strings(1) command prints out locations in decimal, else it's octal. [ NB I tried this on my sun but it didn't work. However doing a strings -o of sendmail soon told me that on Suns strings(1) prints in decimal -Jim. ] The patch script for sendmail. NOTE, YOUR OFFSETS MAY VARY!! [ Sendmail 3.2 had the offset 124362 -Jim. ] This script assumes that your strings(1) command prints out the offsets in decimal. Script started on Thu Nov 3 02:08:14 1988 okeeffe:tmp {2} strings -o -a /usr/lib/sendmail | egrep debug 0096972 debug okeeffe:tmp {3} adb -w /usr/lib/sendmail ?m 0 0xffffffff 0 0t10$d radix=10 base ten 96972?s 96972: debug 96972?w 65536 96972: 25701 = 65536 okeeffe:tmp {4} ^D script done on Thu Nov 3 02:09:31 1988 If your strings(1) command prints out the offsets in octal, change the line "0t10$d" to "0t8$d". [ I use the debug option for testing, therefore rather than disable it I changed the "debug" command to a 3 letter command which does not show up with strings(1). The sendmail binary is not readable by ordinary users so I think this is reasonably safe. -Jim. ]
jac@doc.ic.ac.uk (Jim Crammond) (11/08/88)
The previous fix prevents remote users mailing getting a local shell, however it is still possible for a local user to run sendmail by hand and exploit the hole (and get a non-root shell). Those who are worried by this may wish to take advantage of the following: From: Andrew Findlay <Andrew.Findlay@brunel.ac.uk> Date: Mon, 7 Nov 88 16:57:35 BST It may be worth making a safe Sun binary available by anon Blue-Book FTP and putting a uuencoded version in an info-server too. I have put two binaries in the 'guest' file area on uk.ac.brunel.me: (Username guest, any passwd) <FTP>sun-sendmail-IDA <FTP>pyr-sendmail-IDA Both are IDA-sendmail, compiled without DEBUG or WIZ. The Sun version was compiled under SunOs 3.3 and also runs under 4.0. Vanilla versions would be more useful to most people though. Andrew -Jim.
admin@cs.exeter.ac.uk (System Administrator) (11/11/88)
If the strings finds the debug symbol, does that mean that the sendmail was compiled with the debug option? I have tried applying the patch on a copy of sendmail, however when I do <offset>?w 65536 get <offset>: 25701 = 0 and not 65526. Any reason why?
jac@doc.ic.ac.uk (Jim Crammond) (11/15/88)
From: System Administrator <admin@cs.ex.ac.uk> Date: Fri, 11 Nov 88 14:50:25 GMT Sender: uk-sendmail-workers-request@cs.hw.ac.uk If the strings finds the debug symbol, does that mean that the sendmail was compiled with the debug option? Yes. I have tried applying the patch on a copy of sendmail, however when I do <offset>?w 65536 get <offset>: 25701 = 0 and not 65526. Any reason why? Try 65535 (!) (Sorry, a typo in my original message)
merlyn@intelob.biin.com (Randal L. Schwartz @ Stonehenge) (11/22/88)
In article <16970.8811071716@sophocles.doc.ic.ac.uk>, jac@doc (Jim Crammond) writes: | | [ I use the debug option for testing, therefore rather than disable it | I changed the "debug" command to a 3 letter command which does not | show up with strings(1). The sendmail binary is not readable by | ordinary users so I think this is reasonably safe. -Jim. ] Eeek. Any newsreader/creative-hacker on your system (or any system that can open your smtp port) can just try a quick-and-dirty program to cycle through all 26**3 three-alpha-char commands with very little time between tries. Not smart. Not only that, but the tries won't be logged. At one second per try (very slow system, it'll be better than that), you're looking at only 5 hours of attempts. And you just told them that it is there. Beefing up security should not be attempted by the uninformed. -- Randal L. Schwartz, Stonehenge Consulting Services (503)777-0095 on contract to BiiN Technical Information Services (for now :-), in a former Intel building in Hillsboro, Oregon, USA. <merlyn@intelob.biin.com> or ...!tektronix!inteloa[!intelob]!merlyn SOME MAILERS REQUIRE <merlyn@intelob.intel.com> GRRRRR! Standard disclaimer: I *am* my employer!