

                       L0pht Security Advisory

                     Application: Sendmail 8.7.5
                           Platforms: All
                   Severity: any local user can gain
                             root privileges.
                       Author: mudge@l0pht.com

Scenario:

A buffer overflow in sendmail allows a local user to overwrite the contents
of a saved stack frame, including the saved return address. When the
affected function returns, the corrupted frame is popped off the stack and
code supplied by the user executes with sendmail's privileges; since
sendmail runs setuid root, that means root.

An exploit script will be made public upon the actual release of
Sendmail 8.8 which fixes this particular exploitable code segment.

Example:

  > id
  uid=621(mudge) gid=200(users)
  > ./sploit.sh 3883
  chfn: rebuilding the database...
  chfn: done
  using arg of [0x-------- (hex) + 3883(dec)]
  # id
  uid=621(mudge) euid=0(root) gid=200(users)
  # ./up
  # id
  uid=0(root) gid=200(users)

If a user can alter his/her gecos field, that user can exploit a coding
flaw in sendmail to elevate their effective UID to 0.

Various operating systems ship with chfn(1), which lets users change their
own gecos field. Among those that ship this program are NetBSD, FreeBSD,
BSDI, OpenBSD, and Linux; it has not been extensively researched which
others provide the functionality out of the box. Even where the operating
system does not ship it, many service providers offering shell accounts
have been observed to add chfn or equivalent utilities, to reduce their
administrative workload and give users more control over their accounts.
Regardless, the flaw is a coding problem in sendmail, not the existence of
these other programs: any route by which a user-controlled gecos field
reaches sendmail exercises the same code.

The actual problem in the code is quite apparent.

  Inside recipient.c we find the following:

  char nbuf[MAXNAME + 1];
  ...
  buildfname(pw->pw_gecos, pw->pw_name, nbuf);

The problem is that nbuf[MAXNAME + 1] is a fixed-length buffer, and, as we
will soon see, buildfname() does not honor this: it receives only a pointer
to the buffer, never its size.

from util.c:

void
buildfname(gecos, login, buf)
        register char *gecos;
        char *login;
        char *buf;              /* destination; no size is passed */
{
        register char *p;
        register char *bp = buf;        /* output cursor, never compared
                                           against the end of buf */
        int l;
        ...
        /* now fill in buf */
        for (p = gecos; *p != '\0' && *p != ',' && *p != ';' && *p != '%'; p++)
        {
                if (*p == '&')
                {
                        /* '&' expands to the capitalised login name;
                           strcpy() is unbounded as well */
                        (void) strcpy(bp, login);
                        *bp = toupper(*bp);
                        while (*bp != '\0')
                                bp++;
                }
                else
                        *bp++ = *p;     /* one byte per gecos byte, unchecked */
        }
        *bp = '\0';
}

Here we see that buildfname() copies as many bytes as the gecos field
supplies (plus the expansion of every '&' into the login name) into
nbuf[MAXNAME + 1] with no check against the buffer's size; its only stop
conditions are NUL, ',', ';' and '%'. The function is even nice enough to
append a NUL to the string in case we wanted to put our machine opcodes
and operands inside the gecos field (note that such a payload cannot
itself contain any of those four terminator bytes). Though this is one
way of doing it, we opted for another method that gave us more freedom
with the various ways of altering one's gecos field.
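The flaw and its fix side by side, as an added example that is not sendmail's own code: buildfname_unbounded() reproduces the shape of the routine above, buildfname_bounded() is the size-aware form a fix takes (destination size passed in, terminator guaranteed inside the buffer, full length returned so truncation is detectable), and gecos_fits() is the pre-check a chfn(1)-style tool could apply before storing a name. The value of MAXNAME, the login "mudge" and the gecos strings are constructed for the demonstration and are assumptions, not values from the advisory.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed value: sendmail defines MAXNAME in conf.h; 256 is used here only
 * to keep the example self-contained. The argument holds for any size. */
#define MAXNAME 256

/* Vulnerable shape, modelled on the advisory's buildfname(): copies the
 * gecos "real name" (up to ',', ';' or '%') into buf, expanding '&' into
 * the login name with its first letter capitalised. The size of buf is
 * never consulted, so a long gecos runs past nbuf[MAXNAME + 1]. */
void buildfname_unbounded(const char *gecos, const char *login, char *buf)
{
    const char *p;
    char *bp = buf;

    for (p = gecos; *p != '\0' && *p != ',' && *p != ';' && *p != '%'; p++) {
        if (*p == '&') {
            (void) strcpy(bp, login);                 /* unbounded */
            *bp = (char) toupper((unsigned char) *bp);
            while (*bp != '\0')
                bp++;
        } else
            *bp++ = *p;                               /* unbounded */
    }
    *bp = '\0';
}

/* Hardened form: the caller passes the destination size, output stops one
 * byte short of it so the NUL always lands inside buf, and the return value
 * is the length the full expansion needs (>= bufsize means truncated).
 * With buf == NULL and bufsize == 0 it only measures. */
size_t buildfname_bounded(const char *gecos, const char *login,
                          char *buf, size_t bufsize)
{
    const char *p;
    size_t need = 0, out = 0;

    for (p = gecos; *p != '\0' && *p != ',' && *p != ';' && *p != '%'; p++) {
        if (*p == '&') {
            const char *l;
            for (l = login; *l != '\0'; l++) {
                char c = (l == login) ? (char) toupper((unsigned char) *l) : *l;
                need++;
                if (out + 1 < bufsize)
                    buf[out++] = c;
            }
        } else {
            need++;
            if (out + 1 < bufsize)
                buf[out++] = *p;
        }
    }
    if (bufsize > 0)
        buf[out] = '\0';
    return need;
}

/* Does this gecos, with '&' expanded for this login, fit sendmail's buffer? */
int gecos_fits(const char *gecos, const char *login)
{
    return buildfname_bounded(gecos, login, NULL, 0) <= MAXNAME;
}

/* Constructed inputs: a normal real name using '&', and a 300-byte name
 * that exceeds MAXNAME on its own. */
static const char *short_gecos = "& the Great,Room 101,555-0100";
static const char *login_name = "mudge";
static char long_gecos[301];

const char *make_long_gecos(void)
{
    memset(long_gecos, 'A', 300);
    long_gecos[300] = '\0';
    return long_gecos;
}

/* Unbounded copy into a buffer known to be large enough, for comparison. */
const char *expand_short_gecos(void)
{
    static char nbuf[MAXNAME + 1];
    buildfname_unbounded(short_gecos, login_name, nbuf);
    return nbuf;
}

/* 1 if the bounded copy clips the long name to exactly MAXNAME characters
 * while still reporting the 300 bytes the full expansion needed. */
int long_gecos_is_clipped(void)
{
    char nbuf[MAXNAME + 1];
    size_t need = buildfname_bounded(make_long_gecos(), login_name,
                                     nbuf, sizeof nbuf);
    return need == 300 && strlen(nbuf) == MAXNAME;
}

int main(void)
{
    printf("expanded: \"%s\"\n", expand_short_gecos());
    printf("short gecos fits: %d\n", gecos_fits(short_gecos, login_name));
    printf("long gecos fits:  %d\n", gecos_fits(make_long_gecos(), login_name));
    printf("bounded copy clips long name: %d\n", long_gecos_is_clipped());
    /* buildfname_unbounded(make_long_gecos(), login_name, nbuf) with
     * nbuf[MAXNAME + 1] is the advisory's bug: 301 bytes into 257, so 44
     * bytes land past the end of the array. Deliberately not executed. */
    return 0;
}
```

The long-name call of the unbounded routine is left as a comment because running it would corrupt the demo's own stack; the bounded routine's return value is what lets a caller notice that the name did not fit instead of silently clipping it.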

Solution:

This particular problem has been fixed in Sendmail 8.8 beta.

A temporary fix is to remove the ability for users on a local system to
change their gecos (commonly referred to as 'real name') field, for
example by disabling chfn(1) or removing its setuid bit. Gecos fields
that were set before the restriction should also be checked, since an
overlong entry already in the password database reaches the same code.

This page was created Wed Aug 11 12:58:04 EDT 1999
Using Linux version 2.0.32 on an i586

Copyright (C) 1999 - Matarese.com