The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


possible local exploit via sendmail with procmail on solaris


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Tue, 21 Dec 2004 16:30:03 -0500
From: Michael Barnes <mbarnes@compsci.wm.edu.>
To: [email protected]
Subject: possible local exploit via sendmail with procmail on solaris

I was debugging a new procmail rule and noticed some strange information
in the logfile.  It ended up to be mkdir complaining that it could not
create a directory because it existed.  I found out that this was coming
from a user's .cshrc file that had something like:

if ( ! -r /home/user/TMPDIR ) then
  mkdir /home/user/TMPDIR
endif

The TMPDIR was there but it was with mode 0700 and owned by the user, so
it was not readable by other users, so if another user was trying to
execute the .cshrc file it would attempt to execute the mkdir command.  

The problem is this.  Why is a user's .cshrc file being executed by
another user?

I put some debugging info in my account and found this:

New shell invocation: PID=18443: id=<<uid=0(root) gid=6(mail)>>
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root 18440     1  0 15:01:52 ?        0:00 /usr/lib/sendmail -bd -q15m
    root 18441 18440  0 15:01:52 ?        0:00 procmail -f [email protected] -Y -a  -d mbarnes
    root 18442 18441  0 15:01:52 ?        0:00 procmail -f [email protected] -Y -a  -d mbarnes
    root 18443 18442  0 15:01:52 ?        0:00 /bin/zsh -c echo $ORGMAIL | sed s,$MAILDIR/,,

mbarnes is me.  The procmail command that invoked the shell as root but
sourced my shell's dotfiles was this:

DEST_USER=`echo $ORGMAIL | sed s,$MAILDIR/,,`

The invocation of procmail is via sendmail.cf and it is called by:

Mlocal, P=/usr/local/bin/procmail, F=ESAw5:|/@glDFMPhsfn, S=10/30, R=20/40,
        T=DNS/RFC822/X-Unix,
        A=procmail -Y -a $h -d $u


Note the the '$h' appears to be an empty string or nonexstant
alltogether, I havn't gotten any further at this time.

I am by no means a sendmail or procmail expert, and I simply may have
something misconfigured on my system, but at this time, at least for me,
this is a local root exploit.

Any comments?

Mike

-- 
/-----------------------------------------\
| Michael Barnes <mbarnes@compsci.wm.edu.> |
| UNIX Systems Administrator              |
| College of William and Mary             |
| Phone: (757) 879-3930                   |
\-----------------------------------------/


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру