Date: Thu, 9 Jul 1998 19:31:52 +0200
From: Michal Zalewski <lcamtuf@IDS.PL>
Subject: Sendmail up to 8.9.1 - mail.local instroduces new class of bugs

Local, setuid mail delivery program included in recent packages -
mail.local - introduces new class of local bugs, from DoS attacks to
security compromises.

For example, it creates unique temporary file in /tmp at UID 0 (no
comments), opens and unlinks it. Then blindly writes every line read from
fd 0 to this file. So, to eat whole disk space, ignoring sendmail.cf
settings (because mail.local won't parse it at all), attacker should run
mail.local, caught tmp file creation, hard-link it to /tmp/other_file,
then redirect a lot of text junk to it's fd 0.

But that's not all. Using 'mail.local -f sender recipient', local users
are able to put **anything** to mailboxes of other users. This cute
program simply allows creating and writing to files /var/mail with
virtually no restrictions. Aliases are not expanded, so attacker can even
*create* and fill with hundred megabytes of junk mailboxes for accounts
like 'nobody'. It won't even put basical auth information, except 'From
xxx' line at the beginning... But it can be altered with '-f' switch :-0

Arbitrary headers are allowed, opening potential security compromises with
dumb mail clients. Additionally, by providing specific data as 'sender',
mailbox may be left in unusable state - eg. pine won't open it, saying
it's 'Not in mailbox format'.

Fix:

It's stupid to make any part of sendmail package setuid. It's really
possible to make sendmail work with no setuid nor setgid, by arranging
proper communication with sendmail daemon, if running. Also, I suggest to
be at least careful with new features of recent Sendmail version :-)

_______________________________________________________________________
Michal Zalewski [lcamtuf@boss.staszic.waw.pl] <= finger for pub PGP key
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]
[echo "\$0&\$0">_;chmod +x _;./_] <=------=> [tel +48 (0) 22 813 25 86]