COMMAND

    PMDF sendmail

SYSTEMS AFFECTED

    Digital UNIX 4.0B (PMDF 5.1-7)

PROBLEM

    The following has been tested on PMDF 5.1-7 under Digital UNIX 4.0B,
    though it could work under other flavors of Unix...  Originally it
    was found by Jonathan Rozes.

    While the name of the program is 'sendmail' it has no relation  to
    standard UCB sendmail.

    The sendmail-alike  utility included  with the  latest version  of
    PMDF has a vulnerability that  allows any local user to  overwrite
    any  file  owned  by  the  pmdf  account.  This  can  be blatantly
    exploited to  trash the  mail system,  or more  subtly to induce a
    trojan horse or get around user quota restrictions.

    The sendmail program can be put  into a debug mode by setting  the
    environment variable PMDF_SENDMAIL_DEBUG.  In this mode,  sendmail
    creates   two   output   files,   /tmp/pmdf_sendmail.debug,  which
    contains  the  command  line  you ran, and /tmp/pmdf_sendmail.msg,
    which contains  the message  you gave  to sendmail.  As you  might
    have guessed, sendmail doesn't  check for symlinks before  writing
    to the files,  and thus will  happily overwrite any  file owned by
    the pmdf user (PMDF sendmail is setuid to the pmdf account).

    Fortunately, pointing one of the debug files at a setuid binary ends
    up clearing the setuid bit, so you can't gain privileges that way.
    You can do other kinds of nasty stuff though, by simply replacing one
    of the PMDF binaries with a program of your own choosing (the
    pmdf_sendmail.msg file is whatever you give to sendmail; it isn't
    modified in any way).
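    The fixed-path, truncating write the advisory describes, placed beside
    the exclusive-create pattern that defeats a pre-planted symlink. This is
    an added example and not PMDF code: it creates its own scratch directory
    (/tmp/pmdf_demo_XXXXXX), a stand-in "victim" file and a symlink named
    pmdf_sendmail.debug inside it, all constructed for the demonstration, and
    the function names are the example's own.

```c
#define _POSIX_C_SOURCE 200809L  /* for mkdtemp() on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened open: create PATH as a brand-new file (O_CREAT|O_EXCL), which
 * POSIX guarantees fails with EEXIST when PATH is a symlink, whatever it
 * points to. Then confirm via fstat() that the descriptor refers to a
 * regular file with one link, owned by our effective uid.
 * Returns the descriptor, or -1 with errno set. */
int open_new_private_file(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Unsafe open in the style the advisory describes: a predictable path,
 * opened with truncation and no symlink check, so a pre-planted symlink
 * is followed and whatever it points at is clobbered. */
int open_debug_file_unsafely(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

static int write_text(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f)
        return -1;
    fputs(text, f);
    return fclose(f);
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Runs both opens against a pre-planted symlink in a scratch directory
 * (constructed for this demo). Returns a bitmask:
 *   1: the unsafe open followed the symlink and truncated the victim file
 *   2: the hardened open refused the symlink (EEXIST), victim left intact
 *   4: the hardened open succeeds on a path that does not exist yet */
int run_demo(void)
{
    char dir[] = "/tmp/pmdf_demo_XXXXXX";
    char victim[128], link_path[128], fresh[128];
    int result = 0, fd;

    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);   /* stands in for a pmdf-owned file */
    snprintf(link_path, sizeof link_path, "%s/pmdf_sendmail.debug", dir); /* the predictable name */
    snprintf(fresh, sizeof fresh, "%s/fresh.debug", dir);

    if (write_text(victim, "original contents\n") != 0 ||
        symlink(victim, link_path) != 0)
        goto cleanup;

    fd = open_debug_file_unsafely(link_path);
    if (fd >= 0) {
        close(fd);
        if (file_size(victim) == 0)
            result |= 1;
    }

    write_text(victim, "original contents\n");   /* restore before the second check */
    fd = open_new_private_file(link_path);
    if (fd < 0 && errno == EEXIST && file_size(victim) > 0)
        result |= 2;
    else if (fd >= 0)
        close(fd);

    fd = open_new_private_file(fresh);
    if (fd >= 0) {
        result |= 4;
        close(fd);
        unlink(fresh);
    }

cleanup:
    unlink(link_path);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("unsafe open followed symlink:  %s\n", (r & 1) ? "yes" : "no");
    printf("hardened open refused symlink: %s\n", (r & 2) ? "yes" : "no");
    printf("hardened open on fresh path:   %s\n", (r & 4) ? "ok" : "failed");
    return r == 7 ? 0 : 1;
}
```

    The hardened variant is the fix a program author would apply; the
    admin workaround in the SOLUTION section instead relies on the files
    already existing and being owned by pmdf, so that no other user can
    replace them with a symlink in sticky /tmp.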

    And for kicks,  a few other  PMDF gotchas: if  the installer needs
    to  create  a  top  level  installation and/or state directory, it
    will leave them world writable.  It will also chown the  /pmdf/www
    directory to UID 30 instead of the pmdf user (they use UID 30  for
    pmdf  in  the  example,  but  never  state  that it is required or
    assumed to be such).

SOLUTION

    You can su to the pmdf account and 'touch' the two output files to
    prevent anybody else from symlinking them.  A patch is available; for
    the patch see:

        http://www.innosoft.com/517patches/aa_sendmail_patches.html

    There  are  versions  available  for  each UNIX platform that PMDF
    supports.