sendmail(8)
The method used by sendmail version 5 to open a control file is insecure. A race condition exists whereby another process may obtain a control-file file descriptor, opened for write access.
Local users can write their own control files, and run programs as any user, bar root. This increases the chances of obtaining root access on the local system.
A program to exploit this vulnerability is now available. This program has been tested with the latest Sun patch, and should work on other platforms. To obtain this program, send mail to 8lgm-fileserver@8lgm.org, with a line in the body of the message containing:-
SEND grabfd.c
Sendmail v5, during execution, sets umask(0), which is an insecure mask. In order not to leave control files lying around with mode 666, sendmail v5 uses chmod(2) afterwards to set a secure file mode. However, this is a race condition: a local user can obtain an open file descriptor for write by opening the control file after it has been created but before the call to chmod(2). Because the kernel checks permissions only at open(2) time, the descriptor remains writable after the mode has been tightened.
Change the mode on /usr/spool/mqueue to 700. This will prevent normal users gaining access to the queue files directly.
Contact vendor for fix.
Patch source to use a more restrictive umask (for example 077), or to create queue files with a restrictive mode at open(2)/creat(2) time rather than relying on a later chmod(2).
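To make the window concrete, here is an added example that is not the 8LGM grabfd.c program and not sendmail's own code. It replays the umask(0), open, chmod(2) sequence from the vulnerability details above in a single process, records the mode the control file carries at the instant it is created, and shows that a write descriptor taken in that window survives the chmod(2). The same helper is then run with the two fixed variants from fix 3 (a 077 umask, or creating the file with mode 0600 outright), which leave no window. The /tmp path names and the queue-file line are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` under umask `mask` with the given open(2) mode and report the
 * permission bits the file carries at that instant, i.e. what another local
 * user sees before any later chmod(2).  The file is removed afterwards.
 * Returns (mode_t)-1 on error. */
static mode_t mode_after_create(const char *path, mode_t mask, mode_t create_mode)
{
    struct stat st;
    mode_t result = (mode_t)-1;

    unlink(path);                      /* drop a stale copy from an earlier run */
    mode_t old = umask(mask);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, create_mode);
    umask(old);                        /* restore the caller's umask */
    if (fd < 0)
        return result;
    if (fstat(fd, &st) == 0)
        result = st.st_mode & 0777;
    close(fd);
    unlink(path);
    return result;
}

/* Replay the sendmail v5 sequence: umask(0), create the control file (so it
 * appears with mode 666), then chmod(2) it.  Between those two steps a second
 * write descriptor is opened, standing in for the local user's process in the
 * race.  (Here both opens run as the same uid; across uids it is the 666 mode
 * in the window that lets the other user get this descriptor at all.)
 * Returns 1 when that descriptor can still write after the chmod and the file
 * ends up 0600: permission is checked only at open(2), so tightening the mode
 * afterwards does not revoke a descriptor already held. */
static int race_window_survives_chmod(const char *path)
{
    static const char line[] = "Rexample\n";   /* constructed queue-file content */
    struct stat st;
    int ok = 0;

    unlink(path);
    mode_t old = umask(0);                     /* what sendmail v5 did */
    int qf = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(old);
    if (qf < 0)
        return -1;

    int grabbed = open(path, O_WRONLY);        /* the race: taken while mode is 666 */

    if (chmod(path, 0600) == 0 && grabbed >= 0) {   /* sendmail's too-late fix-up */
        ssize_t n = write(grabbed, line, sizeof line - 1);
        ok = (n == (ssize_t)(sizeof line - 1))
             && fstat(qf, &st) == 0
             && (st.st_mode & 0777) == 0600;
    }
    if (grabbed >= 0)
        close(grabbed);
    close(qf);
    unlink(path);
    return ok;
}

int main(void)
{
    printf("umask(0),   open mode 0666 -> %04o\n",
           (unsigned)mode_after_create("/tmp/qf_demo_v5", 0, 0666));
    printf("umask(077), open mode 0666 -> %04o\n",
           (unsigned)mode_after_create("/tmp/qf_demo_fix1", 077, 0666));
    printf("umask(0),   open mode 0600 -> %04o\n",
           (unsigned)mode_after_create("/tmp/qf_demo_fix2", 0, 0600));
    printf("descriptor grabbed before chmod still writable: %d\n",
           race_window_survives_chmod("/tmp/qf_demo_race"));
    return 0;
}
```

Either fixed variant closes the window because the restrictive bits are applied atomically by the create itself; the chmod(2) in the vulnerable path is a separate step, and nothing stops another process running between the two calls. Fix 1 (mode 700 on the queue directory) attacks the same race from the other side, by denying other users the directory traversal needed to reach the file at all.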
The file:
[8lgm]-Advisory-20.UNIX.SunOS-sendmailV5.1-Aug-1995.README
will be created on www.8lgm.org. This will contain updates on any further versions which are found to be vulnerable, and any other information received pertaining to this advisory.
majordomo@8lgm.org (Mailing list requests - try 'help' for details)
8lgm@8lgm.org (Everything else)
All [8LGM] advisories may be obtained via the [8LGM] fileserver.
For details, 'echo help | mail 8lgm-fileserver@8lgm.org'
[8LGM]'s web server can be reached at http://www.8lgm.org. This contains details of all 8LGM advisories and other useful information.