J-Security Center

Title: Sendfile Local Arbitrary Command Execution as Group 0 Vulnerability

Severity: MODERATE

Description:

Sendfile is an implementation of the SAFT (simple asynchronous file transfer) protocol for UNIX systems.

The daemon allows local users to supply several personal configuration values, including how they wish to be notified when new files or messages are received. The "notification" configuration option is provided for this purpose.

An input validation error exists when the "mail" suboption is given in conjunction with the "notification" option, allowing a local user to execute arbitrary code with elevated permissions and effectively gain 'root' group privileges.

The problem occurs when the daemon uses a call to popen() to invoke sendmail, using a user-supplied e-mail address given in the configuration file. Since the popen() call relies on /bin/sh to parse command strings and no input checking is done by the sendfile daemon, it is possible to insert arbitrary commands with the e-mail address. Such commands could follow a ';' or '|' character, for example.

Before invoking the mailer program, sendfiled attempts to drop privileges to the user's level. The root user id is dropped properly, but only the effective group id is set to the user's group; the child process therefore retains the parent's real group id (0).

It is possible for attackers to gain group 0 privileges. Depending on the system configuration, this may lead to further compromise of the host.

Update: There is a serialization error which can result in privileges not being dropped properly. In conjunction with such behaviour, this vulnerability can be used to obtain user root privileges. If exploited, it would be a complete system compromise. Our analysis of this possibility will be released in an alert shortly.

Affected Products:

  • Sendfile Sendfile 1.4.0
  • Sendfile Sendfile 1.5.0
  • Sendfile Sendfile 1.6.0
  • Sendfile Sendfile 2.1.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.