Title: Sendfile Forced Privilege Lowering Failure Vulnerability
Severity: MODERATE
Description:
Sendfile is an implementation of the SAFT (simple asynchronous file transfer) protocol for UNIX systems.
Because of a serialization problem found in the Sendfile daemon, sendfiled, it may be possible for a local user to gain elevated privileges if the problem is exploited in conjunction with other bugs also found in sendfiled.
The serialization error occurs as a result of how notification messages are sent to file recipients. When a file is received by the daemon, a flag is set to indicate that a notification request is pending. This notification is not sent to the file recipient until the sender specifies an alternate recipient or terminates the session. In itself, this behaviour is not flawed; the mechanism is used to limit the number of notification messages sent. Under certain circumstances, however, this could be used to an attacker's advantage.
After transmitting a file, it is possible for an attacker to initiate another file transfer without using any of the commands which cause the flag to be unset.
When a file transfer is initiated, the effective user and group id of the daemon are set to those of the file recipient. Should the attacker cause an error during the transfer, the subsequent call to the routine that sends notifications (and, in some cases, protocol-related messages) causes a notification to be sent. Because the euid and egid have already been set, the daemon fails to drop its privileges correctly before invoking the mailer.
By combining this behaviour with another vulnerability (Bugtraq ID 2631), an attacker may be able to locally obtain superuser privileges on the host.
No input validation is performed on values supplied in user configuration files. It is possible for a user to insert arbitrary commands into their configuration file when the "mail" option is specified as the notification action. When a notification is pending, the daemon uses the value supplied with the "mail" option, generally the recipient user's e-mail address, and calls popen() to invoke sendmail. By appending commands to the e-mail address, each preceded by word-separation metacharacters recognized by the shell, arbitrary commands can be executed after the mailer exits. A full discussion of this problem can be found in Bugtraq ID 2631.
Because the attacker causes the setuid() call to fail (which sendfiled does not catch), 'sendmail' and any following commands are executed with root privileges. It is therefore possible to exploit this vulnerability in conjunction with Bugtraq ID 2631 to gain root access on the victim host.
Successful exploitation would result in a complete compromise.
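To make the two defects concrete, the following is an added example in C; it is not sendfiled's source, and the mailer path /usr/sbin/sendmail is assumed. It places an unchecked, shell-based notification pattern of the kind the advisory describes beside a hardened counterpart: a privilege drop whose result is checked and verified, an address validator that rejects shell metacharacters and leading option dashes, and an argv builder that passes the address as a single argument so no shell ever parses it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable pattern (a reconstruction of the behaviour described above, not
 * sendfiled's code): the "mail" value from the user's config is pasted into a
 * shell command line that popen() hands to "sh -c", and the preceding
 * setuid()/setgid() results are never checked. If the uid change fails, the
 * mailer and anything the shell parses out of the address keep the daemon's
 * effective ids. Returns the length snprintf() would have written. */
static int build_mailer_cmd_unsafe(char *out, size_t outlen, const char *addr) {
    /* Privilege drop omitted here on purpose: only the command shape is shown. */
    return snprintf(out, outlen, "/usr/sbin/sendmail %s", addr);
}

/* Hardened: drop to the recipient's ids, verify the drop, never proceed on failure. */
static int drop_privileges(uid_t uid, gid_t gid) {
    if (setgid(gid) != 0) return -1;   /* group first, while still allowed to */
    if (setuid(uid) != 0) return -1;   /* EPERM if the euid was already changed */
    /* Confirm real and effective ids before acting on the user's behalf. */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}

/* Accept only plain mailbox characters: no spaces, quotes, ';', '|', '$', '`'.
 * A leading '-' is also refused so the address cannot be read as a mailer option. */
static int valid_mail_address(const char *addr) {
    size_t n = strlen(addr);
    if (n == 0 || n > 254 || strchr(addr, '@') == NULL) return 0;
    if (!isalnum((unsigned char)addr[0])) return 0;
    for (const char *p = addr; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && strchr("@._+-", c) == NULL) return 0;
    }
    return 1;
}

/* Build an argv for execv(): the address is one argument and is never shell-parsed.
 * Returns the argv count (excluding the terminating NULL), or -1 if rejected. */
static int build_mailer_argv(const char *argv[3], const char *addr) {
    if (!valid_mail_address(addr)) return -1;
    argv[0] = "/usr/sbin/sendmail";
    argv[1] = addr;
    argv[2] = NULL;
    return 2;
}
```

In a daemon, drop_privileges() would be called in the forked child immediately before execv() on the argv produced here, and any non-zero result would abort the notification rather than fall through to the mailer.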
Affected Products:
- Sendfile Sendfile 1.4.0
- Sendfile Sendfile 1.5.0
- Sendfile Sendfile 1.6.0
- Sendfile Sendfile 2.1.0
References:
- SecurityFocus: Bugtraq ID: 2613 - Sendfile Local Arbitrary Command Execution as Group 0 Vulnera
- Ulli Horlacher: Sendfile Homepage (in English)
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.