AusCERT - AA-95.09 -- SunOS 4.1.x sendmail "-oR" option vulnerability

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
AA-95.09 -- SunOS 4.1.x sendmail "-oR" option vulnerability
Date: 22 September 1995

Click here for printable version
-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
AA-95.09b		  AUSCERT Advisory
			 22 September, 1995
	    SunOS 4.1.x sendmail "-oR" option vulnerability
- -----------------------------------------------------------------------------

AUSCERT has received advice that a vulnerability exists in the SunOS 4.1.x
sendmail program that allows local users to gain root privileges. Other
versions of sendmail are not vulnerable to this problem.

** This Advisory contains updated information and supercedes AA-95.09a.

A vulnerability has been reported in sendmail_wrapper version 1.5, which was
listed as a workaround in AA-95.09a.  A new version (v1.6) of the wrapper
which removes the sendmail_wrapper vulnerability is now available.

This version also includes updated installation instructions which fix
problems which have been encountered by sites which have the /usr
filesystem NFS-mounted by diskless or dataless NFS clients.

AUSCERT recommends that sites that have any version of the sendmail
wrapper prior to version 1.6 immediately upgrade.  Details for obtaining the
latest version can be found in section 3.1.

** An exploit for the sendmail "-oR" option vulnerability has been made
** available.  AUSCERT recommends that the remedial action in Section 3 be
** performed immediately.

- -----------------------------------------------------------------------------

1.  Description

    There is a vulnerability in the way that the SunOS 4.1.x version of
    sendmail processes the "-oR" option.  This may be exploited by local
    users to gain root access.

    This vulnerability has been verified to exist for SunOS 4.1.x (sendmail
    patch levels up to and including 100377-19, 101665-04, and 102423-01).

    AUSCERT recommends that patches addressing this vulnerability for SunOS
    4.1.x sendmail be installed as soon as they are made available by Sun
    Microsystems (Section 3.3).

    In the absence of suitable patches, sites may either apply a workaround
    solution or upgrade their sendmail to Eric Allman's 8.6.12 sendmail as
    this version contains no known vulnerabilities.  Note that converting
    from SunOS sendmail to Version 8.6.12 sendmail may require significant
    effort.  The sendmail wrapper specified in Section 3.1 may be used in
    the interim period.

2.  Impact

    Local users may gain root access.

    Intruders require an account on the system to exploit this
    vulnerability.

3.  Workaround

    AUSCERT believes that either workaround provided in Sections 3.1 or
    Section 3.2 will address this vulnerability.  Vendor patches may
    address this vulnerability in the future (Section 3.3).

3.1 Install sendmail wrapper

    For sites that must continue using their existing SunOS sendmail, the
    sendmail wrapper can be used as an interim solution.  This wrapper is
    available by anonymous FTP from:

        ftp.auscert.org.au:/pub/auscert/tools/sendmail_wrapper.c
                 MD5 = f4049cc56075ddb142f5bd70a53ba341

    This wrapper will provide protection against this vulnerability, in
    addition to some older vulnerabilities.  Please note that this wrapper
    does not address all known vulnerabilities and should be considered as
    a temporary workaround to this problem.

    This wrapper will syslog possible attacks to facility LOG_MAIL with
    severity LOG_ERR.  Sites may wish to customise these values in the
    sendmail wrapper or their syslog.conf files to suit their requirements.

3.2 Replace SunOS sendmail with sendmail Version 8.6.12 (or later)

    Replace the SunOS sendmail with Eric Allman's Version 8.6.12 sendmail.
    This may require significant effort to complete.  Version 8.6.12
    sendmail contains no known security vulnerabilities.

    Sendmail version 8.6.12 can be obtained from:

    ftp://ftp.auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu/ucb/sendmail/
    			sendmail.8.6.12.*

    Information to assist sites in converting from Sun's sendmail to
    Version 8 can be found in the sendmail.8.6.12.misc.tar.Z file which is
    found in the directory above.

    The existing SunOS sendmail binaries (sendmail and sendmail.mx) should
    be disabled by setting the permissions to mode 0700.

3.3 Install vendor patches

    Install vendor patches for sendmail as they become available.  Please
    note that several sendmail vulnerabilities have been reported to Sun
    Microsystems recently.  It is important to verify that all reported
    vulnerabilities are addressed when installing patches.

    Sun Microsystems are testing patches for this and all previously
    reported sendmail vulnerabilities.  Sun Microsystems report that these
    patches are expected to be available in the near future.

- ----------------------------------------------------------------------------
AUSCERT acknowledges 8lgm for reporting this problem.
- ----------------------------------------------------------------------------

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

AUSCERT is the Australian Computer Emergency Response Team, funded by the
Australian Academic Research Network (AARNet) for its members.  It is
located at The University of Queensland within the Prentice Centre.
AUSCERT is a full member of the Forum of Incident Response and Security
Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au.

Internet Email:	auscert@auscert.org.au
Facsimile:	(07) 3365 4477
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AUSCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Finger pgp@ftp.auscert.org.au to retrieve AUSCERT's public key

iQCVAwUBMGNZBSh9+71yA2DNAQHYpwP8CabVfqFmeyhTVXjt1+Bh7i6LXoHYTWCQ
WnzhlFGc+uY6DEVPCKjSv3DBIdYk4V1PJpxlbxy0tZgq0Yf1zq69hCwIz0bAMDYs
kPvSWHO1nemeYhPfMI20AVsoBcNEWlcpsSn0wVbwg1jmt1evBCcRY7PR3db8F3ph
ez5+T9OfXrs=
=W4Mx
-----END PGP SIGNATURE-----