AA-95.09 -- SunOS 4.1.x sendmail "-oR" option vulnerability
Date: 22 September 1995
=============================================================================
AA-95.09b                   AUSCERT Advisory
                           22 September, 1995
        SunOS 4.1.x sendmail "-oR" option vulnerability
-----------------------------------------------------------------------------

AUSCERT has received advice that a vulnerability exists in the SunOS 4.1.x
sendmail program that allows local users to gain root privileges. Other
versions of sendmail are not vulnerable to this problem.

** This Advisory contains updated information and supersedes AA-95.09a.

A vulnerability has been reported in sendmail_wrapper version 1.5, which was
listed as a workaround in AA-95.09a. A new version (v1.6) of the wrapper
which removes the sendmail_wrapper vulnerability is now available. This
version also includes updated installation instructions which fix problems
which have been encountered by sites which have the /usr filesystem
NFS-mounted by diskless or dataless NFS clients.

AUSCERT recommends that sites that have any version of the sendmail wrapper
prior to version 1.6 immediately upgrade. Details for obtaining the latest
version can be found in section 3.1.

** An exploit for the sendmail "-oR" option vulnerability has been made
** available. AUSCERT recommends that the remedial action in Section 3 be
** performed immediately.
-----------------------------------------------------------------------------

1. Description

There is a vulnerability in the way that the SunOS 4.1.x version of sendmail
processes the "-oR" option. This may be exploited by local users to gain
root access.

This vulnerability has been verified to exist for SunOS 4.1.x (sendmail
patch levels up to and including 100377-19, 101665-04, and 102423-01).

AUSCERT recommends that patches addressing this vulnerability for SunOS
4.1.x sendmail be installed as soon as they are made available by Sun
Microsystems (Section 3.3).

In the absence of suitable patches, sites may either apply a workaround
solution or upgrade their sendmail to Eric Allman's 8.6.12 sendmail as this
version contains no known vulnerabilities. Note that converting from SunOS
sendmail to Version 8.6.12 sendmail may require significant effort. The
sendmail wrapper specified in Section 3.1 may be used in the interim period.

2. Impact

Local users may gain root access. Intruders require an account on the system
to exploit this vulnerability.

3. Workaround

AUSCERT believes that either workaround provided in Sections 3.1 or Section
3.2 will address this vulnerability. Vendor patches may address this
vulnerability in the future (Section 3.3).

3.1 Install sendmail wrapper

For sites that must continue using their existing SunOS sendmail, the
sendmail wrapper can be used as an interim solution. This wrapper is
available by anonymous FTP from:

    ftp.auscert.org.au:/pub/auscert/tools/sendmail_wrapper.c
    MD5 = f4049cc56075ddb142f5bd70a53ba341

This wrapper will provide protection against this vulnerability, in addition
to some older vulnerabilities. Please note that this wrapper does not
address all known vulnerabilities and should be considered as a temporary
workaround to this problem.

This wrapper will syslog possible attacks to facility LOG_MAIL with severity
LOG_ERR. Sites may wish to customise these values in the sendmail wrapper or
their syslog.conf files to suit their requirements.

3.2 Replace SunOS sendmail with sendmail Version 8.6.12 (or later)

Replace the SunOS sendmail with Eric Allman's Version 8.6.12 sendmail. This
may require significant effort to complete. Version 8.6.12 sendmail contains
no known security vulnerabilities.

Sendmail version 8.6.12 can be obtained from:

    ftp://ftp.auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu/ucb/sendmail/
    sendmail.8.6.12.*

Information to assist sites in converting from Sun's sendmail to Version 8
can be found in the sendmail.8.6.12.misc.tar.Z file which is found in the
directory above.

The existing SunOS sendmail binaries (sendmail and sendmail.mx) should be
disabled by setting the permissions to mode 0700.

3.3 Install vendor patches

Install vendor patches for sendmail as they become available. Please note
that several sendmail vulnerabilities have been reported to Sun Microsystems
recently. It is important to verify that all reported vulnerabilities are
addressed when installing patches.

Sun Microsystems are testing patches for this and all previously reported
sendmail vulnerabilities. Sun Microsystems report that these patches are
expected to be available in the near future.

----------------------------------------------------------------------------
AUSCERT acknowledges 8lgm for reporting this problem.
----------------------------------------------------------------------------

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

AUSCERT is the Australian Computer Emergency Response Team, funded by the
Australian Academic Research Network (AARNet) for its members. It is located
at The University of Queensland within the Prentice Centre. AUSCERT is a full
member of the Forum of Incident Response and Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA
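
The two checks implied by Sections 3.1 and 3.2, as an added example that is not part of the AUSCERT advisory or the wrapper distribution: confirm a downloaded sendmail_wrapper.c matches the MD5 published above before building it, and confirm the retired sendmail binaries really are mode 0700. The function names are hypothetical, the binary paths are supplied by the operator, and md5sum plus a stat that supports -c are assumed on the host running the check.

```shell
#!/bin/sh
# Added example: not part of the AUSCERT advisory or the wrapper source.
# Assumes md5sum and a stat that supports -c (GNU coreutils) on the host
# where the check is run; all file paths are supplied by the caller.

# MD5 published in Section 3.1 for sendmail_wrapper.c.
ADVISORY_MD5="f4049cc56075ddb142f5bd70a53ba341"

# verify_wrapper FILE
# Returns 0 only if FILE exists and its MD5 equals ADVISORY_MD5,
# 1 on a mismatch, 2 if the file is missing.
verify_wrapper() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    actual=$(md5sum "$1" | awk '{print $1}')
    if [ "$actual" = "$ADVISORY_MD5" ]; then
        return 0
    fi
    echo "MD5 mismatch for $1: got $actual, expected $ADVISORY_MD5" >&2
    return 1
}

# check_disabled FILE...
# Returns 0 only if every FILE is exactly mode 0700 (Section 3.2):
# no setuid or setgid bit and no group or other access.
check_disabled() {
    rc=0
    for f in "$@"; do
        mode=$(stat -c '%a' "$f" 2>/dev/null) || {
            echo "cannot stat $f" >&2; rc=1; continue
        }
        if [ "$mode" != "700" ]; then
            echo "$f is mode $mode, expected 700" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage (paths are placeholders chosen by the operator):
#   verify_wrapper ./sendmail_wrapper.c || exit 1
#   check_disabled /path/to/sendmail /path/to/sendmail.mx || exit 1
```
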