AA-96.06 -- sendmail 8.8.0-8.8.1 Vulnerability
Date:
20 October 1996
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-96.06a                        AUSCERT Advisory
                        sendmail 8.8.0-8.8.1 Vulnerability
                                                            18 October 1996
Last Revised: 20-Oct-1996
Updated to include Version 8.8.1 Vulnerability
- ---------------------------------------------------------------------------

** This Advisory contains updated information. The new version of
** sendmail released to fix the vulnerability in sendmail Version 8.8.0
** did not address the problem. A new version of sendmail, Version 8.8.2,
** has now been released.

AUSCERT has received information that sendmail Versions 8.8.0 and 8.8.1
contain a serious security vulnerability. This vulnerability allows remote
users to execute arbitrary commands on systems running the vulnerable
sendmail by sending a carefully crafted electronic mail message.

Note that this vulnerability may be exploited on systems despite the
presence of firewalls or other boundary protective measures: the attack
arrives as ordinary mail, which such boundaries are configured to pass.

- ---------------------------------------------------------------------------

1. Description

    A serious security vulnerability in sendmail Versions 8.8.0 and 8.8.1
    has been discovered that allows remote users to execute arbitrary
    commands with root privileges.

    Versions prior to Version 8.8.0 do not contain this vulnerability.
    Versions prior to 8.7.6 contain other unrelated vulnerabilities.

    The vulnerability described in this Advisory is exploited by sending a
    carefully crafted electronic mail message to the system running the
    vulnerable version of sendmail. This vulnerability may be exploited on
    systems despite the presence of firewalls and other boundary protective
    measures.

    Systems are vulnerable to this attack only if BOTH of the following
    conditions are true:

    1.  The version of sendmail is 8.8.0 or 8.8.1.

        To determine the version of sendmail, use the following command:

            % sendmail -d0 -bt | grep Version

        If the string returned is "Version 8.8.0" or "Version 8.8.1",
        then this version of sendmail contains the vulnerability. The
        command leaves sendmail in address test mode after printing the
        version; type ^D (end of file) to exit it.

    2.  The sendmail configuration file (usually /etc/sendmail.cf) uses
        the '9' flag. Examine the "F=" (Flags) section of every Mailer
        specification (lines starting with 'M' in the first column, such
        as "Mprog" or "Mlocal"). If the '9' flag is set in the "F=" field
        of any Mailer, the configuration is vulnerable.

        Use of the '9' flag can usually be detected with the following
        command (depending on your sendmail configuration):

            % grep '^M' /etc/sendmail.cf | grep '9'

        If any lines are output from this command, then the sendmail
        configuration may be vulnerable. Note that this command matches a
        '9' anywhere on a Mailer line, not only inside the "F=" field, so
        inspect each line it prints and confirm that the '9' is actually
        among the flags.

        The use of the '9' flag in the sendmail configuration is
        documented only in the Release Notes. This flag is set by default
        if the sendmail.cf file was generated from the sendmail Version
        8.8.x distribution files using m4(1). Previous versions of sendmail
        did not set this flag by default when the sendmail.cf file was
        generated. The '9' flag is also set by default in the precompiled
        example configuration files found in the cf/cf/obj/ subdirectory
        of the sendmail Version 8.8.x distribution.

2. Impact

    Remote users may execute arbitrary commands as root on systems using
    the vulnerable sendmail. This may be leveraged to gain root access.

3. Workarounds/Solution

    AUSCERT recommends that sendmail Version 8.8.2 be installed immediately
    (see Section 3.1). For sites that cannot install sendmail Version
    8.8.2 immediately, apply the workaround described in Section 3.2.

3.1 Upgrade to sendmail Version 8.8.2

    Eric Allman has released a new version of sendmail which fixes this
    vulnerability. This can be obtained from the following locations:

        ftp://ftp.sendmail.org/ucb/src/sendmail/
        ftp://ftp.auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu/ucb/sendmail/
        ftp://ftp.cert.dfn.de/pub/tools/net/sendmail/
        ftp://ftp.cert.org/pub/tools/sendmail/

    The MD5 checksums for this distribution are:

        MD5 (sendmail.8.8.2.patch)  = a3fdf7ea9967064e2b00f7796a87dfd9
        MD5 (sendmail.8.8.2.tar.gz) = 7ba82d2008a40337bc5828a77694f66e
        MD5 (sendmail.8.8.2.tar.sig) = 3b1765110818cf1ab3cec33e825479cb
        MD5 (sendmail.8.8.2.tar.Z)  = 183b7d3461af7735bf2f9b2c17526476

    Verify the checksum of the file you download against the value above
    before building it.

3.2 Workaround for existing sendmail Version 8.8.0 and 8.8.1 installations

    AUSCERT has been advised that the following workaround removes the
    vulnerability described in this Advisory.

    The /etc/sendmail.cf file should be modified to remove the use of the
    '9' flag for all Mailer specifications (lines starting with 'M'). For
    example, after the change the sendmail.cf file should look similar to
    (depending on your system and configuration):

        Mlocal, P=/usr/libexec/mail.local, F=lsDFMAw5:/|@qrmn, S=10/30, R=20/40, T=DNS/RFC822/X-Unix, A=mail -d $u
        Mprog,  P=/bin/sh, F=lsDFMoqeu, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u

    This can be achieved for the "Mlocal" and "Mprog" Mailers by modifying
    the ".mc" file to include the following lines:

        define(`LOCAL_MAILER_FLAGS', ifdef(`LOCAL_MAILER_FLAGS', `translit(LOCAL_MAILER_FLAGS, `9')', `rmn'))
        define(`LOCAL_SHELL_FLAGS', ifdef(`LOCAL_SHELL_FLAGS', `translit(LOCAL_SHELL_FLAGS, `9')', `eu'))

    and then rebuilding the sendmail.cf file using m4(1). In each line the
    translit() call deletes every '9' from a flag string the ".mc" file
    already defines; the final argument supplies flags without '9' for a
    configuration that never defined the macro itself.

    It is possible to directly edit the sendmail.cf file to resolve this
    vulnerability. However, caution must be taken to ensure that the
    sendmail.cf file is not replaced in the future with a new version
    rebuilt from configuration files that still include the '9' flag.

    Once the configuration file has been modified, all running sendmail
    processes must be killed and the sendmail daemon restarted, or the
    system rebooted, for these changes to take effect.

4. Additional Measures

    This section describes some additional measures for increasing the
    security of sendmail in general. It is unrelated to the vulnerability
    described in this Advisory. Sites must apply the Workarounds/Solution
    described in Section 3 first, and then optionally apply the additional
    measures described in this Section.

4.1 Restrict Ability to Mail to Programs

    If the ability to send electronic mail to programs (for example,
    vacation programs) is not required, this feature should be disabled.
    This is achieved by modifying the "Mprog" line in the configuration
    file to mail to "/bin/false" rather than "/bin/sh". The following line
    in the ".mc" file will achieve this:

        define(`LOCAL_SHELL_PATH', `/bin/false')dnl

    If mailing to programs is required, it is recommended that the
    sendmail restricted shell, smrsh, be used at all times. This applies
    to all versions of sendmail, including vendor versions. smrsh is
    supplied with the sendmail 8.8.2 distribution and includes
    documentation and installation instructions.

- ---------------------------------------------------------------------------

AUSCERT thanks Eric Allman for his rapid response to this vulnerability,
and Wolfgang Ley from the DFN-CERT team for technical input to this
Advisory.

- ---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and
AUSCERT Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).
                On call after hours for emergencies.

Postal:         Australian Computer Emergency Response Team
                c/- Prentice Centre
                The University of Queensland
                Brisbane
                Qld. 4072.
                AUSTRALIA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History

20-Oct-1996. Revision a. Sendmail Version 8.8.1 did not adequately
             address the problem. A new version (8.8.2) has now been
             released. Advisory updated to reflect these changes. Added
             ftp.cert.org to mirror site as Version 8.8.2 is now there.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBMmoAYyh9+71yA2DNAQEomAP/dmfNJFhF5mG8WgVjVEVfNzqN94IF5lfX
WL1haADOd9Tp+4d5Zf2gwJUOrHTfMBGqUxf2r4EUQqMLVMTmuMQp7Ob8XNbRBNZc
i/jGA19DRfNWnbhEbGXqC9oY5Ev5Phx+OYI2ItBn4ppt2ljsluTZCeQdycjfJig+
Et25ix0c378=
=WgTX
-----END PGP SIGNATURE-----
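The two checks of Section 1 and the direct sendmail.cf edit of Section 3.2, carried out by a small shell script. This is an added example and not part of the AUSCERT advisory or of the sendmail distribution: the version string is hard-coded in place of the output of "sendmail -d0 -bt", the sendmail.cf lines are constructed for the demonstration (only the Mlocal and Mprog shapes follow the advisory's own examples; the Msmtp line is there to show the false positive of a bare "grep '9'"), and the function names are the author's own.

```shell
#!/bin/sh
# Added example (not the advisory's or sendmail's own code): detect the
# Section 1 conditions and apply the Section 3.2 .cf edit. Sample input below
# is constructed for the demo.

# Condition 1: is a "sendmail -d0 -bt" version string one of the affected releases?
# On a real host: VERSION=$(sendmail -d0 -bt < /dev/null | grep Version)
version_affected() {
    case "$1" in
        *"Version 8.8.0"*|*"Version 8.8.1"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Condition 2: Mailer (M) lines whose F= flag field contains the '9' flag.
# The advisory's "grep '^M' | grep '9'" matches a 9 anywhere on the line
# (for instance the L=990 line-length limit on an smtp mailer); anchoring
# the pattern on "F=" and stopping at the next comma removes that false positive.
mailers_with_flag9() {   # $1 = sendmail.cf path; prints the matching mailer names
    grep '^M' "$1" | grep 'F=[^,]*9' | cut -d, -f1
}

has_flag9() { grep '^M' "$1" | grep -q 'F=[^,]*9'; }

# Vulnerable only when BOTH conditions hold.
is_vulnerable() {   # $1 = version string, $2 = sendmail.cf path
    version_affected "$1" && has_flag9 "$2"
}

# Section 3.2 workaround applied to the .cf directly: delete every '9' inside
# the F= field of M lines and leave everything else on the line untouched.
# The sed loop (:a ... ta) repeats the substitution until that field has no
# '9' left, so "F=9lsDFMo9qeu" becomes "F=lsDFMoqeu".
strip_flag9() {   # $1 = input sendmail.cf; corrected file on stdout
    sed -E -e ':a' -e '/^M/s/(F=[^,]*)9/\1/' -e 'ta' "$1"
}

# --- demonstration on a constructed configuration --------------------------
CF=$(mktemp); FIXED=$(mktemp)
cat > "$CF" <<'EOF'
Mlocal, P=/usr/libexec/mail.local, F=lsDFMAw5:/|@qrmn9, S=10/30, R=20/40, T=DNS/RFC822/X-Unix, A=mail -d $u
Mprog, P=/bin/sh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u
Msmtp, P=[IPC], F=mDFMuX, S=11/31, R=21, E=\r\n, L=990, T=DNS/RFC822/SMTP, A=IPC $h
EOF

VERSION="Version 8.8.1"   # constructed stand-in for the real sendmail output
if is_vulnerable "$VERSION" "$CF"; then
    echo "VULNERABLE ($VERSION); mailers carrying the 9 flag:"
    mailers_with_flag9 "$CF"
    strip_flag9 "$CF" > "$FIXED"
    echo "after strip_flag9:"
    cat "$FIXED"
    # On a live system: back up /etc/sendmail.cf, install the corrected file
    # in its place, kill every running sendmail and restart the daemon.
else
    echo "not vulnerable"
fi
rm -f "$CF" "$FIXED"
```

The direct edit is the fallback the advisory describes; the durable fix is the ".mc" change in Section 3.2 (or the upgrade in Section 3.1), because the next m4 rebuild of sendmail.cf would otherwise reinstate the flag. Run strip_flag9 into a new file and diff it against the original before installing it, so that the only change is the removal of '9' from F= fields.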
http://www.auscert.org.au/render.html?cid=1&it=1859