copyright
|
disclaimer
|
privacy
|
contact
HOME
About
AusCERT
Membership
Contact Us
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
Login »
Become a member »
Home
»
Security Bul...
» AA-96.10 -- smtpd-SIGHUP sendmail vulnerability
AA-96.10 -- smtpd-SIGHUP sendmail vulnerability
Date:
07 February 1997
Click here for printable version
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AA-96.10 AUSCERT Advisory smtpd-SIGHUP sendmail vulnerability 18 November 1996 Last Revised: 7 February 1997 Added vendor information pointer - --------------------------------------------------------------------------- AUSCERT has received information that sendmail versions 8.7.x to 8.8.2 (inclusive) contain a serious security vulnerability. This vulnerability may allow local users to gain root privileges. Exploit details involving this vulnerability have been widely distributed. AUSCERT recommends that sites takes the steps outlined in Section 3 as soon as possible. - --------------------------------------------------------------------------- 1. Description A vulnerability exists in all versions of sendmail from 8.7.x to 8.8.2 that allows local users to gain root privileges. A user can invoke sendmail in "daemon" mode by naming it to be "smtpd". Due to a coding error, this bypasses the usual check that only root can start the daemon. As of 8.7, sendmail will restart itself when it gets a SIGHUP signal. By manipulating the environment in which sendmail is run it is possible to force sendmail into executing an arbitrary program with root privileges. AUSCERT has been informed that sendmail versions prior to 8.8.x are no longer supported. Sites using older versions of sendmail will need to upgrade to the current version of sendmail. Sites can determine their version of sendmail by executing: % cat /dev/null | sendmail -d0 -bt | grep Version 2. Impact Local users can gain root privileges. 3. Workarounds/Solution AUSCERT recommends that sites upgrade to the current version of sendmail (see Section 3.1). CERT/CC have also released an advisory on this problem (CA-96.24). This advisory contains specific vendor information and an additional workaround that was not available at the original time of writing this advisory. To obtain this vendor information, sites are encouraged to retrieve CA-96.24 titled CA-96.24.sendmail.daemon.mode from: ftp://info.cert.org/pub/cert_advisories/ ftp://ftp.auscert.org.au/pub/cert/cert_advisories/ 3.1 Upgrade to current version of sendmail Eric Allman has released a new version of sendmail (8.8.3) which fixes this vulnerability. There is no patch for 8.7.6. Sites running 8.7.x or previous versions will need to upgrade to 8.8.3. Sendmail 8.8.3 can be obtained from the following locations. ftp://ftp.sendmail.org/ucb/src/sendmail/ ftp://ftp.cert.dfn.de/pub/tools/net/sendmail/ ftp://ftp.auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu/ucb/sendmail/ The MD5 checksum for this distribution is: MD5 (sendmail.8.8.3.patch) = 5b550b509b98912bea453b7a2c25d378 MD5 (sendmail.8.8.3.tar.gz) = 0cb58caae93a19ac69ddd40660e01646 MD5 (sendmail.8.8.3.tar.Z) = 7f7c5463012f8d7af368a79d417c72de - --------------------------------------------------------------------------- AUSCERT thanks Eric Allman for his rapid response to this vulnerability and his assistance in the preparation of this advisory. - --------------------------------------------------------------------------- The AUSCERT team have made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The appropriateness of this document for an organisation or individual system should be considered before application in conjunction with local policies and procedures. AUSCERT takes no responsibility for the consequences of applying the contents of this document. If you believe that your system has been compromised, contact AUSCERT or your representative in FIRST (Forum of Incident Response and Security Teams). AUSCERT is located at The University of Queensland within the Prentice Centre. AUSCERT is a full member of the Forum of Incident Response and Security Teams (FIRST). AUSCERT maintains an anonymous FTP service which is found on: ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT Advisories, and other computer security information. AUSCERT also maintains a World Wide Web service which is found on: http://www.auscert.org.au/. Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 4477 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AUSCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. Postal: Australian Computer Emergency Response Team c/- Prentice Centre The University of Queensland Brisbane Qld. 4072. AUSTRALIA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Revision History 7 Feb 1997 Added a pointer to CERT advisory CA-96.24 which contained specific vendor information not previously available. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBMvsytyh9+71yA2DNAQHeRQP/ZS8ppGN9+Us+OTvzkBESSNfjKZESmxxP jSR64+6NR831HPgDVrAt5wsvREp9CcGy9QYV27vMgF8NUp9jtH+iAL1D02210yh4 8Ko1YiAfBQvCj0HNZyOchvLTcxRwT/5lh7RENgYFc4TknwxR+UtVYCIs0/z5a3zB IvqBTRkw8gc= =clQy -----END PGP SIGNATURE-----
Comments? Click here
http://www.auscert.org.au/render.html?cid=1&it=1863