Sendmail Debugger Arbitrary Code Execution Vulnerability

 __________________________________________________________
 The U.S. Department of Energy
 Computer Incident Advisory Center
 __________________________________________________________
 INFORMATION BULLETIN
 Sendmail Debugger Arbitrary Code Execution Vulnerability
 [Security Focus Security Alert]
August 22, 2001 18:00 GMT Number L-133
______________________________________________________________________________
PROBLEM: Sendmail contains an input validation error. 
PLATFORM: Sendmail Consortium Sendmail 8.11.0 - 8.11.5
 Sendmail Consortium Sendmail 8.12beta5, 8.12beta7, 8.12beta10,
 8.12beta12, 8.12beta16
DAMAGE: A local user could execute code and obtain elevated 
 privileges. 
SOLUTION: If using sendmail 8.11.0 - 8.11.5, upgrade to sendmail 8.11.6.
 If using sendmail 8.12.0Beta, upgrade to 8.12.0Beta19.
______________________________________________________________________________
VULNERABILITY ASSESSMENT: The risk is MEDIUM: A local attacker could gain root
 privileges.
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/l-133.shtml 
 ORIGINAL BULLETIN: http://www.securityfocus.com/bid/3163 
______________________________________________________________________________
[***** Start Security Focus Security Alert *****]
---------------------------------------------------------------------------
 Security Alert
Subject: Sendmail Debugger Arbitrary Code Execution Vulnerability
BUGTRAQ ID: 3163 CVE ID: CAN-2001-0653
Published: August 17, 2001 MT Updated: August 20, 2001 MT
Remote: No Local: Yes
Availability: Always Authentication: Not Required
Credibility: Vendor Confirmed Ease: No Exploit Available
Class: Input Validation Error
Impact: 10.00 Severity: 7.50 Urgency: 6.58
Last Change: Updated packages that rectify this issue are now available
 from Sendmail.
---------------------------------------------------------------------------
Vulnerable Systems
 Sendmail Consortium Sendmail 8.12beta7
 Sendmail Consortium Sendmail 8.12beta5
 Sendmail Consortium Sendmail 8.12beta16
 Sendmail Consortium Sendmail 8.12beta12
 Sendmail Consortium Sendmail 8.12beta10
 Sendmail Consortium Sendmail 8.11.5
 Sendmail Consortium Sendmail 8.11.4
 Sendmail Consortium Sendmail 8.11.3
 Sendmail Consortium Sendmail 8.11.2
 Sendmail Consortium Sendmail 8.11.1
 Sendmail Consortium Sendmail 8.11
Non-Vulnerable Systems
Summary
 Sendmail contains an input validation error that may lead to the
 execution of arbitrary code with elevated privileges.
Impact
 Local users may be able to write arbitrary data to process memory,
 possibly allowing the execution of code/commands with elevated
 privileges.
Technical Description
 An input validation error exists in Sendmail's debugging functionality.
 The problem is the result of the use of signed integers in the
 program's tTflag() function, which is responsible for processing
 arguments supplied from the command line with the '-d' switch and
 writing the values to its internal "trace vector." The vulnerability
 exists because it is possible to cause a signed integer overflow by
 supplying a large numeric value for the 'category' part of the debugger
 arguments. The numeric value is used as an index into the trace vector.
 Before the vector is written to, a check is performed to ensure that
 the supplied index value is not greater than the size of the vector.
 However, because a signed integer comparison is used, it is possible to
 bypass the check by supplying a value whose signed integer equivalent
 is negative. This may allow an attacker to write data anywhere within
 a certain range of locations in process memory.
 Because the '-d' command-line switch is processed before the program
 drops its elevated privileges, this could lead to a full system
 compromise. This vulnerability has been successfully exploited in a
 laboratory environment.
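 The bug class described above, shown as an added illustration (this is
 not sendmail's code; TTSIZE, the tTdvect array and the function names are
 constructed for the example): a category string accumulated into a signed
 32-bit value wraps negative and slips past an upper-bound-only signed
 comparison, while the hardened parser keeps the value unsigned, reports
 overflow, and checks both bounds before the index is used.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed trace vector; TTSIZE is a placeholder, not sendmail's size. */
#define TTSIZE 100
static unsigned char tTdvect[TTSIZE];

/* Vulnerable pattern: digits are accumulated into a 32-bit value that is
 * then treated as a signed int, so "4294967291" becomes -5. (The unsigned
 * to signed conversion is implementation-defined in C; mainstream
 * compilers wrap in two's complement.) */
static int32_t accumulate_signed(const char *s)
{
    uint32_t u = 0;
    while (*s >= '0' && *s <= '9')
        u = u * 10u + (uint32_t)(*s++ - '0');   /* unsigned wrap is defined */
    return (int32_t)u;
}

/* Vulnerable-style bounds check: only the upper bound is tested, with a
 * signed comparison, so a negative index is accepted. */
static int index_accepted_signed(int32_t i)
{
    return i < TTSIZE;
}

/* Hardened parse of the "category" or "category.level" argument form:
 * the first character must be a digit (no sign, no whitespace), strtoul
 * reports overflow via ERANGE, and the value is range-checked while still
 * unsigned. Returns the index, or -1 if the category is rejected. */
static long checked_category(const char *s)
{
    char *end;
    unsigned long v;
    if (*s < '0' || *s > '9') return -1;            /* not a plain number */
    errno = 0;
    v = strtoul(s, &end, 10);
    if (*end != '\0' && *end != '.') return -1;     /* trailing garbage */
    if (errno == ERANGE || v >= TTSIZE) return -1;  /* too large for vector */
    return (long)v;
}

/* Writes the level only when the index passed the hardened check. */
static int set_trace_level(const char *arg, unsigned char level)
{
    long idx = checked_category(arg);
    if (idx < 0) return 0;
    tTdvect[idx] = level;
    return 1;
}

static unsigned char trace_level(size_t i) { return tTdvect[i]; }
```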
Attack Scenarios
 An attacker with local access must determine the memory offsets of the
 program's internal tTdvect variable and the location to which he or she
 wishes to have data written.
 The attacker must craft, in architecture-specific binary code, the
 commands (or 'shellcode') to be executed with higher privilege. The
 attacker must then run the program, using the '-d' flag to overwrite a
 function return address with the location of the supplied shellcode.
Exploits
 Currently the SecurityFocus staff are not aware of any exploits for
 this issue. If you feel we are in error or are aware of more recent
 information, please mail us at vuldb@securityfocus.com
 <mailto:vuldb@securityfocus.com>.
Mitigating Strategies
 Restrict local access to trusted users only.
Solutions
 Below is a statement from the Sendmail Consortium regarding this issue
 --------------------
 This vulnerability, present in sendmail open source versions between
 8.11.0 and 8.11.5, has been corrected in 8.11.6. sendmail 8.12.0.Beta
 users should upgrade to 8.12.0.Beta19. The problem was not present in
 8.10 or earlier versions. However, as always, we recommend using the
 latest version. Note that this problem is not remotely exploitable.
 Additionally, sendmail 8.12 will no longer use a set-user-id root
 binary by default.
 --------------------
 Updated packages that rectify this issue are available from the vendor:
 For Sendmail Consortium Sendmail 8.11, 8.11.1, 8.11.2, 8.11.3, 8.11.4
 and 8.11.5:
  Sendmail Consortium upgrade sendmail 8.11.6
  ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
 For Sendmail Consortium Sendmail 8.12beta5, 8.12beta7, 8.12beta10,
 8.12beta12 and 8.12beta16:
  Sendmail Consortium upgrade sendmail 8.12.0 Beta19
  ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
Credit
 Discovered by Cade Cairns <cairnsc@securityfocus.com> of the Security
 Focus SIA Threat Analysis Team.
References
 Web page: Sendmail Homepage (Sendmail)
 http://www.sendmail.org/
ChangeLog
 Aug 20, 2001: Updated packages that rectify this issue are now
 available from Sendmail.
 Aug 20, 2001: Updated versions of Sendmail will be available today at
 4:00 PDT.
 Aug 09, 2001: Initial analysis.
---------------------------------------------------------------------------
HOW TO INTERPRET THIS ALERT
 BUGTRAQ ID This is a unique identifier assigned to the
 vulnerability by SecurityFocus.com.
 CVE ID This is a unique identifier assigned to the
 vulnerability by the CVE.
 Published The date the vulnerability was first made public.
 Updated The date the information was last updated.
 Remote Whether this is a remotely exploitable
 vulnerability.
 Local Whether this is a locally exploitable
 vulnerability.
 Credibility Describes how credible the information about the
 vulnerability is. Possible values are:
 Conflicting Reports: There are multiple conflicting
 reports about the existence of the vulnerability.
 Single Source: There is a single non-reliable
 source reporting the existence of the
 vulnerability.
 Reliable Source: There is a single reliable source
 reporting the existence of the vulnerability.
 Conflicting Details: There is consensus on the
 existence of the vulnerability but not its
 details.
 Multiple Sources: There is consensus on the
 existence and details of the vulnerability.
 Vendor Confirmed: The vendor has confirmed the
 vulnerability.
 Class The class of vulnerability. Possible values are:
 Boundary Condition Error, Access Validation Error,
 Origin Validation Error, Input Validation Error,
 Failure to Handle Exceptional Conditions, Race
 Condition Error, Serialization Error, Atomicity
 Error, Environment Error, and Configuration Error.
 Ease Rates how easily the vulnerability can be
 exploited. Possible values are: No Exploit
 Available, Exploit Available, and No Exploit
 Required.
 Impact Rates the impact of the vulnerability. Its range
 is 1 through 10.
 Severity Rates the severity of the vulnerability. Its range
 is 1 through 10. It is computed from the impact
 rating and remote flag. Remote vulnerabilities with
 a high impact rating receive a high severity
 rating. Local vulnerabilities with a low impact
 rating receive a low severity rating.
 Urgency Rates how quickly you should take action to fix or
 mitigate the vulnerability. Its range is 1 through
 10. It is computed from the severity rating, the
 ease rating, and the credibility rating. High
 severity vulnerabilities with a high ease rating
 and a high credibility rating have a higher urgency
 rating. Low severity vulnerabilities with a low
 ease rating and a low credibility rating have a
 lower urgency rating.
 Last Change The last change made to the vulnerability
 information.
 Vulnerable Systems The list of vulnerable systems. A '+' preceding a
 system name indicates that one of the system
 components is vulnerable. For example,
 Windows 98 ships with Internet Explorer, so if a
 vulnerability is found in IE you may see something
 like: Microsoft Internet Explorer + Microsoft
 Windows 98
 Non-Vulnerable Systems The list of non-vulnerable systems.
 Summary A concise summary of the vulnerability.
 Impact The impact of the vulnerability.
 Technical Description The in-depth description of the vulnerability.
 Attack Scenarios Ways an attacker may make use of the vulnerability.
 Exploits Exploit instructions or programs.
 Mitigating Strategies Ways to mitigate the vulnerability.
 Solutions Solutions to the vulnerability.
 Credit Information about who disclosed the vulnerability.
 References Sources of information on the vulnerability.
 Related Resources Resources that might be of additional value.
 ChangeLog History of changes to the vulnerability record.
---------------------------------------------------------------------------
 Copyright 2001 SecurityFocus.com
 https://alerts.securityfocus.com/
[***** End Security Focus Security Alert *****]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Security Focus for the 
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
 Voice: +1 925-422-8193 (7x24)
 FAX: +1 925-423-8002
 STU-III: +1 925-423-2604
 E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
 World Wide Web: http://www.ciac.org/
 Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
L-123: AIX libi18n Library Vulnerability
L-124: Remote Buffer Overflow in telnetd
L-125: SGI netprint Dynamic Shared Objects (DSO) Exploit
L-126: Microsoft Remote Procedure Call (RPC) Server Vulnerability
L-127: Sun BIND Vulnerabilities
L-128: MIT Kerberos 5 telnetd Buffer Overflows
L-129: Sun in.ftpd Filename Expansion Vulnerability
L-130: Multiple DoS Vulnerabilities in Cisco Broadband Operating Sy
L-131: IBM AIX telnetd Buffer Overflow
L-132: Microsoft Cumulative Patch for IIS