Title: Sendmail v.5 Vulnerability
Released by: CERT
Date: 17th August 1995
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1





=============================================================================

CERT(*) Advisory CA-95:08

Original issue date: August 17, 1995

Last revised: September 23, 1997

                Updated copyright statement



              A complete revision history is at the end of this file.



Topic:  Sendmail v.5 Vulnerability

- -----------------------------------------------------------------------------



The CERT Coordination Center has received reports of a vulnerability in

sendmail version 5. Although this version is several years old, it is still

in use. The vulnerability enables intruders to gain unauthorized privileges,

including root. We recommend installing all patches from your vendor or

moving to the current version of Eric Allman's sendmail (version 8.6.12).



The vulnerability is currently present in all versions of IDA sendmail and in

some vendors' releases of sendmail. The vendors who have reported to us are

listed in Section I.



We will update this advisory as we receive additional information.

Please check advisory files regularly for updates that relate to your site.



- -----------------------------------------------------------------------------



I.   Description



     In sendmail version 5, there is a vulnerability that intruders can

     exploit to create files, append to existing files, or execute programs.



     The vulnerability is currently present in all versions of IDA sendmail

     and in some vendors' releases of sendmail.



     Many vendors have previously installed upgrades or developed patches to

     address the problem; some are working on patches now. Here is a summary

     of vendors who reported to us as of the date of this advisory.



     More details can be found in the appendix of this advisory, which we will

     update as we receive additional information.



     If you do not see your vendor's name or if you have questions about the

     version of sendmail at your site, please contact your vendor directly.



     Source or Vendor

     ----------------

     Eric Allman

     Apple Computer, Inc.

     Berkeley SW. Design

     Cray Research, Inc.

     Data General Corp.

     Digital Equipment Corp.

     Harris Computer Systems

     Hewlett-Packard Company

     IBM Corporation



     NEC Corporation

     NeXT Computer, Inc.

     Open Software Foundation

     The Santa Cruz Operation

     Silicon Graphics Inc.

     Solbourne (Grumman)

     Sun Microsystems, Inc.



     Freely available and distributable software:

     Users of the freely available operating systems Linux (systems using

     sendmail rather than smail), NetBSD, and FreeBSD should upgrade to

     sendmail 8.6.12.



II.  Impact



     Local and remote users can create files, append to existing files or run

     programs on the system. Exploitation can lead to root access.



III. Solution



     A. What to do



        IDA users: Convert to sendmail 8.6.12.



        Other users: Check the vendor information in the appendix of this

          advisory.



          Ensure that you have kept current with upgrades and patches from

          your vendor.



          If no patch is currently available, an alternative is to

          install sendmail 8.6.12.





     B. What you need to know about sendmail



        1. Location

           Sendmail is available by anonymous FTP from



          http://ftp.cs.berkeley.edu/ucb/sendmail

          http://info.cert.org/pub/tools/sendmail/sendmail.8.6.12

          http://ftp.auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu/ucb/sendmail

          http://ftp.cert.dfn.de/pub/tools/net/sendmail/



           The checksums are



           MD5 (sendmail.8.6.12.base.tar.Z) = 31591dfb0dacbe0a7e06147747a6ccea

           MD5 (sendmail.8.6.12.cf.tar.Z) = c60becd7628fad715df8f7e13dcf3cc6

           MD5 (sendmail.8.6.12.misc.tar.Z) = 6212390ca0bb4b353e29521f1aab492f

           MD5 (sendmail.8.6.12.patch) = 10961687c087ef30920b13185eef41e8

           MD5 (sendmail.8.6.12.xdoc.tar.Z) = 8b2252943f365f303b6302b71ef9a841





        2. Additional security



           To restrict sendmail's program mailer facility, obtain

           and install the sendmail restricted shell program (smrsh)

           by Eric Allman (the original author of sendmail), following the

            directions included with the program.



            You should run smrsh with any UNIX system that is running sendmail,

            regardless of vendor or version. Even with Eric Allman's sendmail

            version 8.6.12, it is necessary for security-conscious sites to use

            the smrsh program, as this carries out preprocessing of mail

            headers and adds an extra layer of defense by controlling what

            programs can be spawned by the incoming mail message. Note that

            smrsh has now been included as part of the sendmail distribution

            (effective with 8.7).



            We also urge you to ensure that all patches are installed for the

            distribution of sendmail you are using. Regardless of the vendor or

            version of your UNIX systems and sendmail, the general advice to

            "run the smrsh tool in conjunction with the most recently patched

            version of sendmail for your system" holds true.



            Copies of smrsh may be obtained via anonymous FTP from



              http://info.cert.org/pub/tools/smrsh

              http://ftp.uu.net/pub/security/smrsh



              Checksum information

              --------------------

              BSD Sum

              30114 5 README

              25757 2 smrsh.8

              46786 5 smrsh.c



              System V Sum

              56478 10 README

              42281 4 smrsh.8

              65517 9 smrsh.c



              MD5 Checksum

              MD5 (README)  = fc4cf266288511099e44b664806a5594

              MD5 (smrsh.8) = 35aeefba9714f251a3610c7b1714e355

              MD5 (smrsh.c) = d4822ce7c273fc8b93c68e39ec67739c
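
A way to check downloaded files against the MD5 lines published in Sections III.B.1 and III.B.2 above. This is an added example, not part of the CERT advisory; the function names are hypothetical, file names are assumed to contain no spaces, and the digests are copied from the advisory text.

```shell
#!/bin/sh
# Added example (not from the advisory): check downloaded files against the
# BSD-style "MD5 (name) = digest" lines the advisory publishes.

# The advisory's MD5 lines for the sendmail 8.6.12 distribution (Sec. III.B.1).
sendmail_manifest() {
    cat <<'EOF'
MD5 (sendmail.8.6.12.base.tar.Z) = 31591dfb0dacbe0a7e06147747a6ccea
MD5 (sendmail.8.6.12.cf.tar.Z) = c60becd7628fad715df8f7e13dcf3cc6
MD5 (sendmail.8.6.12.misc.tar.Z) = 6212390ca0bb4b353e29521f1aab492f
MD5 (sendmail.8.6.12.patch) = 10961687c087ef30920b13185eef41e8
MD5 (sendmail.8.6.12.xdoc.tar.Z) = 8b2252943f365f303b6302b71ef9a841
EOF
}

# The advisory's MD5 lines for smrsh (Sec. III.B.2).
smrsh_manifest() {
    cat <<'EOF'
MD5 (README)  = fc4cf266288511099e44b664806a5594
MD5 (smrsh.8) = 35aeefba9714f251a3610c7b1714e355
MD5 (smrsh.c) = d4822ce7c273fc8b93c68e39ec67739c
EOF
}

# md5_of FILE: print FILE's MD5 as lowercase hex, using whichever tool exists.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | awk '{ print tolower($1) }'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1" | tr 'A-F' 'a-f'
    else
        openssl md5 < "$1" | awk '{ print tolower($NF) }'
    fi
}

# parse_manifest FILE: print "name digest" for each well-formed MD5 line;
# anything else (prose, other checksum formats) is ignored.
parse_manifest() {
    sed -n 's/^[[:space:]]*MD5 (\([^) ]*\))[[:space:]]*=[[:space:]]*\([0-9A-Fa-f]\{32\}\)[[:space:]]*$/\1 \2/p' "$1"
}

# verify_manifest MANIFEST DIR: check every listed file under DIR.
# Returns 0 only if all match, 1 on any missing or mismatched file,
# 2 if MANIFEST contains no checksum lines at all.
verify_manifest() {
    rc=0; seen=0
    while read -r name want; do
        [ -n "$name" ] || continue
        seen=$((seen + 1))
        case $name in
            # A manifest entry must be a plain file name, never a path.
            */*|.|..) echo "REJECT   $name"; rc=1; continue ;;
        esac
        if [ ! -f "$2/$name" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        got=$(md5_of "$2/$name")
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (computed $got)"; rc=1
        fi
    done <<EOF
$(parse_manifest "$1")
EOF
    [ "$seen" -gt 0 ] || { echo "no MD5 lines found in $1" >&2; return 2; }
    return "$rc"
}

# Usage: sendmail_manifest > m.txt && verify_manifest m.txt ./downloads
if [ "$#" -eq 2 ]; then
    verify_manifest "$1" "$2"
fi
```

MD5 is the only digest the advisory publishes for these files; it is no longer collision-resistant, so a match rules out a damaged or truncated transfer but is not proof of origin.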





         3. Notes on installation



            Depending upon the currently installed sendmail program, switching

            to a different sendmail may require significant effort (such as

            rewriting the sendmail.cf file).



 ...........................................................................



 Appendix: Vendor Information



 Below is information we have received from vendors about the vulnerability in

 sendmail version 5. If you do not see your vendor's name below, contact the

 vendor directly for information.



 -------------

 Eric Allman



 Sendmail 8.6.10 and later are not vulnerable. The current version is 8.6.12.

 Because the current version addresses vulnerabilities that appear in earlier

 versions, it is a good idea to use 8.6.12.



 Sendmail is available by anonymous FTP from



    http://ftp.cs.berkeley.edu/ucb/sendmail

    http://info.cert.org/pub/tools/sendmail/sendmail.8.6.12

    http://ftp.auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu/ucb/sendmail

    http://ftp.cert.dfn.de/pub/tools/net/sendmail/



 The checksums are



     MD5 (sendmail.8.6.12.base.tar.Z) = 31591dfb0dacbe0a7e06147747a6ccea

     MD5 (sendmail.8.6.12.cf.tar.Z) = c60becd7628fad715df8f7e13dcf3cc6

     MD5 (sendmail.8.6.12.misc.tar.Z) = 6212390ca0bb4b353e29521f1aab492f

     MD5 (sendmail.8.6.12.patch) = 10961687c087ef30920b13185eef41e8

     MD5 (sendmail.8.6.12.xdoc.tar.Z) = 8b2252943f365f303b6302b71ef9a841



 -------------

 Apple Computer, Inc.



 [The following information also appeared in CERT advisory

 CA-95:05, "Sendmail Vulnerabilities."]



 An upgrade to A/UX version 3.1 (and 3.1.1) for these vulnerabilities is

 available.  The upgrade replaces the sendmail binary with the 8.6.10

 version.  It is available via anonymous FTP from ftp.support.apple.:



         pub/apple_sw_updates/US/Unix/A_UX/supported/3.x/sendmail/



 It is also available via anonymous FTP from abs.apple.com:



         pub/abs/aws95/patches/sendmail/



 In both cases the compressed binary has the following signature:



         MD5 (sendmail.Z) = 31bb15604517630f46d7444a6cfab3f1



 Uncompress(1) this file and replace the existing version in /usr/lib;

 be sure to preserve the hard links to /usr/ucb/newaliases and

 /usr/ucb/mailq, kill the running sendmail and restart.



 Earlier versions of A/UX are not supported by this patch.  Users of

 previous versions are encouraged to update their system or compile

 the latest version of sendmail available from ftp.cs.berkeley.edu.



 Customers should contact their reseller for any additional information.



 -------------

 Berkeley Software Design, Inc. (BSDI)



 BSD/OS V2.0.1 is not vulnerable.



 BSD/OS V2.0 users should install patch U200-011, available from

 ftp.bsdi.com in bsdi/patches/U200-011.



 BSDI Support contact information:

     Phone: +1 719 536 9346

     EMail: support@bsdi.com



 -------------

 Cray Research, Inc.

 not vulnerable



 -------------

 Data General Corporation



 DG/UX 5.4R3.00 and 5.4R3.10 (and associated Trusted version) are

 vulnerable.  Patches in progress now.



 The upcoming release (R4.10 and R4.11) will not have this vulnerability

 since these releases ship sendmail version 8.



 -------------

 Digital Equipment Corp.



 A patch for SENDMAIL (ULTSENDMAIL_EO1044 & OSFSENDMAIL_E01032) has been

 available for some time, so if you have kept current with patches you are not

 vulnerable to this particular reported problem.



 If you have not applied the kits above, Digital Equipment Corporation strongly

 urges customers to upgrade to the latest versions of ULTRIX V4.4 or DIGITAL

 DEC OSF/1 V3.2, then apply the appropriate sendmail solution kit.



 The above kits can be obtained through your normal Digital support channels or

 by access (kit) request via DSNlink, DSIN, or DIA.



 -------------

 Grumman Systems Support Corporation (GSSC)



 GSSC now performs all Solbourne software and hardware support.



 We recommend running sendmail 8.6.10 (or later revision.)

 8.6.12 has proven reliable in production use on Solbourne systems.



 We plan to release the Solbourne version of the Sun patch

 when it becomes available.



 Contact info:



         ftp: ftp.nts.gssc.com

         phone: 1-800-447-2861

         email: support@nts.gssc.com



 -------------

 Harris Computer Systems

 not vulnerable



 -------------

 Hewlett-Packard Company



 Hewlett-Packard issued security bulletin #25 on April 2, 1995 announcing

 patches and describing a fix. The patches are



                  PHNE_5402 (series 700/800, HP-UX 9.x), or

                  PHNE_5401 (series 700/800, HP-UX 8.x), or

                  PHNE_5384 (series 300/400, HP-UX 9.x), or

                  PHNE_5383 (series 300/400, HP-UX 8.x), or

                  PHNE_5387 (series 700, HP-UX 9.09), or

                  PHNE_5388 (series 700, HP-UX 9.09+), or

                  PHNE_5389 (series 800, HP-UX 9.08)



 The bulletin is available from the HP SupportLine and from http://www.hp.com

 in the HPSL category and from http://support.mayfield.hp.com.



 Patches may be obtained from HP via FTP (this is NOT anonymous FTP) or the HP

 SupportLine.  To obtain HP security patches, you must first register with the

 HP SupportLine.  The registration instructions are available via anonymous FTP

 at info.cert.org in the file "pub/vendors/hp/supportline_and_patch_retrieval".



 HP SupportLine: 1-415-691-3888

 phone: 1-415-691-3680

 telnet/ftp: support.mayfield.hp.com

 WWW: http://www.hp.com

      http://support.mayfield.hp.com.



 -------------

 IBM Corporation



 A patch (ptf U425863) has been available for AIX 3.2 for some time.

 To determine if you have this ptf on your system, run the following command:

      % lslpp -lB U425863



 If you have not already applied the patch, you can order it from IBM as APAR

 ix40304. To order APARs from IBM in the U.S., call 1-800-237-5511. To obtain

 APARs outside of the U.S., contact your local IBM representative.



 -------------

 NEC Corporation



        OS                 Version           Status
 ------------------     ------------     ------------------------------
 EWS-UX/V(Rel4.0)       R1.x - R6.x      vulnerable
 EWS-UX/V(Rel4.2)       R7.x - R10.x     vulnerable
                                         patch available
 EWS-UX/V(Rel4.2MP)     R10.x            vulnerable
                                         patch available
 UP-UX/V                R1.x - R4.x      vulnerable
 UP-UX/V(Rel4.2MP)      R5.x - R7.2      vulnerable
                                         patch available except for R5.x
 UX/4800                R11.x            not vulnerable





 Contacts for further information:

 e-mail:UXcert-CT@d2.bsd.nes.nec.co.jp



 -------------

 NeXT Computer, Inc.



 The sendmail executables included with all versions of NEXTSTEP up

 to and including release 3.3 are vulnerable to this problem.  The

 SendmailPatch previously released for NEXTSTEP 3.1 and 3.2 is also

 vulnerable.



 An updated patch is planned which will address this vulnerability.

 The availability of this patch will be indicated in the NeXTanswers

 section of http://www.next.com/.  For further information you may

 contact NeXT's Technical Support Hotline at (+1-800-955-NeXT) or

 via email to ask_next@NeXT.com.



 -------------

 Open Software Foundation

 not vulnerable



 -------------

 The Santa Cruz Operation



 Support Level Supplement (SLS) net382e contains a patched version of

 sendmail for the following releases:



         SCO TCP/IP Runtime System Release 1.2.1

         SCO Open Desktop Lite Release 3.0

         SCO Open Desktop Release 3.0

         SCO Open Server Network System Release 3.0

         SCO Open Server Enterprise System Release 3.0



 SCO OpenServer 5 contains Sendmail version 8.6.8, and contains fixes

 to all problems reported in this and previous sendmail advisories.

 Users of previous releases should consider updating.



 NOTE: The MMDF (M)ulti-Channel (M)emorandum (D)istribution

 (F)acility is the default mail system on SCO systems.  The MMDF mail

 system is not affected by any of the problems mentioned in these

 advisories.  Administrators who wish to use sendmail must specifically

 configure the system to do so during or after installation.



 To acquire SLS net382e:



 Anonymous ftp on the Internet:

 ==============================



 http://ftp.sco.COM/SLS/net382e.Z         (disk image)

 http://ftp.sco.COM/SLS/net382e.ltr.Z     (documentation)



 Anonymous uucp:

 ===============



 United States:

 --------------

 sosco!/usr/spool/uucppublic/SLS/net382e.Z (disk image)

 sosco!/usr/spool/uucppublic/SLS/net382e.ltr.Z (documentation)



 United Kingdom:

 ---------------

 scolon!/usr/spool/uucppublic/SLS/net382e.Z (disk image)

 scolon!/usr/spool/uucppublic/SLS/net382e.ltr.Z (documentation)





 The telephone numbers and login names for the machines sosco and scolon

 are provided with the default /usr/lib/uucp/Systems file shipped with

 every SCO system.



 The checksums for the files listed above are as follows:



 file              sum -r          md5
 =============     ===========     ================================
 net382e.Z         29715  1813     41efeaaa855e4716ed70c12018014092
 net382e.ltr.Z     52213    14     287ba6131519cba351bc58cb32880fda





 The Support Level Supplement is also available on floppy media from SCO

 Support at the following telephone numbers:



         USA/Canada: 6am-5pm Pacific Daylight Time (PDT)

         -----------

         1-408-425-4726  (voice)

         1-408-427-5443  (fax)



         Pacific Rim, Asia, and Latin American customers: 6am-5pm Pacific

         ------------------------------------------------ Daylight Time

                                                          (PDT)

         1-408-425-4726  (voice)

         1-408-427-5443  (fax)



         Europe, Middle East, Africa: 9am-5:00pm Greenwich Mean Time (GMT)

         ----------------------------

         +44 1923 816344 (voice)

         +44 1923 817781 (fax)



 For further information, contact SCO at one of the above numbers,

 send electronic mail to support@sco.COM, or see the SCO Web Page at:

 http://www.sco.COM.



 -------------

 Silicon Graphics Inc.



 On February 22, 1995, Silicon Graphics issued security advisory 19950201

 addressing sendmail issues being raised at the time and previous older

 version sendmail issues.   Patches are still available and as part of these

 patches, sendmail version 8.6.12 is provided as standard.  At the time

 of this writing here is the patch information.



 **** IRIX 3.x ****



 Unfortunately, Silicon Graphics Inc. no longer supports the IRIX 3.x

 operating system and therefore has no patches or binaries to provide.



 However, two possible actions still remain: 1) upgrade the system to a

 supported version of IRIX (see below) and then install the binary/patch

 or 2) obtain the sendmail source code from anonymous FTP at

 ftp.cs.berkeley.edu and compile the program manually.



 **** IRIX 4.x ****



 For the IRIX operating system version 4.x, a manually installable

 binary replacement has been generated and made available via anonymous

 ftp and/or your service/support provider.  The binary is sendmail.new.Z

 and is installable on all 4.x platforms.



 Binaries can be found at http://ftp.sgi.com/ftp/Patches/4.x

 but not at the alternative location, ~ftp/Security.



   ##### Checksums as of August 17, 1995, 5 p.m. EDT ####



 Filename:                 sendmail.new.Z

 Algorithm #1 (sum -r):    30749 422 sendmail.new.Z

 Algorithm #2 (sum):       62511 422 sendmail.new.Z



 MD5 checksum:             AB327D85D40085D74E9C230EB1A002C3





 Note: SGI plans to upgrade the IRIX 4.x patch soon. If there is a difference

 between the checksums of the file you obtain and those reported here, you

 should rely on SGI's .pgp.and.chksums file.



 After obtaining the binary, it may be installed with the instructions

 below:



         1) Become the root user on the system.



                 % /bin/su -

                 Password:

                 #



         2) Stop the current mail processes.



                 # /etc/init.d/mail stop



         3) Rename the current sendmail binary to a temporary

            name.



                 # mv /usr/lib/sendmail /usr/lib/sendmail.stock



         4) Change permissions on the old sendmail binary so it cannot

            be used anymore.



                 # chmod 0400 /usr/lib/sendmail.stock



         5) Uncompress the binary.



                 # uncompress /tmp/sendmail.new.Z



         6) Put the new sendmail binary into place (in the example

            here the binary was retrieved via anonymous ftp and put

            in /tmp)



                 # mv /tmp/sendmail.new /usr/lib/sendmail



         7) Ensure the correct permissions and ownership on the new

            sendmail.



                 # chown root.sys /usr/lib/sendmail

                 # chmod 4755 /usr/lib/sendmail



         8) Restart the mail system with the new sendmail binary in place.



                 # /etc/init.d/mail start



         9) Return to normal user level.



                 # exit
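
A post-install check for the replacement procedure above, which also covers the hard links named in the Apple entry (/usr/ucb/newaliases and /usr/ucb/mailq). This is an added example, not part of the advisory or of any vendor's instructions; the function names and the EXPECT_UID variable are hypothetical, and whether those link names exist on a given system is an assumption.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a replaced sendmail binary.
# Renaming the old binary (step 3) leaves any hard link to it pointing at
# the old, vulnerable file, so link targets are compared by inode.

# mode_uid FILE: print "<mode string> <numeric uid>", e.g. "-rwsr-xr-x 0".
mode_uid() {
    ls -ldn "$1" | awk '{ print substr($1, 1, 10), $3 }'
}

# inode_of FILE: print FILE's inode number (symlinks are followed).
inode_of() {
    ls -diL "$1" | awk '{ print $1 }'
}

# audit_sendmail NEW OLD [LINK...]
#   NEW   installed binary, expected mode 4755 owned by uid 0
#   OLD   renamed old binary, expected mode 0400 (if it still exists)
#   LINK  names that must be the same file as NEW (e.g. newaliases, mailq)
# EXPECT_UID (hypothetical knob, default 0) overrides the expected owner.
# Prints one finding per problem; returns 0 when nothing is wrong.
audit_sendmail() {
    new=$1; old=$2; shift 2; bad=0
    expect="-rwsr-xr-x ${EXPECT_UID:-0}"
    info=$(mode_uid "$new")
    if [ "$info" != "$expect" ]; then
        echo "$new: is '$info', expected '$expect'"; bad=1
    fi
    if [ -e "$old" ]; then
        case $(mode_uid "$old") in
            "-r--------"*) ;;
            *) echo "$old: old binary is not mode 0400"; bad=1 ;;
        esac
    fi
    for link in "$@"; do
        li=$(inode_of "$link")
        if [ -e "$old" ] && [ "$li" = "$(inode_of "$old")" ]; then
            echo "$link: still the old binary (hard link to $old)"; bad=1
        elif [ "$li" != "$(inode_of "$new")" ]; then
            echo "$link: not the same file as $new"; bad=1
        fi
    done
    return "$bad"
}

# Usage (paths as given in the advisory):
#   audit_sendmail /usr/lib/sendmail /usr/lib/sendmail.stock \
#       /usr/ucb/newaliases /usr/ucb/mailq
if [ "$#" -ge 2 ]; then
    audit_sendmail "$@"
fi
```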



 **** IRIX 5.0.x, 5.1.x ****



 For the IRIX operating systems versions 5.0.x, 5.1.x, an upgrade

 to 5.2 or better is required first.  When the upgrade is completed,

 then the patch described in the next section "**** IRIX 5.2, 5.3, 6.0,

 6.0.1 ****" can be applied.



 **** IRIX 5.2, 5.3, 6.0, 6.0.1 ****



 For the IRIX operating system versions 5.2, 5.3, 6.0 and 6.0.1, an

 inst-able patch has been generated and made available via anonymous

 ftp and/or your service/support provider.  The patch is number 332

 and will install on IRIX 5.2, 5.3, 6.0 and 6.0.1.



 The SGI anonymous ftp site is ftp.sgi.com (192.48.153.1).   Patch

 332 can be found in the following directories on the ftp server:



         ~ftp/Security

                 or

         ~ftp/Patches/5.2

         ~ftp/Patches/5.3

         ~ftp/Patches/6.0

         ~ftp/Patches/6.0.1



 For obtaining security information, patches or assistance, please

 contact your SGI support provider.



 If there are questions about this patch information, email can be

 sent to cse-security-alert@csd.sgi.com .



 For reporting new SGI security issues, email can be sent to

 security-alert@sgi.com .



 -------------

 Solbourne

 see Grumman Systems Support Corporation



 -------------

 Sun Microsystems, Inc.



 Solaris 2.x is not vulnerable.



 Sun OS 4.1.3, 4.1.37_u1, and 4.1.4 are vulnerable, and a patch will be

 available soon.



 This patch can be obtained from local Sun Answer Centers and through anonymous

 FTP from ftp.uu.net in the /systems/sun/sun-dist directory. In Europe, the

 patch is available from mcsun.eu.net (192.16.202.1) in the /sun/fixes

 directory.





 ---------------------------------------------------------------------------

 The CERT Coordination Center staff thanks the vendors listed in this

 advisory, along with Karl Strickland and Neil Woods for their support

 in the development of this advisory.

 ---------------------------------------------------------------------------



 If you believe that your system has been compromised, contact the CERT

 Coordination Center or your representative in the Forum of Incident

 Response and Security Teams (FIRST).



 If you wish to send sensitive incident or vulnerability information to

 CERT staff by electronic mail, we strongly advise that the email be

 encrypted.  The CERT Coordination Center can support a shared DES key, PGP

 (public key available via anonymous FTP on info.cert.org), or PEM (contact

 CERT staff for details).



 Internet email: cert@cert.org

 Telephone: +1 412-268-7090 (24-hour hotline)

            CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),

            and are on call for emergencies during other hours.

 Fax: +1 412-268-6989



 Postal address:  CERT Coordination Center

                  Software Engineering Institute

                  Carnegie Mellon University

                  Pittsburgh, PA 15213-3890

                  USA



 CERT advisories and bulletins are posted on the USENET newsgroup

 comp.security.announce. If you would like to have future advisories and

 bulletins mailed to you or to a mail exploder at your site, please send mail

 to cert-advisory-request@cert.org.



 Past advisories, CERT bulletins, information about FIRST representatives, and

 other information related to computer security are available for anonymous

 FTP from info.cert.org.



- ------------------------------------------------------------------------------



Copyright 1995, 1996 Carnegie Mellon University. Conditions for use,

disclaimers, and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.



CERT is registered in the U.S. Patent and Trademark Office.





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Revision history



Sep. 23, 1997  Updated copyright statement

Aug. 07, 1996  Information previously in the README was inserted

                into the advisory.

Nov. 07, 1995  Sec. III.B.2 - emphasized that smrsh should be run with all

                versions of sendmail.

Sep. 20, 1995  Sec. I - changed "public domain" to "freely available."

               Appendix -  added an entry for Data General.

Aug. 21, 1995  Sec. III.B and appendix, Eric Allman - added a German FTP site

                for sendmail and corrected the URL for Australia.

               Appendix, Silicon Graphics - corrected information for 4.x

               Appendix, Sun - corrected a typo in the OS number



-----BEGIN PGP SIGNATURE-----

Version: PGP for Personal Privacy 5.0

Charset: noconv



iQA/AwUBOBTArFr9kb5qlZHQEQLPRgCfXJvNNSFmIspl9fhB7vDMPuiszYYAoOPO

Bfao1CM276P3mWM9yRwp0k3/

=8vJg

-----END PGP SIGNATURE-----







