Category:   Application (E-mail Server)  >   Sendmail
Vendors:   Sendmail Consortium
(Slackware Issues Fix) Re: Sendmail Command Line Debugging Validation Flaw Lets Local Users Execute Arbitrary Code and Gain Root Privileges
SecurityTracker Alert ID:  1002289
SecurityTracker URL:  http://securitytracker.com/id/1002289
CVE Reference:   CVE-2001-0653
Date:  Aug 27 2001
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): versions between 8.10.0 and 8.11.5 as well as all 8.12.0.Beta versions
Description:   SecurityFocus discovered an input validation vulnerability in the Sendmail '-d' debugging facility that allows a local user to execute arbitrary code with root level privileges.

The vulnerability is reportedly due to a flaw in the use of signed integers in Sendmail's tTflag() debugging function.

A local user can call sendmail with the '-d' command line switch and supply a large value for the 'category' part of the arguments, which is used as an index into the system's internal trace vector. The user-supplied arguments can apparently cause a signed integer overflow such that the input validation function does not detect that the size of the user-supplied trace vector data exceeds the indicated (and overflowed) length value.

It is reported that the trace vector data is written before the program drops its set user id (suid) root privileges. As a result, a local user can overwrite process memory and cause arbitrary code to be executed with root privileges.
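
The class of flaw described above, as an added C model (not Sendmail's source code and not part of the original alert): a decimal index parsed into a signed integer wraps to a negative value and passes a check that tests only the upper bound, while a parser that bounds the value as it reads rejects it. The vector size and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define TRACE_VECTOR_SIZE 100   /* assumed vector size for this model */

/* Parse decimal digits with 32-bit wraparound, modelling what a signed
 * int accumulator does in practice. Unsigned arithmetic keeps the model
 * itself free of undefined behaviour. */
static int32_t parse_wrapping(const char *s)
{
    uint32_t acc = 0;
    while (*s >= '0' && *s <= '9')
        acc = acc * 10u + (uint32_t)(*s++ - '0');
    /* Reinterpret the bits as a two's-complement signed value. */
    return acc <= INT32_MAX ? (int32_t)acc
                            : -(int32_t)(UINT32_MAX - acc) - 1;
}

/* Flawed validation: only the upper bound is tested, so an index that
 * wrapped to a negative value is accepted (returns 1). */
int flawed_accepts(const char *category)
{
    return parse_wrapping(category) < TRACE_VECTOR_SIZE;
}

/* Hardened validation: bound the value while parsing, so it can never
 * wrap. Returns the index, or -1 if it is missing or out of range. */
int hardened_index(const char *category)
{
    uint32_t acc = 0;
    if (*category < '0' || *category > '9')
        return -1;
    for (; *category >= '0' && *category <= '9'; category++) {
        acc = acc * 10u + (uint32_t)(*category - '0');
        if (acc >= TRACE_VECTOR_SIZE)
            return -1;
    }
    return (int)acc;
}

int main(void)
{
    /* Constructed inputs: in range, just out of range, and two that wrap. */
    const char *samples[] = { "8", "100", "2147483648", "4294967295" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-11s wrapped=%ld flawed=%d hardened=%d\n", samples[i],
               (long)parse_wrapping(samples[i]), flawed_accepts(samples[i]),
               hardened_index(samples[i]));
    return 0;
}
```
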

Impact:   A local user can invoke sendmail and cause arbitrary code to be executed with root level privileges, giving the user root level access on the system.
Solution:   Slackware has issued a fix. Locations of the new packages are listed in the Source Message.
Vendor URL:  www.sendmail.org/
Cause:   Input validation error
Underlying OS:   Linux (Slackware)

Message History:   This archive entry is a follow-up to the message listed below.
Aug 21 2001 Sendmail Command Line Debugging Validation Flaw Lets Local Users Execute Arbitrary Code and Gain Root Privileges



 Source Message Contents

Date:  Sun, 26 Aug 2001 19:11:57 -0700 (PDT)
Subject:  [slackware-security] sendmail and procmail update




An input validation error in sendmail has been discovered by Cade Cairns of
SecurityFocus.  This problem can be exploited by local users to gain root
access.  It is not exploitable by remote attackers without shell access.
New packages based on sendmail.8.11.6 have been prepared for Slackware 7.1
and 8.0.

Detailed information about this security problem may be found here:
   http://www.securityfocus.com/bid/3163

New procmail packages have been prepared as well, based on procmail-3.21.
The ChangeLog notes that these problems were fixed as of procmail-3.20,
but it's not known how serious they really are:
     - SECURITY: don't do unsafe things from signal handlers:
       - ignore TRAP when terminating because of a signal
       - resolve the host and protocol of COMSAT when it is set
       - save the absolute path form of $LASTFOLDER for the comsat
         message when it is set
       - only use the log buffer if it's safe


WHERE TO FIND THE NEW PACKAGES:
-------------------------------

Updated packages for Slackware 8.0:
ftp://ftp1.sourceforge.net/pub/slackware/slackware-8.0/patches/packages/procmail.tgz
ftp://ftp1.sourceforge.net/pub/slackware/slackware-8.0/patches/packages/sendmail.tgz
ftp://ftp1.sourceforge.net/pub/slackware/slackware-8.0/patches/packages/smailcfg.tgz

Updated packages for Slackware 7.1:
ftp://ftp1.sourceforge.net/pub/slackware/slackware-7.1/patches/packages/procmail.tgz
ftp://ftp1.sourceforge.net/pub/slackware/slackware-7.1/patches/packages/sendmail.tgz
ftp://ftp1.sourceforge.net/pub/slackware/slackware-7.1/patches/packages/smailcfg.tgz


MD5 SIGNATURES:
---------------

Here are the md5sums for the packages:

Slackware 8.0 packages:
56099f1bce9643e44342711878a7ceb0  ./packages/procmail.tgz
3d03fd648ecf40eed56ff915780fb8ab  ./packages/sendmail.tgz
1a13d98a11d0af853893a640909d8958  ./packages/smailcfg.tgz

Slackware 7.1 packages:
121f13cecaaac0efdc1b510b68e6c147  ./packages/procmail.tgz
7c0e57969057ba72e6b59e26aa39de04  ./packages/sendmail.tgz
9e30e9e07fce4001bbf7f330cb2f9d71  ./packages/smailcfg.tgz


INSTALLATION INSTRUCTIONS:
--------------------------

First, kill any existing sendmail processes:

killall -9 sendmail

Then, as root, upgrade the sendmail package with upgradepkg:

upgradepkg sendmail.tgz

Then, restart sendmail:

/usr/sbin/sendmail -bd -q15m



- Slackware Linux Security Team
  http://www.slackware.com

