SecurityTracker.com
Category:   Application (E-mail Server)  >   Sendmail
Vendors:   Sendmail Consortium
(NetBSD Issues Fix) Sendmail Command Line Debugging Validation Flaw Lets Local Users Execute Arbitrary Code and Gain Root Privileges
SecurityTracker Alert ID:  1002342
SecurityTracker URL:  http://securitytracker.com/id/1002342
CVE Reference:   CVE-2001-0653
Date:  Sep 7 2001
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): versions between 8.10.0 and 8.11.5 as well as all 8.12.0.Beta versions
Description:   SecurityFocus discovered an input validation vulnerability in the Sendmail '-d' debugging facility that allows a local user to execute arbitrary code with root level privileges.

The vulnerability is reportedly due to a flaw in the use of signed integers in Sendmail's tTflag() debugging function.

A local user can call sendmail with the '-d' command line switch and supply a large value for the 'category' part of the argument, which is used as an index into the program's internal trace vector. The user-supplied arguments can apparently cause a signed integer overflow such that the input validation function does not detect that the size of the user-supplied trace vector data exceeds the indicated (and overflowed) length value.

It is reported that the trace vector data is written before the program drops its set user id (suid) root privileges. As a result, a local user can overwrite process memory and cause arbitrary code to be executed with root privileges.
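
The signed-index check described above, modelled as an added example; this is not code from sendmail, NetBSD or SecurityTracker. The function names, TRACE_VECTOR_SIZE and the sample inputs are hypothetical, and the flawed variant only returns the index it would accept rather than writing through it.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

#define TRACE_VECTOR_SIZE 100   /* constructed size, not sendmail's value */
static unsigned char trace_vect[TRACE_VECTOR_SIZE];

/* Flawed pattern: the category ends up in a signed int and only the upper
 * bound is checked. Digits are accumulated in uint32_t and converted after,
 * so the wraparound is deterministic here instead of undefined behaviour. */
int32_t parse_category_flawed(const char *s)
{
    uint32_t acc = 0;
    while (isdigit((unsigned char)*s))
        acc = acc * 10u + (uint32_t)(*s++ - '0');
    int32_t idx = (int32_t)acc;          /* a large input can turn negative */
    if (idx >= TRACE_VECTOR_SIZE) idx = TRACE_VECTOR_SIZE - 1; /* upper bound only */
    return idx;                          /* a negative index passes the check */
}

/* Hardened pattern: unsigned index, rejected as soon as it leaves the
 * vector, so the accumulator can never wrap. Returns 0 on success. */
int parse_category_checked(const char *s, size_t *out)
{
    size_t acc = 0;
    if (!isdigit((unsigned char)*s)) return -1;   /* empty or non-numeric */
    while (isdigit((unsigned char)*s)) {
        acc = acc * 10 + (size_t)(*s++ - '0');
        if (acc >= TRACE_VECTOR_SIZE) return -1;  /* out of range: reject */
    }
    *out = acc;
    return 0;
}

/* Only a validated index is ever used for the write. */
int set_trace_level(const char *category, unsigned char level)
{
    size_t idx;
    if (parse_category_checked(category, &idx) != 0) return -1;
    trace_vect[idx] = level;
    return 0;
}

int main(void)
{
    printf("flawed=%d checked=%d\n", (int)parse_category_flawed("4294967295"),
           set_trace_level("4294967295", 1));
    return 0;
}
```

The hardened variant rejects out-of-range input instead of clamping it, so a malformed '-d' argument fails closed before any privileged state is touched.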

Impact:   A local user can invoke sendmail and cause arbitrary code to be executed with root level privileges, giving the user root level access on the system.
Solution:   The vendor has released a fix. See the Source Message for the vendor's advisory containing directions on how to obtain the appropriate fix.
Vendor URL:  www.sendmail.org/
Cause:   Input validation error
Underlying OS:   UNIX (NetBSD)

Message History:   This archive entry is a follow-up to the message listed below.
Aug 21 2001 Sendmail Command Line Debugging Validation Flaw Lets Local Users Execute Arbitrary Code and Gain Root Privileges



 Source Message Contents

Date:  Thu, 6 Sep 2001 10:01:32 -0700
Subject:  NetBSD Security Advisory 2001-017: sendmail(8) incorrect command line argument check


-----BEGIN PGP SIGNED MESSAGE-----


                 NetBSD Security Advisory 2001-017
                 =================================

Topic:		sendmail(8) incorrect command line argument check leads to
		local root privilege compromise

Version:	NetBSD-current:		source prior to August 22, 2001
		NetBSD-1.5.1:		affected
		NetBSD-1.5:		affected
		NetBSD-1.4 branch:	not-affected
		pkgsrc:		        sendmail prior to 8.11.6

Severity:	Local root compromise

Fixed:		NetBSD-current:		August 21, 2001
		NetBSD-1.5 branch:	August 22, 2001
		pkgsrc:		        sendmail-8.11.6


Abstract
========

The following text is from sendmail 8.11.6 release note:

SECURITY: Fix a possible memory access violation when specifying
out-of-bounds debug parameters.  Problem detected by
Cade Cairns of SecurityFocus.


Technical Details
=================

Certain variables were treated as signed values, but should have been
unsigned.  Bounds checking was not done when incrementing an index.

Combined with supplied command-line arguments, a local user could
exploit the setuid-root sendmail binary and the lack of bounds checking
to perform a root compromise.


Solutions and Workarounds
=========================

If your system is running a sendmail version between 8.10.0 and 8.11.5,
your system is vulnerable.  Sendmail 8.11.6 is safe.  Check
/usr/libexec/sendmail/sendmail.

After the upgrade of the binary file, be sure to restart any instances
of a sendmail daemon running on your system.

* All NetBSD releases using sendmail from pkgsrc between 8.10.0 and 8.11.5:

	If you are using sendmail from pkgsrc, upgrade to the
	following, or later:
                sendmail-8.11.6


* NetBSD-current:

	Systems running NetBSD-current dated from before 2001-08-21
	should be upgraded to NetBSD-current dated 2001-08-22 or later.

        The following directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                gnu/dist/sendmail
                gnu/usr.sbin/sendmail

        To update from CVS, re-build, and re-install sendmail:
                # cd /usr/src/gnu
                # cvs update -d -P dist/sendmail usr.sbin/sendmail
                # cd usr.sbin/sendmail
                # make cleandir all install


        Alternatively, apply the following patch (with potential offset
        differences) and rebuild & re-install sendmail:
                ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-017-sendmail.patch

        To patch, re-build and re-install sendmail:
                # cd /usr/src
                # patch < /path/to/SA2001-017-sendmail.patch
                # cd gnu/usr.sbin/sendmail
                # make cleandir all install


* NetBSD 1.5, 1.5.1

        Systems running NetBSD releases on netbsd 1.5 branch (1.5 and 1.5.1)
        should be upgraded to NetBSD 1.5 branch dated 2001-08-23 or later.

        The following directories need to be updated from the
        netbsd-1-5 CVS branch:
                gnu/dist/sendmail
                gnu/usr.sbin/sendmail

        To update from CVS, re-build, and re-install sendmail:
                # cd /usr/src/gnu
                # cvs update -d -P -r netbsd-1-5 dist/sendmail usr.sbin/sendmail
                # cd usr.sbin/sendmail
                # make cleandir all install


        Alternatively, apply the following patch (with potential offset
        differences):
                ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2001-017-sendmail.patch

        To patch, re-build and re-install sendmail:
                # cd /usr/src
                # patch < /path/to/SA2001-017-sendmail.patch
                # cd gnu/usr.sbin/sendmail
                # make cleandir all install


Thanks To
=========

Jun-ichiro itojun Hagino for patches.

Cade Cairns of SecurityFocus for discovering the issue.


Revision History
================

	2001-09-06      Initial release


More Information
================

An up-to-date PGP signed copy of this release will be maintained at
  ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-017.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 2001, The NetBSD Foundation, Inc.  All Rights Reserved.

$NetBSD: NetBSD-SA2001-017.txt,v 1.8 2001/09/06 14:46:04 david Exp $


 
 


Copyright 2013, SecurityGlobal.net LLC