Sun Solaris mail(1) Utility Lets Programs Pass Command Line Options to Sendmail that Could Give a Local or Remote User Elevated Privileges on the System
|
SecurityTracker Alert ID: 1003523
|
SecurityTracker URL: http://securitytracker.com/id/1003523
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Date: Feb 12 2002
|
Impact:
Execution of arbitrary code via network, Modification of system information, Root access via network, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Description:
Sun issued an alert warning of a vulnerability in mail(1). A remote user may be able to gain elevated privileges on the system.
Sun reports that a vulnerability in the interaction between mail(1) and sendmail(1M) may allow a privileged program that calls mail to pass configuration options to sendmail. This was reported earlier for in.lpd, where a remote user could send data to the network print daemon to cause sendmail to be invoked with root privileges and an alternate configuration file (leading to remote root access). According to Sun, in.lpd is the only privileged program that Sun ships that can use mail in an unsafe fashion. However, Sun warns that there may be proprietary or third-party applications that use mail and could trigger this flaw.
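For the third-party programs the description warns about, one way to keep a caller-supplied recipient from reaching mail as an option. This is an added example, not code from Sun's alert or from SecurityTracker; it assumes the untrusted value is the recipient address, and the function names, the allowed character set and the use of `--` are choices made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed policy for this example: a recipient is a local user name or
 * user@host built only from these characters. */
static const char ALLOWED[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-+@";

/* Return 1 if rcpt can be passed to the mailer as a plain operand. */
int recipient_is_safe(const char *rcpt)
{
    size_t len;

    if (rcpt == NULL)
        return 0;
    len = strlen(rcpt);
    if (len == 0 || len > 255)
        return 0;
    if (rcpt[0] == '-')                  /* would be parsed as an option */
        return 0;
    return strspn(rcpt, ALLOWED) == len; /* no spaces, quotes or shell metacharacters */
}

/* Fill argv for a direct execv() of the mailer, with no shell in between.
 * Returns 0 on success, -1 if the recipient is rejected. */
int build_mail_argv(const char *rcpt, const char *argv[4])
{
    if (!recipient_is_safe(rcpt))
        return -1;
    argv[0] = "mail";
    argv[1] = "--";   /* assumption: the mailer parses options with getopt(3C) */
    argv[2] = rcpt;
    argv[3] = NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the advisory. */
    const char *samples[] = { "alice", "alice@example.com", "-v", "bob extra", "" };
    const char *argv[4];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %s\n", samples[i],
               build_mail_argv(samples[i], argv) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The validation is the primary control; the `--` separator only helps if the mailer in use honours it.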
|
Impact:
A local or remote user could gain elevated privileges on the system.
|
Solution:
This vulnerability is reportedly fixed in the following releases:
SPARC
Solaris 2.5.1 with patch 109275-03 or later
Solaris 2.6 with patch 109266-03 or later
Solaris 7 with patch 109253-04 or later
Solaris 8 with patch 111874-04 or later
Intel
Solaris 2.5.1 with patch 109276-03 or later
Solaris 2.6 with patch 109267-03 or later
Solaris 7 with patch 109254-04 or later
Solaris 8 with patch 111875-04 or later
Sun notes that the above patches address Bug ID 4502850 and most issues described in Sun Alert 41664, "Security Vulnerability with the in.lpd(1M) Daemon Allowing Options to be Passed to Sendmail". However, a final solution for Sun Alert 41664 is reported to be pending completion.
|
Vendor URL: www.sun.com/
|
Cause:
Input validation error
|
Underlying OS:
UNIX (Solaris - SunOS)
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 12 Feb 2002 09:23:30 -0500
Subject: mail(1) Vulnerability May Allow Options to be Passed to Sendmail
|
The following information is based on Sun Alert ID: 42774
Sun reports that mail(1) Vulnerability May Allow Options to be Passed to
Sendmail (on Solaris).
Sun reports that an unprivileged local or remote user may be able to
gain elevated privileges due to a vulnerability involving the
interaction of mail(1) and sendmail(1M) when mail(1) is invoked from a
privileged program.
The only such privileged program that Sun reportedly ships is
in.lpd(1M). With in.lpd, unauthorized root access is possible.
Sun reports that this specific instance is already described in SunAlert
41664 and is related to CERT Vulnerability Note VU#39001, 'lpd allows
options to be passed to sendmail' described at
http://www.kb.cert.org/vuls/id/39001 which is referenced in CA-2001-30
(see http://www.cert.org/advisories/CA-2001-30.html).
However, Sun cautions that some proprietary or third-party applications
may also be affected by this issue.
This vulnerability affects the following releases:
SPARC
Solaris 2.5.1 without patch 109275-03
Solaris 2.6 without patch 109266-03
Solaris 7 without patch 109253-04
Solaris 8 without patch 111874-04
Intel
Solaris 2.5.1 without patch 109276-03
Solaris 2.6 without patch 109267-03
Solaris 7 without patch 109254-04
Solaris 8 without patch 111875-04
This vulnerability is reportedly fixed in the following releases:
SPARC
Solaris 2.5.1 with patch 109275-03 or later
Solaris 2.6 with patch 109266-03 or later
Solaris 7 with patch 109253-04 or later
Solaris 8 with patch 111874-04 or later
Intel
Solaris 2.5.1 with patch 109276-03 or later
Solaris 2.6 with patch 109267-03 or later
Solaris 7 with patch 109254-04 or later
Solaris 8 with patch 111875-04 or later
Note: The above patches address Bug ID 4502850 and most issues described
in Sun Alert 41664, "Security Vulnerability with the in.lpd(1M) Daemon
Allowing Options to be Passed to Sendmail". A final solution for Sun
Alert 41664 is pending completion.
Product: Solaris
BugIDs: 4502850
State: Resolved
Date Released: 31-Jan-2002
Date Closed: 31-Jan-2002