(Apple Issues Fix) Re: Sendmail Command Line Debugging Validation Flaw Lets Local Users Execute Arbitrary Code and Gain Root Privileges
|
|
SecurityTracker Alert ID: 1004472 |
|
SecurityTracker URL: http://securitytracker.com/id/1004472
|
|
CVE Reference:
CVE-2001-0653
(Links to External Site)
|
Date: Jun 5 2002
|
Impact:
Execution of arbitrary code via local system, Root access via local system
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): versions between 8.10.0 and 8.11.5 as well as all 8.12.0.Beta versions
|
Description:
SecurityFocus discovered an input validation vulnerability in the Sendmail '-d' debugging facility that allows a local user to execute arbitrary code with root level privileges.
The vulnerability is reportedly due to a flaw in the use of signed integers in Sendmail's tTflag() debugging function.
A remote user can call sendmail with the '-d' command line switch and can supply a large value for the 'category' part of the arguments to be used as an index for the system's internal trace vector. The user-supplied arguments can apparently cause a signed integer overflow such that the input validation function does not detect that the size of the user-supplied trace vector data exceeds the indicated (and overflowed) length value.
It is reported that the trace vector data is written before the program drops its set user id (suid) root privileges. As a result, a local user can overwrite process memory and cause arbitrary code to be executed with root privileges.
|
Impact:
A local user can invoke sendmail and cause arbitrary code to be executed with root level privileges, giving the user root level access on the system.
|
Solution:
Apple has issued a fix. Mac OS X Update 10.1.5 is available at:
- The Software Update pane in System Preferences
- Apple's Software Downloads web page: http://www.info.apple.com/support/downloads.html
Further details are available via the Apple Product Security web site:
http://www.apple.com/support/security/security_updates.html
|
Vendor URL: www.sendmail.org/ (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
UNIX (OS X)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Wed, 5 Jun 2002 11:26:57 -0700
Subject: Security enhancements in Mac OS X 10.1.5
|
-----BEGIN PGP SIGNED MESSAGE-----
Mac OS X Update 10.1.5 is now available and includes the following
security enhancements for your system:
* sudo - Fixes CAN-2002-0184, where a heap overflow in sudo may
allow local users to gain root privileges via special characters in
the -p (prompt) argument.
* sendmail - Fixes CVE-2001-0653, where an input validation error
exists in Sendmail's debugging functionality which could lead to a
system compromise.
Mac OS X Update 10.1.5 may be obtained via: the Software Update pane
in System Preferences and will also be posted to Apple's Software
Downloads web page: http://www.info.apple.com/support/downloads.html
Further details are available via the Apple Product Security web site:
http://www.apple.com/support/security/security_updates.html
This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3
iQEVAwUBPP5XICFlYNdE6F9oAQFBWAf/bkmo5lbMoHKfUyBMx4xS6WJ2Okq8FqBX
hqCnXrhbfAGbAjtGF7QqgcrJa9cjliJonFwxi6bSKgKdUEWlP8sXeBbUb+uMLe7b
JCL4isMTZnN0atkYq9YjrlIWYIh56GW3bUjKLANUR7IN0K0AWl11ARVw2zmz7KLm
ysWAHdZVOOJDqDQTqB0jze02BVggMi9sSkWz7G9xqY7Nnkuq/kxHi9FrjUhqs5To
JKpJxE0+w4A+VCaqlVaZvpHFt/BPzLBdhjNCBXCo4lXYFPuGzP+wogS4lHCFXDsE
rivSNxOdtXHePqSVce6hs+bHVckvAkQtivCd7rAnOlyiO4K/ZTi0qg==
=hQ72
-----END PGP SIGNATURE-----
_______________________________________________
security-announce mailing list | security-announce@lists.apple.com
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/security-announce
Do not post admin requests to the list. They will be ignored.
|
|
