SecurityTracker.com
SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   Sendmail
Vendors:   Sendmail Consortium
(OpenBSD Issues Fix) Re: Sendmail Command Line Debugging Validation Flaw Lets Local Users Execute Arbitrary Code and Gain Root Privileges
SecurityTracker Alert ID:  1002231
SecurityTracker URL:  http://securitytracker.com/id/1002231
CVE Reference:   CVE-2001-0653
Date:  Aug 22 2001
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): versions between 8.10.0 and 8.11.5 as well as all 8.12.0.Beta versions
Description:   SecurityFocus discovered an input validation vulnerability in the Sendmail '-d' debugging facility that allows a local user to execute arbitrary code with root level privileges.

The vulnerability is reportedly due to a flaw in the use of signed integers in Sendmail's tTflag() debugging function.

A local user can call sendmail with the '-d' command line switch and supply a large value for the 'category' part of the arguments, which is used as an index into the system's internal trace vector. The user-supplied arguments can apparently cause a signed integer overflow such that the input validation function does not detect that the size of the user-supplied trace vector data exceeds the indicated (and overflowed) length value.

It is reported that the trace vector data is written before the program drops its set user id (suid) root privileges. As a result, a local user can overwrite process memory and cause arbitrary code to be executed with root privileges.
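The class of bug described above, a signed index validated only against an upper bound, shown beside a hardened check. This is an added illustration, not Sendmail's tTflag() source; TV_SIZE, tv and the function names are hypothetical, and the sample inputs are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define TV_SIZE 100                 /* hypothetical trace-vector size */
static unsigned char tv[TV_SIZE];   /* hypothetical trace vector */

/* Flawed pattern: the category ends up in a signed int and only its upper
 * bound is tested. Digits are accumulated unsigned so the wraparound is
 * well defined; converting to int gives a negative value on the usual
 * two's-complement compilers. Returns the index a caller would then use. */
static int flawed_category(const char *s)
{
    unsigned int v = 0;
    while (*s >= '0' && *s <= '9')
        v = v * 10u + (unsigned int)(*s++ - '0');
    int idx = (int)v;
    if (idx >= TV_SIZE)             /* upper bound only: negatives pass */
        idx = TV_SIZE - 1;
    return idx;                     /* can be < 0, i.e. before tv[0] */
}

/* Hardened form: detect parse overflow, compare as unsigned, and reject
 * out-of-range input instead of clamping. Returns 0 on success, -1 on reject. */
static int set_category(const char *s, unsigned char level)
{
    char *end;
    if (*s < '0' || *s > '9')       /* strtoul would accept a sign or spaces */
        return -1;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v >= TV_SIZE)
        return -1;
    tv[v] = level;
    return 0;
}

/* 1 if idx is a valid subscript for tv, 0 otherwise. */
static int in_bounds(int idx) { return idx >= 0 && idx < TV_SIZE; }

int main(void)
{
    const char *samples[] = { "5", "500", "2147483648" };  /* constructed */
    for (int i = 0; i < 3; i++) {
        int idx = flawed_category(samples[i]);
        printf("%-11s flawed idx=%d in_bounds=%d hardened=%d\n", samples[i],
               idx, in_bounds(idx), set_category(samples[i], 1));
    }
    return 0;
}
```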

Impact:   A local user can invoke sendmail and cause arbitrary code to be executed with root level privileges, giving the user root level access on the system.
Solution:   OpenBSD has issued patches:

OpenBSD 2.9:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/013_sendmail.patch
NOTE: also requires 001_sendmail.patch

OpenBSD 2.8:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.8/common/031_sendmail.patch
NOTE: also requires 028_sendmail.patch

The vendor reports that these patches have already been applied to the 2.9 and 2.8 stable branches (cvs tags OPENBSD_2_9 and OPENBSD_2_8, respectively).

Vendor URL:  www.sendmail.org/
Cause:   Input validation error
Underlying OS:  UNIX (OpenBSD)

Message History:   This archive entry is a follow-up to the message listed below.
Aug 21 2001 Sendmail Command Line Debugging Validation Flaw Lets Local Users Execute Arbitrary Code and Gain Root Privileges



 Source Message Contents

Subject:  Re: Patch for sendmail vulnerability available


The patch prerequisite info was swapped, it should be:

Patches:
    OpenBSD 2.9:
	ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/013_sendmail.patch
	NOTE: also requires 001_sendmail.patch

    OpenBSD 2.8:
	ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.8/common/031_sendmail.patch
	NOTE: also requires 028_sendmail.patch

 - todd

 
 



Copyright 2021, SecurityGlobal.net LLC