SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   Sendmail
Vendors:   Sendmail Consortium
(Caldera Issues Fix for OpenLinux) Sendmail Command Line Debugging Validation Flaw Lets Local Users Execute Arbitrary Code and Gain Root Privileges
SecurityTracker Alert ID:  1002279
SecurityTracker URL:  http://securitytracker.com/id/1002279
CVE Reference:   CVE-2001-0653
Date:  Aug 27 2001
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): versions between 8.10.0 and 8.11.5 as well as all 8.12.0.Beta versions
Description:   SecurityFocus discovered an input validation vulnerability in the Sendmail '-d' debugging facility that allows a local user to execute arbitrary code with root level privileges.

The vulnerability is reportedly due to a flaw in the use of signed integers in Sendmail's tTflag() debugging function.

A local user can call sendmail with the '-d' command line switch and supply a large value for the 'category' part of the arguments, which is used as an index into the system's internal trace vector. The user-supplied arguments can apparently cause a signed integer overflow, so that the input validation function does not detect that the size of the user-supplied trace vector data exceeds the indicated (and overflowed) length value.

It is reported that the trace vector data is written before the program drops its set user id (suid) root privileges. As a result, a local user can overwrite process memory and cause arbitrary code to be executed with root privileges.
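
A simplified model of the signedness problem described above, as an added example; it is not Sendmail's tTflag() source. TV_SIZE, the function names and the digit parser are assumptions made for illustration, and a 32-bit int is assumed.

```c
#include <stdbool.h>
#include <stdio.h>

#define TV_SIZE 100   /* assumed trace-vector size for this model */

/* Digit accumulation with no overflow check. Unsigned arithmetic keeps the
 * wrap-around well defined here; the result is then treated as signed. */
static int parse_wrapping(const char *s)
{
    unsigned int v = 0;
    while (*s >= '0' && *s <= '9')
        v = v * 10u + (unsigned int)(*s++ - '0');
    return (int)v;   /* "4294967295" becomes -1 with a 32-bit int */
}

/* Flawed check: signed index compared only against the upper bound. */
static bool accepts_flawed(const char *category)
{
    return parse_wrapping(category) < TV_SIZE;
}

/* Hardened parse: unsigned, and rejected as soon as it leaves the valid
 * range, so the accumulator never grows large enough to wrap. */
static bool parse_checked(const char *s, size_t *out)
{
    size_t v = 0;
    if (*s < '0' || *s > '9') return false;
    for (; *s >= '0' && *s <= '9'; s++) {
        v = v * 10 + (size_t)(*s - '0');
        if (v >= TV_SIZE) return false;
    }
    *out = v;
    return true;
}

/* Only a validated index ever reaches the store into the vector. */
static bool set_trace(unsigned char *tv, const char *category, unsigned char level)
{
    size_t idx;
    if (!parse_checked(category, &idx)) return false;
    tv[idx] = level;
    return true;
}

int main(void)
{
    unsigned char tv[TV_SIZE] = {0};
    printf("flawed accepts: %d, hardened accepts: %d\n",
           accepts_flawed("4294967295"), set_trace(tv, "4294967295", 1));
    return 0;
}
```

The flawed check accepts the wrapped value because a negative index is always below the upper bound; the hardened path never produces a negative or wrapped index in the first place.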

Impact:   A local user can invoke sendmail and cause arbitrary code to be executed with root level privileges, giving the user root level access on the system.
Solution:   The vendor has released a fix for OpenLinux. See the Source Message for the vendor's advisory containing directions on how to obtain the appropriate fix.
Vendor URL:  www.sendmail.org/
Cause:   Input validation error
Underlying OS:  Linux (Caldera/SCO)

Message History:   This archive entry is a follow-up to the message listed below.
Aug 21 2001 Sendmail Command Line Debugging Validation Flaw Lets Local Users Execute Arbitrary Code and Gain Root Privileges



 Source Message Contents

Subject:  Security Update [CSSA-2001-032.0] Linux - sendmail instant root exploit


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________
		   Caldera International, Inc.  Security Advisory

Subject:		Linux - sendmail instant root exploit
Advisory number: 	CSSA-2001-032.0
Issue date: 		2001, August 24
Cross reference:
______________________________________________________________________________


1. Problem Description

   Sendmail contains an input validation error, so local users may be
   able to write arbitrary data to process memory, possibly allowing the
   execution of code/commands with elevated privileges. This allows
   a local attacker to gain access to the root account.


2. Vulnerable Versions

   System                       Package
   -----------------------------------------------------------
   OpenLinux 2.3                 not vulnerable                
   
   OpenLinux eServer 2.3.1       not vulnerable                
   and OpenLinux eBuilder                                      
   
   OpenLinux eDesktop 2.4        not vulnerable                
   
   OpenLinux Server 3.1          All packages previous to      
                                 sendmail-8.11.1-4             
   
   OpenLinux Workstation 3.1     All packages previous to      
                                 sendmail-8.11.1-4             
   
3. Solution

   Workaround

     none

   The proper solution is to upgrade to the latest packages.

4. OpenLinux 2.3

    not vulnerable

5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0

    not vulnerable

6. OpenLinux eDesktop 2.4

    not vulnerable

7. OpenLinux 3.1 Server

    7.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS

   7.2 Verification

       b4fda9679325022adda547f1b3fae8dc  RPMS/sendmail-8.11.1-4.i386.rpm
       f3eaef00ae6a7cb30635baf6ad13325a  RPMS/sendmail-cf-8.11.1-4.i386.rpm
       1f17f7fa698748eb5bc6e55951948451  RPMS/sendmail-doc-8.11.1-4.i386.rpm
       c3f6af83c406174b325aa28af45c51ae  SRPMS/sendmail-8.11.1-4.src.rpm
       

   7.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh sendmail-8.11.1-4.i386.rpm \
              sendmail-cf-8.11.1-4.i386.rpm \
              sendmail-doc-8.11.1-4.i386.rpm
         

8. OpenLinux 3.1 Workstation

    8.1 Location of Fixed Packages

       The upgrade packages can be found on Caldera's FTP site at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

       The corresponding source code package can be found at:

       ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS

   8.2 Verification

       b4fda9679325022adda547f1b3fae8dc  RPMS/sendmail-8.11.1-4.i386.rpm
       f3eaef00ae6a7cb30635baf6ad13325a  RPMS/sendmail-cf-8.11.1-4.i386.rpm
       1f17f7fa698748eb5bc6e55951948451  RPMS/sendmail-doc-8.11.1-4.i386.rpm
       c3f6af83c406174b325aa28af45c51ae  SRPMS/sendmail-8.11.1-4.src.rpm
       

   8.3 Installing Fixed Packages

       Upgrade the affected packages with the following commands:

         rpm -Fvh sendmail-8.11.1-4.i386.rpm \
              sendmail-cf-8.11.1-4.i386.rpm \
              sendmail-doc-8.11.1-4.i386.rpm
         
9. References

   This and other Caldera security resources are located at:

   http://www.caldera.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 10420.


10. Acknowledgements
   
   Caldera International wishes to thank Cade Cairns of SecurityFocus for
   spotting and reporting this bug.

11. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of
   any of the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera OpenLinux.
______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7hkR118sy83A/qfwRAhnIAKCIreoX1Q9YGckNoe+8OIV+nMQ7EgCgrTUb
IVWxs0rkZez6V45KDWZ27A8=
=4/NJ
-----END PGP SIGNATURE-----



 
 



Copyright 2020, SecurityGlobal.net LLC