SecurityTracker.com
Category:   Application (E-mail Server)  >   Sendmail Vendors:   Sendmail Consortium
(Caldera Issues Fix for OpenLinux) Sendmail Security Holes Let Local Users Obtain Elevated Privileges on the System, Access the E-mail Queue, and Cause Information Loss
SecurityTracker Alert ID:  1002547
SecurityTracker URL:  http://securitytracker.com/id/1002547
CVE Reference:   CVE-2001-0713, CVE-2001-0714, CVE-2001-0715
Updated:  Dec 1 2003
Original Entry Date:  Oct 16 2001
Impact:   Denial of service via local system, Disclosure of system information, Disclosure of user information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 8.12.0 and prior
Description:   BindView's RAZOR security team warned of multiple vulnerabilities in Sendmail. The security holes allow a local user to obtain elevated privileges on the system.

Several vulnerabilities were reported:

1) It is reported that a programming error in version 8.12.0 caused Sendmail to fail to drop extra privileges and run at the user level when processing untrusted, user-supplied configurations. The software reportedly retains the saved group id (gid) of 'smmsp'. A local user can call the setregid() function to regain these 'dropped' privileges. To do this, the local user must take control of Sendmail. RAZOR reports that that can be done by exploiting various aspects of the configuration file parsing code, as described in the Source Message.

Once the local user has gained control of the Sendmail process, the local user can issue the setregid() system call and gain smmsp group access permissions. With these group privileges, the local user can access and modify the user-level queue (/var/spool/clientmqueue), reading or modifying the mail of other users. It may also be possible to obtain elevated privileges (root level group id of "0") via methods vaguely described in the Source Message.

2) It is reported that a programming bug in Sendmail allows a local user to specify mail delivery options that will be inadvertently processed by Sendmail. For example, the local user can force Sendmail to drop queue contents by setting initial message hop count above the limit with the following command:

sendmail -q -h1000

Specific queue entries can apparently be targeted using parameters such as -qR and -qS. This can lead to data loss.

Sendmail systems that do not permit users to run the queue (RestrictQRun option) are not affected by this vulnerability.

3) Information may reportedly be leaked in debug mode. A local user can use debugging flags to obtain the complete mail system configuration and gather potentially sensitive information about the mail queue (e.g., full message path, subject, mail software), such as with the following command:

sendmail -q -d0-nnnn.xxx

where nnnn and xxx specify debugging levels.

It is reported that Sendmail systems that do not allow users to run the queue (RestrictQRun option) are not affected by this vulnerability.

Impact:   A local user could gain elevated privileges ('smmsp' group privileges) and access the client mail queue. A local user can cause Sendmail to drop queue contents. A local user can also gain information about the sendmail configuration.
Solution:   The vendor has described a workaround to fix the issue:

For OpenLinux 2.3, OpenLinux eServer 2.3.1 and OpenLinux eDesktop 2.4:

In /etc/sendmail.cf, change the line:

O PrivacyOptions=authwarnings

to read:

O PrivacyOptions=authwarnings,restrictqrun

For OpenLinux Workstation and Server 3.1:

In /etc/mail/sendmail.cf, change the line:

O PrivacyOptions=authwarnings,noexpn,novrfy,noetrn,noverb

to read:

O PrivacyOptions=authwarnings,noexpn,novrfy,noetrn,noverb,restrictqrun
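Added example (not code from SecurityTracker or Caldera): a small Python audit of the workaround above. It parses the `O PrivacyOptions=` line of a sendmail.cf, reports whether restrictqrun is set, and returns the corrected text; it covers both the 2.3/2.4 and 3.1 forms shown on this page and any other flag list. Assumptions: the long-form `O PrivacyOptions=` syntax used on this page, and case-insensitive matching of the flag names, which is how sendmail compares them.

```python
import re
import sys

# Constructed sample: the OpenLinux 3.1 line quoted in the advisory, with two
# unrelated options around it so the rewrite can be checked for collateral edits.
SAMPLE_CF = """\
O QueueDirectory=/var/spool/mqueue
O PrivacyOptions=authwarnings,noexpn,novrfy,noetrn,noverb
O LogLevel=9
"""

# Long-form option line as used on this page. Option and flag names are matched
# case-insensitively (assumption: sendmail compares privacy flag names that way).
PRIVACY_RE = re.compile(
    r"^(O[ \t]+PrivacyOptions[ \t]*=[ \t]*)(.*?)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)

def privacy_flags(cf_text):
    """Return the PrivacyOptions flags lower-cased, or None if the option line is absent."""
    m = PRIVACY_RE.search(cf_text)
    if m is None:
        return None
    return [f.strip().lower() for f in m.group(2).split(",") if f.strip()]

def queue_runs_restricted(cf_text):
    """True when ordinary users cannot run the queue (the mitigation for issues 2 and 3)."""
    flags = privacy_flags(cf_text)
    return flags is not None and "restrictqrun" in flags

def add_restrictqrun(cf_text):
    """Return cf_text with restrictqrun appended to PrivacyOptions; unchanged if already set."""
    if queue_runs_restricted(cf_text):
        return cf_text
    m = PRIVACY_RE.search(cf_text)
    if m is None:
        # Refuse to guess where the line belongs; the administrator should add it explicitly.
        raise ValueError("no 'O PrivacyOptions=' line found")
    current = m.group(2).strip()
    new_value = current + ",restrictqrun" if current else "restrictqrun"
    return cf_text[:m.start()] + m.group(1) + new_value + cf_text[m.end():]

if __name__ == "__main__":
    # Usage: python check_restrictqrun.py /etc/mail/sendmail.cf  (prints the corrected file)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CF
    print("restrictqrun set:", queue_runs_restricted(text))
    sys.stdout.write(add_restrictqrun(text))
```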

Vendor URL:  www.sendmail.org/
Cause:   State error
Underlying OS:  Linux (Caldera/SCO)

Message History:   This archive entry is a follow-up to the message listed below.
Oct 2 2001 Sendmail Security Holes Let Local Users Obtain Elevated Privileges on the System, Access the E-mail Queue, and Cause Information Loss



 Source Message Contents

Subject:  Security Update: [CSSA-2001-34.0] Linux: sendmail queue run privilege problem



______________________________________________________________________________
		   Caldera International, Inc.  Security Advisory

Subject:		Linux - sendmail queue run privilege problem
Advisory number: 	CSSA-2001-034.0
Issue date: 		2001, October 05
Cross reference:
______________________________________________________________________________


1. Problem Description

   There is a permission problem in the default setup of sendmail in all
   OpenLinux versions, which allows a local attacker to cause a denial
   of service attack effectively stopping delivery of all mails from
   the current system.

   This vulnerability also allows a local attacker to read the full headers
   of all mails in the mail queue.


2. Vulnerable Versions

   All sendmail versions on currently supported OpenLinux product are
   vulnerable.


3. Solution

   There are no fixed packages available.

   Workaround:

    OpenLinux 2.3, OpenLinux eServer 2.3.1 and OpenLinux eDesktop 2.4:

	In /etc/sendmail.cf, change the line:

	  O PrivacyOptions=authwarnings

	to read:

	  O PrivacyOptions=authwarnings,restrictqrun


    OpenLinux Workstation and Server 3.1:

	In /etc/mail/sendmail.cf, change the line:

	  O PrivacyOptions=authwarnings,noexpn,novrfy,noetrn,noverb

	to read:

	  O PrivacyOptions=authwarnings,noexpn,novrfy,noetrn,noverb,restrictqrun


4. References

   This and other Caldera security resources are located at:

   http://www.caldera.com/support/security/index.html

   This security fix closes Caldera's internal Problem Report 10576.


5. Disclaimer

   Caldera International, Inc. is not responsible for the misuse of
   any of the information we provide on this website and/or through our
   security advisories. Our advisories are a service to our customers
   intended to promote secure installation and use of Caldera OpenLinux.


11. Acknowledgements

   Caldera International wishes to thank Michal Zalewski for pointing out
   this problem.

______________________________________________________________________________



_______________________________________________
Linux-security mailing list
Linux-security@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-security