SecurityTracker.com
Category:   Application (E-mail Server)  >   Sendmail
Vendors:   Sendmail Consortium
(IBM Issues E-Fix) Re: Sendmail Prescan Flaw May Let Remote Users Execute Arbitrary Code With Root Privileges
SecurityTracker Alert ID:  1007770
SecurityTracker URL:  http://securitytracker.com/id/1007770
CVE Reference:   CVE-2003-0694
Date:  Sep 21 2003
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 8.12.9 and prior versions
Description:   A vulnerability was reported in Sendmail. A local or remote user may be able to execute arbitrary code on the target system.

It is reported that the prescan() function in 'parseaddr.c' contains a flaw that is different from the previously reported prescan flaw. The report states that various exploit methods are possible, but these methods were not disclosed.

The report indicates that local exploitation of this flaw is confirmed and that remote exploitation is believed to be possible.

Impact:   A local or remote user may be able to execute arbitrary code with the privileges of the sendmail process.
Solution:   IBM plans to issue the following fixes:

APAR number for AIX 4.3.3: IY48659 (available approx. 10/03/03)
APAR number for AIX 5.1.0: IY48658 (available approx. 10/15/03)
APAR number for AIX 5.2.0: IY48657 (available approx. 10/29/03)

IBM reports that fixes will not be provided for versions prior to 4.3, so affected customers running versions prior to 4.3 should upgrade to 4.3.3, 5.1.0, or 5.2.0 with the latest maintenance level.

IBM has issued temporary fixes for AIX 4.3.3, 5.1.0, and 5.2.0, available at:

ftp://aix.software.ibm.com/aix/efixes/security/sendmail_4_efix.tar.Z

Vendor URL:  www.sendmail.org/8.12.10.html
Cause:   Boundary error
Underlying OS:  UNIX (AIX)
Underlying OS Comments:  4.3.3, 5.1.0, 5.2.0

Message History:   This archive entry is a follow-up to the message listed below.
Sep 17 2003 Sendmail Prescan Flaw May Let Remote Users Execute Arbitrary Code With Root Privileges



 Source Message Contents

Subject:  IBM SECURITY ADVISORY


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Thu Sep 18 10:14:44 CDT 2003

===========================================================================
                            VULNERABILITY SUMMARY

VULNERABILITY:      sendmail buffer overflow vulnerability.

PLATFORMS:          AIX 4.3, 5.1 and 5.2

SOLUTION:           Apply the workaround, efix or APARs as described below.

THREAT:             A remote attacker can exploit a buffer overflow to
                     cause a denial of service attack or execute
                     arbitrary code with root privileges.

CERT CA Number:     CA-2003-25
CERT VU Number:     VU# 784980
CVE Number:         CAN-2003-0694
===========================================================================
                            DETAILED INFORMATION


I.  Description
===============

Sendmail is an MTA (mail transfer agent) that routes mail for local or
network delivery. When sendmail receives a message it translates the
format of message headers to match the requirements of the destination
system. The program determines the destination from the syntax and content
of the address field in a message header. A vulnerability in the way these
header addresses are parsed has been found. It may allow a remote attacker
to cause a denial of service or to execute arbitrary code with root
privileges. At this time, there is no known exploit for this issue in the
wild.

The sendmail daemon runs on all versions of AIX by default. To determine
if sendmail is running on your system execute the following:

# lssrc -s sendmail

If sendmail is running, the following will be displayed:

Subsystem         Group            PID     Status
  sendmail         mail             xxxx    active

Where xxxx is the pid of the sendmail process on your system.

If sendmail is not installed, the system is not vulnerable.


II. Impact
==========

A remote attacker can cause a denial of service attack or execute arbitrary
code with root privileges.


III.  Solutions
===============

A. Official Fix
IBM provides the following fixes:

       APAR number for AIX 4.3.3: IY48659 (available approx. 10/03/03)
       APAR number for AIX 5.1.0: IY48658 (available approx. 10/15/03)
       APAR number for AIX 5.2.0: IY48657 (available approx. 10/29/03)

NOTE: Fixes will not be provided for versions prior to 4.3 as
these are no longer supported by IBM. Affected customers are
urged to upgrade to 4.3.3, 5.1.0 or 5.2.0 at the latest maintenance level.

B. E-fix
Temporary fixes for AIX 4.3.3, 5.1.0 and 5.2.0 systems are available.

The temporary fixes can be downloaded via ftp from:

      ftp://aix.software.ibm.com/aix/efixes/security/sendmail_4_efix.tar.Z

The efix compressed tarball contains three fixes: one each for
AIX 4.3.3, AIX 5.1.0 and AIX 5.2.0. It also includes this Advisory
and a README file with installation instructions.

Verify you have retrieved this efix intact:
-------------------------------------------------
There are 3 fix-files in this package for the 4.3.3, 5.1.0, 5.2.0
releases. The checksums below were generated using the "sum" and
"md5" commands and are as follows:

Filename       sum (checksum, blocks)   md5
=================================================================
sendmail.433   04403   429    bbdb5749e1eb609dacaa7def9df6d3e6
sendmail.510   10028  1060    59ed7f536fcc51c168b8781e960a02c3
sendmail.520   31857  1008    7e94f632b294ed092e68e20c80cb117c

These sums should match exactly; if they do not, double check the
command results and the download site address. If those are OK,
contact IBM AIX Security at security-alert@austin.ibm.com and describe
the discrepancy.
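The check above, scripted so that all three files are compared in one pass and a missing file counts as a failure rather than a pass. This is an added example, not part of IBM's efix package or README. It assumes the table rows are pasted verbatim into a manifest file (name, checksum, block count, md5) and that one of md5sum, md5 or openssl is on PATH; the manifest file name and the helper names are the example's own.

```shell
#!/bin/sh
# Verify the unpacked efix files against the MD5 column of the advisory
# table. Added example; not IBM's code. Assumes a manifest containing the
# table rows verbatim and an MD5 tool on PATH (md5sum, md5 or openssl).

# Print the bare MD5 digest of a file, whichever tool is available.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        # BSD-style "MD5 (file) = digest" or a bare digest both reduce to the digest.
        md5 "$1" | sed 's/^.*= //'
    else
        openssl dgst -md5 "$1" | sed 's/^.*= //'
    fi
}

# verify_efix MANIFEST DIR
# Walks every table row in MANIFEST; lines whose fourth field is not a
# 32-character hex digest (the header and the rule) are skipped. Exit
# status is 0 only if every listed file is present in DIR and matches.
verify_efix() {
    manifest=$1; dir=$2; rc=0
    while read -r name _sum _blocks expected _rest; do
        case $expected in *[!0-9a-f]*|'') continue ;; esac
        [ ${#expected} -eq 32 ] || continue
        f="$dir/$name"
        if [ ! -f "$f" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        actual=$(md5_of "$f")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name $actual"
        else
            echo "MISMATCH $name expected $expected got $actual"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Usage on the unpacked package (table rows saved to advisory_table.txt):
#   verify_efix advisory_table.txt /tmp/efix/sendmail_4_efix
```

The digests are only as trustworthy as the advisory that carries them: the package is fetched over plain FTP, so verify the PGP signature on the advisory text (for example with gpg --verify) before copying the table out of it, otherwise a tampered package and a tampered table would agree with each other.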

IMPORTANT: Create a mksysb backup of the system and verify it is
both bootable and readable before proceeding.

These temporary fixes have not been fully regression tested; thus,
IBM does not warrant the fully correct functioning of the efix.
Customers install the efix and operate the modified version of AIX
at their own risk.

Efix Installation Instructions:
-------------------------------
Detailed installation instructions can be found in the README file
supplied in the efix package. These instructions are summarized below.

You need to have the following filesets installed. This ensures that
the proper versions of co-requisite system files, such as libc.a, are
installed:

For AIX 4.3.3:
bos.net.tcp.client.4.3.3.90

For AIX 5.1.0:
bos.net.tcp.client.5.1.0.55

For AIX 5.2.0:
bos.net.tcp.client.5.2.0.14

You can determine which fileset is installed by executing
the following:

    # lslpp -L bos.net.tcp.client


1. Create a temporary efix directory and move to that directory.
    # mkdir /tmp/efix
    # cd /tmp/efix

2. Move the efix to /tmp/efix, uncompress it and un-tar the resulting
    tarfile. Move to the fix directory.
    # cp PATH_TO_EFIX /tmp/efix     # where PATH_TO_EFIX is the fully
                                    # qualified path to the efix package.
    # uncompress sendmail_4_efix.tar.Z
    # tar xvf sendmail_4_efix.tar
    # cd sendmail_4_efix

3. Rename the patched binary file appropriate for your system and set
    ownership and permissions.
    # mv sendmail.xxx sendmail      # where xxx is 433, 510 or 520
    # chown root.system sendmail
    # chmod 6551 sendmail

4. Create a backup copy of original binary. Remove all
    permissions from the backup copy.
    # cd /usr/sbin
    # cp sendmail sendmail.orig
    # chmod 0 sendmail.orig

5. Stop sendmail.
    # stopsrc -s sendmail

6. Replace the current system binary with the patched
    binary. Use the -p option to preserve the file
    permissions set in step 3.
    # cp -p /tmp/efix/sendmail_4_efix/sendmail /usr/sbin/sendmail

7. Restart sendmail.
    # startsrc -s sendmail -a "-bd -q15"

    The -bd flag starts sendmail as a daemon running in the
    background as a Simple Mail Transfer Protocol (SMTP) mail router.

    The -q15 flag tells the sendmail daemon to process the queue every
    15 minutes.

    It may be desirable to initialize sendmail differently on the
    system being patched. Modify the flags accordingly.
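The checks from Section I and the seven steps above, collected into one script with the prerequisite-fileset comparison automated and a rollback path kept for the untested binary. This is an added example and not IBM's README. Two things it assumes that the advisory does not state: that oslevel prints the release as V.R.M.F (for example 4.3.3.0), and that lslpp -Lc prints colon-separated records with the fileset name in field 2 and its level in field 3. EFIX_DIR and the function names are the example's own.

```shell
#!/bin/sh
# Scripted form of the Section I check and the Section III.B efix steps.
# Added example, not IBM's README. Assumptions not stated in the advisory:
# "oslevel" prints V.R.M.F (e.g. 4.3.3.0); "lslpp -Lc" prints colon-separated
# records, fileset name in field 2, level in field 3. Only install_efix and
# rollback_efix touch the system; the helpers are plain shell.

EFIX_DIR=${EFIX_DIR:-/tmp/efix/sendmail_4_efix}

# Read "lssrc -s sendmail" output on stdin; exit 0 if the subsystem is active.
sendmail_active() {
    awk '$1 == "sendmail" && $NF == "active" { found = 1 } END { exit !found }'
}

# Map an oslevel string to the efix file and the prerequisite
# bos.net.tcp.client level listed in the advisory; exit 1 if unsupported.
efix_for_oslevel() {
    case $1 in
        4.3.3.*) echo "sendmail.433 4.3.3.90" ;;
        5.1.0.*) echo "sendmail.510 5.1.0.55" ;;
        5.2.0.*) echo "sendmail.520 5.2.0.14" ;;
        *)       return 1 ;;
    esac
}

# Field-by-field numeric comparison of two V.R.M.F strings: 0 if $1 >= $2.
# A plain string compare would rank 4.3.3.9 above 4.3.3.90.
vrmf_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Read "lslpp -Lc" output on stdin and print the installed level of fileset $1.
installed_level() {
    awk -F: -v fs="$1" '$2 == fs { print $3; exit }'
}

# Steps 3 to 7 of the advisory, preceded by the fileset prerequisite check.
install_efix() {
    sel=$(efix_for_oslevel "$(oslevel)") || { echo "unsupported AIX level" >&2; return 1; }
    set -- $sel; file=$1; need=$2
    have=$(lslpp -Lc bos.net.tcp.client | installed_level bos.net.tcp.client)
    vrmf_ge "${have:-0}" "$need" ||
        { echo "bos.net.tcp.client $have is below required $need" >&2; return 1; }
    # cp -p keeps the 6551 root.system bits set on the staged binary.
    cd "$EFIX_DIR" &&
    mv "$file" sendmail && chown root.system sendmail && chmod 6551 sendmail &&
    cp /usr/sbin/sendmail /usr/sbin/sendmail.orig && chmod 0 /usr/sbin/sendmail.orig &&
    stopsrc -s sendmail &&
    cp -p sendmail /usr/sbin/sendmail &&
    startsrc -s sendmail -a "-bd -q15"
}

# The efix is not regression tested; keep a way back to the original binary.
rollback_efix() {
    stopsrc -s sendmail &&
    chmod 6551 /usr/sbin/sendmail.orig &&
    mv /usr/sbin/sendmail.orig /usr/sbin/sendmail &&
    startsrc -s sendmail -a "-bd -q15"
}

case ${1:-} in
    status)   lssrc -s sendmail | sendmail_active && echo "sendmail daemon active" ;;
    install)  install_efix ;;
    rollback) rollback_efix ;;
esac
```

Run as `sh efix.sh status`, `sh efix.sh install` or `sh efix.sh rollback` on the AIX host after unpacking the package into EFIX_DIR. The fileset check matters because the efix binary is linked against the libc.a that ships with the listed bos.net.tcp.client level; a lower level passes the naive string test but not the numeric one.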

C. Workaround
Turn sendmail off. You can do this by executing the following:
    # stopsrc -s sendmail

Note that legitimate requests to sendmail will fail. Stopping the daemon
closes only the network path: the setuid sendmail binary remains installed
and can still be invoked locally, and local exploitation of this flaw has
been confirmed. If stopping the daemon is not feasible in your environment,
apply the efix as described in Section III B.


IV. Obtaining Fixes
===================

IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
FixDist program), or from the IBM Support Center.  For more information
on FixDist, and to obtain fixes via the Internet, please reference

         http://techsupport.services.ibm.com/rs6k/fixes.html

or send email to "aixserv@austin.ibm.com" with the word "FixDist" in the
"Subject:" line.

AIX APARs may also be downloaded from the web from the following URLs.

For 4.3.3 APARs:
           http://techsupport.services.ibm.com/rs6k/fixdb.html

For 5.1.0 APARs:
           http://techsupport.services.ibm.com/server/aix.fdc

For 5.2.0 APARs:
           http://techsupport.services.ibm.com/server/aix.fdc

To facilitate ease of ordering all security related APARs for each AIX
release, security fixes are periodically bundled into a cumulative APAR.
For more information on these cumulative APARs including last update and
list of individual fixes, send email to "aixserv@austin.ibm.com" with
the word "subscribe Security_APARs" in the "Subject:" line.


V. Acknowledgments
==================

This document was written by Shiva Persaud.


VI.  Contact Information
========================
If you would like to receive AIX Security Advisories via email, please visit:
      https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs.

Comments regarding the content of this announcement can be directed to:

      security-alert@austin.ibm.com

To request the PGP public key that can be used to encrypt new AIX
security vulnerabilities, send email to security-alert@austin.ibm.com
with a subject of "get key".

Please contact your local IBM AIX support center for any assistance.

IBM and AIX are registered trademarks of International Business
Machines Corporation.  All other trademarks are property of their
respective holders.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)

iD8DBQE/acyCcnMXzUg7txIRAoU5AKChhOW++sagHpMiRWQf5LrmGV7anQCdF/NM
JR9oODRC3HpygewC1EefMo0=
=9v4F
-----END PGP SIGNATURE-----
		


 
 


Copyright 2021, SecurityGlobal.net LLC