SecurityTracker.com
Category:   Application (E-mail Server)  >   Sendmail
Vendors:   Sendmail Consortium
(IBM Issues Fix) Re: Sendmail Prescan Flaw May Let Remote Users Execute Arbitrary Code With Root Privileges
SecurityTracker Alert ID:  1008266
SecurityTracker URL:  http://securitytracker.com/id/1008266
CVE Reference:   CVE-2003-0694
Date:  Nov 21 2003
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 8.12.9 and prior versions
Description:   A vulnerability was reported in Sendmail. A local or remote user may be able to execute arbitrary code on the target system.

It is reported that the prescan() function in 'parseaddr.c' contains a flaw [that is different from the previously reported prescan flaw]. The report states that various exploit methods are possible, but these exploit methods were not disclosed.

The report indicates that it is confirmed that a local user can exploit this flaw and it is believed that a remote user may also exploit this flaw.

Impact:   A local or remote user may be able to execute arbitrary code with the privileges of the sendmail process.
Solution:   IBM has released the following fixes:

APAR number for AIX 4.3.3: IY48659 (available)
APAR number for AIX 5.1.0: IY48658 (available)
APAR number for AIX 5.2.0: IY48657 (available)

AIX APARs are available at:

http://techsupport.services.ibm.com/server/aix.fdc

Vendor URL:  www.sendmail.org/8.12.10.html
Cause:   Boundary error
Underlying OS:  UNIX (AIX)
Underlying OS Comments:  AIX 4.3, 5.1 and 5.2

Message History:   This archive entry is a follow-up to the message listed below.
Sep 17 2003 Sendmail Prescan Flaw May Let Remote Users Execute Arbitrary Code With Root Privileges



 Source Message Contents

Subject:  IBM SECURITY ADVISORY


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Thu Sep 18 10:14:44 CDT 2003
| Updated: Fri Sep 26 15:31:02 CDT 2003
| Changed CVE Number.
| Updated APAR availability.
| Removed efix information for AIX 4.3.3.
| Removed aixserv information.
| Added eServer to trademark information.
| Updated: Tue Nov 18 16:51:37 CST 2003
| Updated Solution information.
| Updated APAR availability.
| Removed efix information for AIX 5.1.0 and 5.2.0.

===========================================================================
                            VULNERABILITY SUMMARY

VULNERABILITY:      sendmail buffer overflow vulnerability.

PLATFORMS:          AIX 4.3, 5.1 and 5.2

| Updated: Tue Nov 18 16:51:37 CST 2003
| SOLUTION:           Apply the APARs as described below.

THREAT:             A remote attacker can exploit a buffer overflow to
                     cause a denial of service attack or execute
                     arbitrary code with root privileges.

CERT CA Number:     CA-2003-25
CERT VU Number:     VU# 784980
| Updated: Fri Sep 26 15:31:02 CDT 2003
| CVE Number:       CAN-2003-0694

===========================================================================
                            DETAILED INFORMATION


I.  Description
===============

Sendmail is an MTA (mail transfer agent) that routes mail for local or
network delivery. When sendmail receives a message it translates the
format of message headers to match the requirements of the destination
system. The program determines the destination via the syntax and content
of the address field in a message header. A vulnerability that exploits
how message headers are parsed has been found. This vulnerability may allow
a remote attacker to cause a denial of service attack or execute arbitrary
code with root privileges. At this time, there is no known exploit for this
issue in the wild.

The sendmail daemon runs on all versions of AIX by default. To determine
if sendmail is running on your system execute the following:

# lssrc -s sendmail

If sendmail is running, the following will be displayed:

Subsystem         Group            PID     Status
  sendmail         mail             xxxx    active

Where xxxx is the pid of the sendmail process on your system.

If sendmail is not installed, the system is not vulnerable.


II. Impact
==========

A remote attacker can cause a denial of service attack or execute arbitrary
code with root privileges.


III.  Solutions
===============

A. Official Fix
IBM provides the following fixes:

| Updated: Fri Sep 26 15:31:02 CDT 2003
| Updated APAR availability
| Updated: Tue Nov 18 16:51:37 CST 2003
| Updated APAR availability
       APAR number for AIX 4.3.3: IY48659 (available)
       APAR number for AIX 5.1.0: IY48658 (available)
       APAR number for AIX 5.2.0: IY48657 (available)

NOTE: Fixes will not be provided for versions prior to 4.3 as
these are no longer supported by IBM. Affected customers are
urged to upgrade to 4.3.3, 5.1.0 or 5.2.0 at the latest maintenance level.

B. E-fix
| Updated: Fri Sep 26 15:31:02 CDT 2003
| Removed efix information for AIX 4.3.3.
| Updated: Tue Nov 18 16:51:37 CST 2003
| Removed efix information for AIX 5.1.0 and 5.2.0.

C. Workaround
Turn sendmail off. You can do this by executing the following:
    # stopsrc -s sendmail

Note that legitimate requests to sendmail will fail. If this is not
feasible in your environment, please apply the APARs as described in
Section III A.


IV. Obtaining Fixes
===================
| Updated: Fri Sep 26 15:31:02 CDT 2003
| Removed aixserv information.

AIX APARs may be downloaded from the following URL:
           http://techsupport.services.ibm.com/server/aix.fdc

V. Acknowledgments
==================

This document was written by Shiva Persaud.


VI.  Contact Information
========================
If you would like to receive AIX Security Advisories via email, please
visit:
      https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs.

Comments regarding the content of this announcement can be directed to:

      security-alert@austin.ibm.com

To request the PGP public key that can be used to encrypt new AIX
security vulnerabilities, send email to security-alert@austin.ibm.com
with a subject of "get key".

Please contact your local IBM AIX support center for any assistance.

| Added eServer to trademark information.
| Updated: Fri Sep 26 15:31:02 CDT 2003
eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation.  All other trademarks are property of their
respective holders.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)

iD8DBQE/uqSTcnMXzUg7txIRAtJcAJ9xVX0/mFAZDIoHvGAIv+gn7exkVwCguWrH
7aRcgJcp3ZOVIaA7Wf10YrI=
=3qKA
-----END PGP SIGNATURE-----
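
The status check from Section I and the per-release APAR list from Section III A, combined into a small triage helper. This is an added example, not part of the IBM advisory or the SecurityTracker entry: the function names and the sample `lssrc` output are constructed, and `instfix -ik` is the standard AIX query for whether an APAR is installed.

```shell
#!/bin/sh
# Added example: triage helper for the advisory above (function names are hypothetical).

# Map an AIX level string (as printed by `oslevel`) to the APAR listed in the advisory.
apar_for_level() {
    case "$1" in
        4.3.3*) echo IY48659 ;;
        5.1.0*) echo IY48658 ;;
        5.2.0*) echo IY48657 ;;
        *)      return 1 ;;   # advisory lists no fix for this level
    esac
}

# Read `lssrc -s sendmail` output on stdin and print the Status column.
# The PID column is empty when the subsystem is stopped, so take the last field.
sendmail_status() {
    awk '$1 == "sendmail" { print $NF; found = 1 }
         END { if (!found) print "absent" }'
}

# $1 = AIX level, $2 = captured `lssrc -s sendmail` output.
triage() {
    status=$(printf '%s\n' "$2" | sendmail_status)
    if [ "$status" != "active" ]; then
        echo "sendmail $status: not accepting mail; apply the APAR before starting it"
        return 0
    fi
    if apar=$(apar_for_level "$1"); then
        echo "sendmail active on AIX $1: apply APAR $apar (verify with: instfix -ik $apar)"
    else
        echo "sendmail active on AIX $1: no APAR listed; stopsrc -s sendmail or upgrade"
    fi
}

# Constructed sample output (not captured from a real system).
SAMPLE_ACTIVE='Subsystem         Group            PID     Status
 sendmail         mail             12345   active'
SAMPLE_STOPPED='Subsystem         Group            PID     Status
 sendmail         mail                     inoperative'

triage 5.2.0.0 "$SAMPLE_ACTIVE"
triage 5.1.0.0 "$SAMPLE_STOPPED"
triage 4.2.1.0 "$SAMPLE_ACTIVE"
```

On a live AIX host, pass `"$(oslevel)"` and `"$(lssrc -s sendmail)"` to `triage` in place of the samples.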


 
 

