SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   Sendmail Vendors:   Sendmail Consortium
(SCO Issues Fix for UnixWare) Sendmail Race Condition in Signal Handler May Let Remote Users Trigger a Buffer Overflow to Execute Arbitrary Code
SecurityTracker Alert ID:  1016140
SecurityTracker URL:  http://securitytracker.com/id/1016140
CVE Reference:   CVE-2006-0058   (Links to External Site)
Date:  May 23 2006
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 8.13.6
Description:   A vulnerability was reported in Sendmail. A remote user may be able to execute arbitrary code on the target system.

Under certain specific timing conditions, a remote user can send specially crafted e-mail data to the target system to exploit a race condition in a signal handler and trigger a buffer overflow. This may allow the remote user to execute arbitrary code on the target system with the privileges of the sendmail process.

ISS discovered this vulnerability.

The original advisory is available at:

http://xforce.iss.net/xforce/xfdb/24584

Impact:   A remote user can execute arbitrary code on the target system with the privileges of the sendmail process (typically root privileges).
Solution:   SCO has issued a fix for UnixWare 7.1.3 and 7.1.4.

The SCO advisory is available at:

ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.24

Vendor URL:  www.sendmail.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  UNIX (Open UNIX-SCO)
Underlying OS Comments:  UnixWare 7.1.3, 7.1.4

Message History:   This archive entry is a follow-up to the message listed below.
Mar 22 2006 Sendmail Race Condition in Signal Handler May Let Remote Users Trigger a Buffer Overflow to Execute Arbitrary Code



 Source Message Contents

Subject:  [Full-disclosure] SCOSA-2006.24 Sendmail Arbitrary Code Execution


--------------060607040301010603080703
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit


-- 
Dr. Ronald Joe Record
SCO Security Officer
rr@sco.com

--------------060607040301010603080703
Content-Type: text/plain;
 name="SCOSA-2006.24.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="SCOSA-2006.24.txt"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________


                        SCO Security Advisory


Subject:                Sendmail Arbitrary Code Execution Vulnerability
Advisory number:        SCOSA-2006.24
Issue date:             2006 May 21
Cross reference:        fz533700
                        CVE-2006-0058
______________________________________________________________________________


1. Problem Description

        Sendmail could allow a remote attacker to execute arbitrary code as
        root, caused by a signal race vulnerability. 
	
        The Common Vulnerabilities and Exposures project
        (cve.mitre.org) has assigned the name CVE-2006-0058 to
        this issue.


2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        UnixWare 7.1.3                  sendmail
                                        mailstats
                                        praliiases
                                        rmail
                                        smrsh
                                        makemap
        UnixWare 7.1.4                  sendmail
                                        mailstats
                                        praliiases
                                        rmail
                                        smrsh
                                        makemap


3. Solution

        The proper solution is to install the latest packages.


4. UnixWare 7.1.3

        4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.24


        4.2 Verification

        MD5 (p533700.713.image) = 2c33879a5f676c79efe1e78cadb2aeb8

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        4.3 Installing Fixed Binaries

        The following packages should be installed on your system before
        you install this fix:

                UnixWare 7.1.3 Maintenance Pack 5
                http://www.sco.com/support/update/download/release.php?rid=96

        Upgrade the affected binaries with the following sequence:

        Download p533700.713.image to the /var/spool/pkg directory

        # pkgadd -d /var/spool/pkg/p533700.713.image


5. UnixWare 7.1.4

        5.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.24


        5.2 Verification

        MD5 (p533700.714.image) = 0a3a7c95a68e1ca3e5916e40e9dfa0ae

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        5.3 Installing Fixed Binaries

        The following packages should be installed on your system before
        you install this fix:

                UnixWare 7.1.4 Maintenance Pack 3
                http://www.sco.com/support/update/download/release.php?rid=126

        Upgrade the affected binaries with the following sequence:

        Download p533700.714.image to the /var/spool/pkg directory

        # pkgadd -d /var/spool/pkg/p533700.714.image


6. References

        Specific references for this advisory:
                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058
                http://www.securityfocus.com/archive/1/428536/100/0/threaded
                http://www.sendmail.org/

        SCO security resources:
                http://www.sco.com/support/security/index.html

        SCO security advisories via email
                http://www.sco.com/support/forums/security.html

        This security fix closes SCO incidents fz533700.


7. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers intended
        to promote secure installation and use of SCO products.


8. Acknowledgments

        Marc Bejarano is credited with the discovery of this vulnerability.


______________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (SCO_SV)

iD8DBQFEcSxeaqoBO7ipriERAtnOAJ4l8SWkkFxTYf8T8iD9P4UFQBqX0QCfZld8
m4gPf3unHlkCKdp/9PbXL9Y=
=vpKs
-----END PGP SIGNATURE-----

--------------060607040301010603080703
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--------------060607040301010603080703--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC