95-08
Posted Sep 23, 1999

SHA-256 | 750a0b1bbe6a88cd5b240650f35da24fca8e4c380cbd1633f3361f45346d3abf

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
AA-95.08 AUSCERT Advisory
25 August, 1995
Sendmail V5 temporary file race condition
- -----------------------------------------------------------------------------

AUSCERT has received advice that a vulnerability exists in many versions of
sendmail that allows local users to read any file on the system, overwrite
or destroy files, or execute programs as any user (except root). This can
provide an avenue of attack to gain root privileges.

** An exploit for this vulnerability has been made available. AUSCERT
** recommends that the remedial action in Section 3 be performed immediately.

- -----------------------------------------------------------------------------

1. Description

There is a vulnerability in the way that some versions of sendmail
create temporary files. A race condition exists which allows users to
gain write privileges to the temporary files.

The vulnerable versions of sendmail have an incorrect umask setting
which causes temporary files to be created with overly permissive
modes. Sendmail then restricts the permissions using chmod(2); the
window between creation and chmod(2) is the race condition which allows
users to gain write access to the temporary files.

Many Version 5 based sendmails are susceptible to this vulnerability.
This may include many vendor versions. This vulnerability has been
verified for SunOS 4.1.x (patches 100377-19, 101665-04, and 102423-01).

Sites which have source code for their version of sendmail can check
for this vulnerability by examining the source code as described in
Section 3.2.

For sites which do not have source code available, it is suggested that
they assume that this vulnerability exists and follow the instructions
listed in Section 3.1.

2. Impact

By exploiting the vulnerabilities, intruders may be able to read any
file on the system, overwrite or destroy files, or run programs on the
system as any user (except root). This may ultimately lead to root
compromise.

Intruders require an account on the system to exploit this
vulnerability.

3. Workarounds

AUSCERT believes that any one of the workarounds in Sections 3.1, 3.2,
or 3.3 is sufficient to remove this vulnerability. Vendor patches may
address this vulnerability in the future (Section 3.4).

3.1 Protecting the sendmail mail queue directory

The sendmail control files are created in the mail queue directory
(generally /usr/spool/mqueue) as defined by the "OQ" configuration
option. The vulnerability may be removed by restricting general user
access to this directory. For example, as root:

# /bin/chmod 700 /usr/spool/mqueue

This action provides increased security for the mail subsystem. More
information concerning sendmail can be obtained from:

Bryan Costales, Sendmail, O'Reilly & Associates Inc., 1994 (Page 203).

and:

Evi Nemeth et al, Unix System Administration Handbook, 2nd Edition,
Prentice Hall, 1995 (Page 460).

3.2 Modifying the source code

Sites which have source code available for their version of sendmail
should check the umask setting currently used by sendmail.

Typically, the umask setting is found in main.c and looks like:

OldUmask = umask(0);

If the call to umask() specifies an argument of "0", then a race
condition may be exploited. To prevent this race condition, the
umask() setting should at least deny group and world write permissions
as the default setting. Sites should change the setting in the source
code to:

OldUmask = umask(022);

After modification, sendmail should be rebuilt and re-installed, and
all running instances of sendmail restarted.
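The following C program is an added illustration and is not code from the advisory or from sendmail. It reproduces the pattern Section 3.2 describes (umask(0), create, then chmod(2)) and reports the file mode that exists in the window before chmod(2) runs, sets it beside the advisory's umask(022) fix and a stricter owner-only/O_EXCL creation, and adds a check for the Section 3.1 queue-directory permissions. The /tmp paths are demonstration values; the "OQ" directory on a real host is typically /usr/spool/mqueue.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of an open file as another process would see them at
   this instant. Returns -1 on error. */
static int mode_now(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Vulnerable pattern from Section 3.2: umask(0), create with a permissive
   mode, restrict with chmod(2) afterwards. The value returned is the mode
   during the window between open() and chmod(), which is exactly what a
   racing local user can take advantage of. */
int create_then_chmod(const char *path)
{
    mode_t saved = umask(0);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    umask(saved);
    if (fd < 0)
        return -1;
    int window = mode_now(fd);      /* 0666: group- and world-writable */
    chmod(path, 0600);              /* too late; the window already existed */
    close(fd);
    return window;
}

/* The advisory's source fix: umask(022), so that even a 0666 creation
   request yields a file that is not group- or world-writable. */
int create_with_advisory_umask(const char *path)
{
    mode_t saved = umask(022);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    umask(saved);
    if (fd < 0)
        return -1;
    int mode = mode_now(fd);        /* 0644 */
    close(fd);
    return mode;
}

/* Stricter variant (an assumption of this example, not from the advisory):
   owner-only creation mode plus O_EXCL, so a pre-existing file or symlink
   at the path is refused and no follow-up chmod is needed at all. */
int create_restricted(const char *path)
{
    mode_t saved = umask(077);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    umask(saved);
    if (fd < 0)
        return -1;
    int mode = mode_now(fd);        /* 0600 */
    close(fd);
    return mode;
}

/* Section 3.1 check: is the queue directory closed to group and others
   (mode 700 or tighter)? Returns 1 if yes, 0 if not, -1 if it cannot be
   examined or is not a directory. */
int mqueue_dir_is_restricted(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return (st.st_mode & 077) == 0 ? 1 : 0;
}

int main(void)
{
    /* Demonstration paths; on a real host check the "OQ" directory. */
    unlink("/tmp/aa9508_demo");
    printf("create-then-chmod window mode: %04o\n", create_then_chmod("/tmp/aa9508_demo"));
    unlink("/tmp/aa9508_demo");
    printf("umask(022) creation mode:      %04o\n", create_with_advisory_umask("/tmp/aa9508_demo"));
    unlink("/tmp/aa9508_demo");
    printf("O_EXCL 0600 creation mode:     %04o\n", create_restricted("/tmp/aa9508_demo"));
    unlink("/tmp/aa9508_demo");
    printf("/usr/spool/mqueue restricted:  %d\n", mqueue_dir_is_restricted("/usr/spool/mqueue"));
    return 0;
}
```

The point of the comparison is that chmod(2) after creation cannot close a window that open(2) already opened; the mode has to be right at creation time, which is why the advisory's fix is to the umask rather than to the chmod(2) call. Restricting the queue directory (Section 3.1) removes the exposure independently, because a user who cannot enter the directory cannot reach the file during the window.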

3.3 Install sendmail Version 8.6.12 (or later)

The only versions of sendmail verified as not containing this
vulnerability are Eric Allman's sendmail Versions 8.6.10 to 8.6.12.
Sites should consider converting their sendmail to Version 8.6.12.

Versions of sendmail prior to 8.6.10 contain serious security
vulnerabilities and should be upgraded immediately to 8.6.12.

Sendmail version 8.6.12 can be obtained from:

ftp://ftp.auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu/ucb/sendmail/sendmail.8.6.12.*

Information to assist sites in converting from Sun's sendmail to
Version 8 can be found in the sendmail.8.6.12.misc.tar.Z file which is
found in the directory above.

Information to assist sites in converting from IDA sendmail to Version
8 has been released by Ben Golding and can be found in:

ftp://ftp.connect.com.au/pub/mail/sendmail.8.6.12.ida.tar.Z

3.4 Install vendor patches

Install vendor patches for sendmail as they become available. Please
note that several sendmail Version 5 vulnerabilities have been reported
to vendors recently. It is important to verify that all reported
vulnerabilities are addressed when installing patches.


- ----------------------------------------------------------------------------
AUSCERT acknowledges 8lgm for reporting this problem.
- ----------------------------------------------------------------------------

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

AUSCERT is the Australian Computer Emergency Response Team, funded by the
Australian Academic Research Network (AARNet) for its members. It is
located at The University of Queensland within the Prentice Centre.
AUSCERT is a full member of the Forum of Incident Response and Security
Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au.

This archive contains past SERT and AUSCERT Advisories, and other computer
security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au.

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Finger pgp@ftp.auscert.org.au to retrieve AUSCERT's public key

iQCVAwUBMD4/Iih9+71yA2DNAQF70wP/eyWFYNZ1hcMqMMzBM2z2tz8FXOxPtKFN
g7ANEgZxrxnJ8wemjTbWjfNpw7xLvre9kSbE3fq5w80wDoYYHco1r9RyDST7UxcI
qc5EA4j+vvEIQb58T19wBBi4KlIR8wjKTchAvXqTD/WSYtUDSJxBz3d5ULdD53Ki
wkukB6T9vfw=
=ORI2
-----END PGP SIGNATURE-----
