95-09b
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
AA-95.09b AUSCERT Advisory
22 September, 1995
SunOS 4.1.x sendmail "-oR" option vulnerability
- -----------------------------------------------------------------------------
AUSCERT has received advice that a vulnerability exists in the SunOS 4.1.x
sendmail program that allows local users to gain root privileges. Other
versions of sendmail are not vulnerable to this problem.
** This Advisory contains updated information and supersedes AA-95.09a.
A vulnerability has been reported in sendmail_wrapper version 1.5, which was
listed as a workaround in AA-95.09a. A new version (v1.6) of the wrapper
which removes the sendmail_wrapper vulnerability is now available.
This version also includes updated installation instructions that fix
problems encountered by sites where the /usr filesystem is NFS-mounted
by diskless or dataless NFS clients.
AUSCERT recommends that sites that have any version of the sendmail
wrapper prior to version 1.6 immediately upgrade. Details for obtaining the
latest version can be found in section 3.1.
** An exploit for the sendmail "-oR" option vulnerability has been made
** available. AUSCERT recommends that the remedial action in Section 3 be
** performed immediately.
- -----------------------------------------------------------------------------
1. Description
There is a vulnerability in the way that the SunOS 4.1.x version of
sendmail processes the "-oR" option. This may be exploited by local
users to gain root access.
This vulnerability has been verified to exist for SunOS 4.1.x (sendmail
patch levels up to and including 100377-19, 101665-04, and 102423-01).
AUSCERT recommends that patches addressing this vulnerability for SunOS
4.1.x sendmail be installed as soon as they are made available by Sun
Microsystems (Section 3.3).
In the absence of suitable patches, sites may either apply a workaround
solution or upgrade their sendmail to Eric Allman's 8.6.12 sendmail as
this version contains no known vulnerabilities. Note that converting
from SunOS sendmail to Version 8.6.12 sendmail may require significant
effort. The sendmail wrapper specified in Section 3.1 may be used in
the interim period.
2. Impact
Local users may gain root access.
Intruders require an account on the system to exploit this
vulnerability.
3. Workaround
AUSCERT believes that either of the workarounds provided in Section 3.1
or Section 3.2 will address this vulnerability. Vendor patches may
address this vulnerability in the future (Section 3.3).
3.1 Install sendmail wrapper
For sites that must continue using their existing SunOS sendmail, the
sendmail wrapper can be used as an interim solution. This wrapper is
available by anonymous FTP from:
ftp.auscert.org.au:/pub/auscert/tools/sendmail_wrapper.c
MD5 = f4049cc56075ddb142f5bd70a53ba341
This wrapper will provide protection against this vulnerability, in
addition to some older vulnerabilities. Please note that this wrapper
does not address all known vulnerabilities and should be considered as
a temporary workaround to this problem.
This wrapper will syslog possible attacks to facility LOG_MAIL with
severity LOG_ERR. Sites may wish to customise these values in the
sendmail wrapper or their syslog.conf files to suit their requirements.
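The wrapper pattern described in this section, as an added example; it is not AUSCERT's sendmail_wrapper.c. It assumes the original binary has been moved to the hypothetical path REAL_SENDMAIL and that site policy is to refuse any "-oR" argument from non-root callers, logging the refusal with the facility and severity named above.

```c
/* Added illustration of a setuid wrapper; NOT AUSCERT's sendmail_wrapper.c. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumptions: hypothetical location of the renamed vendor binary, and a
 * site policy of refusing "-oR" from every non-root caller. */
#define REAL_SENDMAIL "/usr/lib/sendmail.dist"  /* hypothetical path */
#define LOG_FACILITY  LOG_MAIL  /* values named in the advisory; change them */
#define LOG_SEVERITY  LOG_ERR   /* here or filter on them in syslog.conf */

/* Index of the first argument that sets option R ("-oR..."), or 0 if none.
 * The match is case-sensitive, so a lowercase "-or..." is not flagged. */
int find_oR(int argc, char *const argv[])
{
    int i;
    for (i = 1; i < argc; i++)
        if (argv[i] != NULL && strncmp(argv[i], "-oR", 3) == 0)
            return i;
    return 0;
}

/* Policy decision: 1 = hand over to the real sendmail, 0 = refuse. */
int wrapper_allows(uid_t caller, int argc, char *const argv[])
{
    if (caller == 0)
        return 1;               /* real uid root gains nothing from the bug */
    return find_oR(argc, argv) == 0;
}

int main(int argc, char *argv[])
{
    uid_t caller = getuid();    /* real uid of the invoking user */

    if (!wrapper_allows(caller, argc, argv)) {
        /* Log only the uid, never the caller-supplied argument text. */
        openlog("sendmail_wrapper", LOG_PID, LOG_FACILITY);
        syslog(LOG_SEVERITY, "refused -oR option from uid %ld", (long)caller);
        closelog();
        fprintf(stderr, "sendmail: option not permitted\n");
        return 1;
    }
    execv(REAL_SENDMAIL, argv); /* returns only on failure */
    perror(REAL_SENDMAIL);
    return 127;
}
```

Messages logged this way match the syslog.conf selector mail.err, so they can be routed to a file that is reviewed separately from routine mail logging.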
3.2 Replace SunOS sendmail with sendmail Version 8.6.12 (or later)
Replace the SunOS sendmail with Eric Allman's Version 8.6.12 sendmail.
This may require significant effort to complete. Version 8.6.12
sendmail contains no known security vulnerabilities.
Sendmail version 8.6.12 can be obtained from:
ftp://ftp.auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu/ucb/sendmail/
sendmail.8.6.12.*
Information to assist sites in converting from Sun's sendmail to
Version 8 can be found in the sendmail.8.6.12.misc.tar.Z file which is
found in the directory above.
The existing SunOS sendmail binaries (sendmail and sendmail.mx) should
be disabled by setting the permissions to mode 0700.
3.3 Install vendor patches
Install vendor patches for sendmail as they become available. Please
note that several sendmail vulnerabilities have been reported to Sun
Microsystems recently. It is important to verify that all reported
vulnerabilities are addressed when installing patches.
Sun Microsystems are testing patches for this and all previously
reported sendmail vulnerabilities. Sun Microsystems report that these
patches are expected to be available in the near future.
- ----------------------------------------------------------------------------
AUSCERT acknowledges 8lgm for reporting this problem.
- ----------------------------------------------------------------------------
If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).
AUSCERT is the Australian Computer Emergency Response Team, funded by the
Australian Academic Research Network (AARNet) for its members. It is
located at The University of Queensland within the Prentice Centre.
AUSCERT is a full member of the Forum of Incident Response and Security
Teams (FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Finger pgp@ftp.auscert.org.au to retrieve AUSCERT's public key
-----END PGP SIGNATURE-----