exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

95-09b

95-09b
Posted Sep 23, 1999

95-09b

SHA-256 | a2c24b51ec46c5311c6b28dee8ed9d7e67693120686135ef49638cafd6242a07

95-09b

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
AA-95.09b AUSCERT Advisory
22 September, 1995
SunOS 4.1.x sendmail "-oR" option vulnerability
- -----------------------------------------------------------------------------

AUSCERT has received advice that a vulnerability exists in the SunOS 4.1.x
sendmail program that allows local users to gain root privileges. Other
versions of sendmail are not vulnerable to this problem.

** This Advisory contains updated information and supercedes AA-95.09a.

A vulnerability has been reported in sendmail_wrapper version 1.5, which was
listed as a workaround in AA-95.09a. A new version (v1.6) of the wrapper
which removes the sendmail_wrapper vulnerability is now available.

This version also includes updated installation instructions which fix
problems which have been encountered by sites which have the /usr
filesystem NFS-mounted by diskless or dataless NFS clients.

AUSCERT recommends that sites that have any version of the sendmail
wrapper prior to version 1.6 immediately upgrade. Details for obtaining the
latest version can be found in section 3.1.

** An exploit for the sendmail "-oR" option vulnerability has been made
** available. AUSCERT recommends that the remedial action in Section 3 be
** performed immediately.

- -----------------------------------------------------------------------------

1. Description

There is a vulnerability in the way that the SunOS 4.1.x version of
sendmail processes the "-oR" option. This may be exploited by local
users to gain root access.

This vulnerability has been verified to exist for SunOS 4.1.x (sendmail
patch levels up to and including 100377-19, 101665-04, and 102423-01).

AUSCERT recommends that patches addressing this vulnerability for SunOS
4.1.x sendmail be installed as soon as they are made available by Sun
Microsystems (Section 3.3).

In the absence of suitable patches, sites may either apply a workaround
solution or upgrade their sendmail to Eric Allman's 8.6.12 sendmail as
this version contains no known vulnerabilities. Note that converting
from SunOS sendmail to Version 8.6.12 sendmail may require significant
effort. The sendmail wrapper specified in Section 3.1 may be used in
the interim period.

2. Impact

Local users may gain root access.

Intruders require an account on the system to exploit this
vulnerability.

3. Workaround

AUSCERT believes that either workaround provided in Sections 3.1 or
Section 3.2 will address this vulnerability. Vendor patches may
address this vulnerability in the future (Section 3.3).

3.1 Install sendmail wrapper

For sites that must continue using their existing SunOS sendmail, the
sendmail wrapper can be used as an interim solution. This wrapper is
available by anonymous FTP from:

ftp.auscert.org.au:/pub/auscert/tools/sendmail_wrapper.c
MD5 = f4049cc56075ddb142f5bd70a53ba341

This wrapper will provide protection against this vulnerability, in
addition to some older vulnerabilities. Please note that this wrapper
does not address all known vulnerabilities and should be considered as
a temporary workaround to this problem.

This wrapper will syslog possible attacks to facility LOG_MAIL with
severity LOG_ERR. Sites may wish to customise these values in the
sendmail wrapper or their syslog.conf files to suit their requirements.

3.2 Replace SunOS sendmail with sendmail Version 8.6.12 (or later)

Replace the SunOS sendmail with Eric Allman's Version 8.6.12 sendmail.
This may require significant effort to complete. Version 8.6.12
sendmail contains no known security vulnerabilities.

Sendmail version 8.6.12 can be obtained from:

ftp://ftp.auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu/ucb/sendmail/
sendmail.8.6.12.*

Information to assist sites in converting from Sun's sendmail to
Version 8 can be found in the sendmail.8.6.12.misc.tar.Z file which is
found in the directory above.

The existing SunOS sendmail binaries (sendmail and sendmail.mx) should
be disabled by setting the permissions to mode 0700.

3.3 Install vendor patches

Install vendor patches for sendmail as they become available. Please
note that several sendmail vulnerabilities have been reported to Sun
Microsystems recently. It is important to verify that all reported
vulnerabilities are addressed when installing patches.

Sun Microsystems are testing patches for this and all previously
reported sendmail vulnerabilities. Sun Microsystems report that these
patches are expected to be available in the near future.

- ----------------------------------------------------------------------------
AUSCERT acknowledges 8lgm for reporting this problem.
- ----------------------------------------------------------------------------

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

AUSCERT is the Australian Computer Emergency Response Team, funded by the
Australian Academic Research Network (AARNet) for its members. It is
located at The University of Queensland within the Prentice Centre.
AUSCERT is a full member of the Forum of Incident Response and Security
Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au.

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Finger pgp@ftp.auscert.org.au to retrieve AUSCERT's public key

iQCVAwUBMGNZBSh9+71yA2DNAQHYpwP8CabVfqFmeyhTVXjt1+Bh7i6LXoHYTWCQ
WnzhlFGc+uY6DEVPCKjSv3DBIdYk4V1PJpxlbxy0tZgq0Yf1zq69hCwIz0bAMDYs
kPvSWHO1nemeYhPfMI20AVsoBcNEWlcpsSn0wVbwg1jmt1evBCcRY7PR3db8F3ph
ez5+T9OfXrs=
=W4Mx
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close