AA-96.10.smtpd.SIGHUP.sendmail.vul
9204190f79269ed3fbb86c8aa6938830bcadfa51edfdfee026e86c140355c0e1
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-96.10 AUSCERT Advisory
smtpd-SIGHUP sendmail vulnerability
18 November 1996
Last Revised: 7 February 1997
Added vendor information pointer
- ---------------------------------------------------------------------------
AUSCERT has received information that sendmail versions 8.7.x to 8.8.2
(inclusive) contain a serious security vulnerability.
This vulnerability may allow local users to gain root privileges.
Exploit details involving this vulnerability have been widely distributed.
AUSCERT recommends that sites takes the steps outlined in Section 3
as soon as possible.
- ---------------------------------------------------------------------------
1. Description
A vulnerability exists in all versions of sendmail from 8.7.x to 8.8.2
that allows local users to gain root privileges.
A user can invoke sendmail in "daemon" mode by naming it to be "smtpd".
Due to a coding error, this bypasses the usual check that only root
can start the daemon. As of 8.7, sendmail will restart itself when
it gets a SIGHUP signal. By manipulating the environment in which
sendmail is run it is possible to force sendmail into executing an
arbitrary program with root privileges.
AUSCERT has been informed that sendmail versions prior to 8.8.x are
no longer supported. Sites using older versions of sendmail will need
to upgrade to the current version of sendmail.
Sites can determine their version of sendmail by executing:
% cat /dev/null | sendmail -d0 -bt | grep Version
2. Impact
Local users can gain root privileges.
3. Workarounds/Solution
AUSCERT recommends that sites upgrade to the current version of
sendmail (see Section 3.1).
CERT/CC have also released an advisory on this problem (CA-96.24).
This advisory contains specific vendor information and an additional
workaround that was not available at the original time of writing this
advisory. To obtain this vendor information, sites are encouraged to
retrieve CA-96.24 titled CA-96.24.sendmail.daemon.mode from:
ftp://info.cert.org/pub/cert_advisories/
ftp://ftp.auscert.org.au/pub/cert/cert_advisories/
3.1 Upgrade to current version of sendmail
Eric Allman has released a new version of sendmail (8.8.3) which fixes
this vulnerability.
There is no patch for 8.7.6. Sites running 8.7.x or previous versions
will need to upgrade to 8.8.3.
Sendmail 8.8.3 can be obtained from the following locations.
ftp://ftp.sendmail.org/ucb/src/sendmail/
ftp://ftp.cert.dfn.de/pub/tools/net/sendmail/
ftp://ftp.auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu/ucb/sendmail/
The MD5 checksum for this distribution is:
MD5 (sendmail.8.8.3.patch) = 5b550b509b98912bea453b7a2c25d378
MD5 (sendmail.8.8.3.tar.gz) = 0cb58caae93a19ac69ddd40660e01646
MD5 (sendmail.8.8.3.tar.Z) = 7f7c5463012f8d7af368a79d417c72de
- ---------------------------------------------------------------------------
AUSCERT thanks Eric Allman for his rapid response to this vulnerability
and his assistance in the preparation of this advisory.
- ---------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
7 Feb 1997 Added a pointer to CERT advisory CA-96.24 which
contained specific vendor information not previously
available.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBMvsytyh9+71yA2DNAQHeRQP/ZS8ppGN9+Us+OTvzkBESSNfjKZESmxxP
jSR64+6NR831HPgDVrAt5wsvREp9CcGy9QYV27vMgF8NUp9jtH+iAL1D02210yh4
8Ko1YiAfBQvCj0HNZyOchvLTcxRwT/5lh7RENgYFc4TknwxR+UtVYCIs0/z5a3zB
IvqBTRkw8gc=
=clQy
-----END PGP SIGNATURE-----