AA-96.06a.sendmail.8.8.0-8.8.1.Vulnerability
===========================================================================
AA-96.06a AUSCERT Advisory
sendmail 8.8.0-8.8.1 Vulnerability
18 October 1996
Last Revised:
20-Oct-1996 Updated to include Version 8.8.1 Vulnerability
---------------------------------------------------------------------------
** This Advisory contains updated information. The new version of
** sendmail released to fix the vulnerability in sendmail Version 8.8.0
** did not address the problem. A new version of sendmail, Version 8.8.2,
** has now been released.
AUSCERT has received information that sendmail Versions 8.8.0 and 8.8.1
contain a serious security vulnerability. This vulnerability allows remote
users to execute arbitrary commands on systems running the vulnerable
sendmail by sending a carefully crafted electronic mail message. Note
that this vulnerability may be exploited on systems despite the presence
of firewalls or other boundary protective measures.
---------------------------------------------------------------------------
1. Description
A serious security vulnerability in sendmail Versions 8.8.0 and 8.8.1
has been discovered that allows remote users to execute arbitrary
commands with root privileges. Versions prior to Version 8.8.0 do
not contain this vulnerability. Versions prior to 8.7.6 contain other
unrelated vulnerabilities. The vulnerability described in this
Advisory is exploited by sending a carefully crafted electronic mail
message to the system running the vulnerable version of sendmail.
This vulnerability may be exploited on systems despite the presence
of firewalls and other boundary protective measures.
Systems are vulnerable to this attack if both of the following
conditions are true:
1. The version of sendmail is 8.8.0 or 8.8.1. To determine the
version of sendmail, use the following command:
% sendmail -d0 -bt | grep Version
If the string returned is "Version 8.8.0" or "Version 8.8.1", then
this version of sendmail contains the vulnerability. Note you
can type ^D to exit this command.
2. Examine the sendmail configuration file (usually, /etc/sendmail.cf).
If the '9' flag is set in the "F=" (Flags) section for any Mailer
specifications (Sections starting with 'M' in the first column,
such as "Mprog" or "Mlocal"), then this configuration is
vulnerable. Use of the '9' flag can usually be determined using
the following command (depending on your sendmail configuration):
% grep '^M' /etc/sendmail.cf | grep '9'
If any lines are output from this command, then the sendmail
configuration may be vulnerable; confirm that the '9' appears in the
"F=" field of the matched line, since this pattern also matches a '9'
elsewhere on a Mailer line.
The use of the '9' flag in the sendmail configuration is documented
only in the Release Notes. This flag is set by default if the
sendmail.cf file was generated from the sendmail Version 8.8.x
distribution files using m4(1). Previous versions of sendmail did
not set this flag by default when the sendmail.cf file was generated.
The '9' flag is also set by default in the precompiled example
configuration files found in the cf/cf/obj/ subdirectory of the
sendmail Version 8.8.x distribution.
2. Impact
Remote users may execute arbitrary commands as root on systems using
the vulnerable sendmail. This may be leveraged to gain root access.
3. Workarounds/Solution
AUSCERT recommends that sendmail Version 8.8.2 be installed immediately
(see Section 3.1). For sites that cannot install sendmail Version
8.8.2 immediately, apply the workaround described in Section 3.2.
3.1 Upgrade to sendmail version 8.8.2.
Eric Allman has released a new version of sendmail which fixes this
vulnerability. This can be obtained from the following locations:
ftp://ftp.sendmail.org/ucb/src/sendmail/
ftp://ftp.auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu/ucb/sendmail/
ftp://ftp.cert.dfn.de/pub/tools/net/sendmail/
ftp://ftp.cert.org/pub/tools/sendmail/
The MD5 checksums for this distribution are:
MD5 (sendmail.8.8.2.patch) = a3fdf7ea9967064e2b00f7796a87dfd9
MD5 (sendmail.8.8.2.tar.gz) = 7ba82d2008a40337bc5828a77694f66e
MD5 (sendmail.8.8.2.tar.sig) = 3b1765110818cf1ab3cec33e825479cb
MD5 (sendmail.8.8.2.tar.Z) = 183b7d3461af7735bf2f9b2c17526476
3.2 Workaround for existing sendmail Version 8.8.0 and 8.8.1 installations
AUSCERT has been advised that the following workaround removes the
vulnerability described in this Advisory.
The /etc/sendmail.cf file should be modified to remove the use of the
'9' flag for all Mailer specifications (lines starting with 'M').
For example, the sendmail.cf file should look similar to (depending
on your system and configuration):
Mlocal, P=/usr/libexec/mail.local, F=lsDFMAw5:/|@qrmn, S=10/30, R=20/40,
        T=DNS/RFC822/X-Unix,
        A=mail -d $u
Mprog,  P=/bin/sh, F=lsDFMoqeu, S=10/30, R=20/40,
        D=$z:/,
        T=X-Unix,
        A=sh -c $u
This can be achieved for the "Mlocal" and "Mprog" Mailers by modifying
the ".mc" file to include the following lines:
define(`LOCAL_MAILER_FLAGS',
       ifdef(`LOCAL_MAILER_FLAGS',
             `translit(LOCAL_MAILER_FLAGS, `9')',
             `rmn'))
define(`LOCAL_SHELL_FLAGS',
       ifdef(`LOCAL_SHELL_FLAGS',
             `translit(LOCAL_SHELL_FLAGS, `9')',
             `eu'))
and then rebuilding the sendmail.cf file using m4(1).
It is possible to directly edit the sendmail.cf file to resolve this
vulnerability. However, caution must be taken to ensure that the
sendmail.cf file is not replaced in the future with a new version
rebuilt from configuration files that include the '9' flag.
Once the configuration file has been modified, all running versions
of sendmail should be killed and the sendmail daemon restarted, or
the system rebooted, for these changes to take effect.
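As an added example (not part of the AUSCERT advisory), the following shell script carries out the Section 1 check and the Section 3.2 workaround more precisely than the one-line grep: it joins each Mailer specification's continuation lines and tests only the "F=" field for '9', then emits a copy of the configuration with '9' removed from "F=" alone. It assumes a POSIX awk and runs against a constructed sample configuration embedded in the script; pass a real sendmail.cf path instead of the sample to check a live system.

```shell
# Added example, not from the AUSCERT advisory.  `grep '^M' sendmail.cf | grep '9'`
# also matches a '9' anywhere on a Mailer line (a path, an L=990 limit), so this
# joins each Mailer spec's continuation lines and inspects only its F= field.
# Print "<mailer> <flags>" for each Mailer whose F= flags contain '9' ($1 or stdin).
vulnerable_mailers() {
    awk '
        function emit(   n, i, fld, flags, name) {
            if (spec == "") return
            n = split(spec, fld, /,[ \t]*/)        # Mname, P=..., F=..., ...
            name = substr(fld[1], 2)               # drop the leading "M"
            for (i = 2; i <= n; i++)
                if (fld[i] ~ /^F=/) flags = substr(fld[i], 3)
            if (index(flags, "9") > 0) print name, flags
            spec = ""
        }
        /^M/                   { emit(); spec = $0; next }
        /^[ \t]/ && spec != "" { sub(/^[ \t]+/, " "); spec = spec $0; next }
        { emit() }
        END { emit() }
    ' "$@"
}
# Emit the configuration with '9' removed from the F= field of every Mailer
# spec and nothing else changed (the Section 3.2 workaround on sendmail.cf).
strip_nine_flag() {
    awk '
        /^M/       { inm = 1 }
        !/^[M \t]/ { inm = 0 }                     # any other line ends a spec
        inm && match($0, /F=[^,]*/) {
            f = substr($0, RSTART, RLENGTH); gsub(/9/, "", f)
            $0 = substr($0, 1, RSTART - 1) f substr($0, RSTART + RLENGTH)
        }
        { print }
    ' "$@"
}

# Constructed sample, not a real sendmail.cf: Mlocal carries '9' in F=, while
# Msmtp has a '9' only in L=990, which the one-line grep would also report.
SAMPLE_CF=$(mktemp)
trap 'rm -f "$SAMPLE_CF"' EXIT
cat > "$SAMPLE_CF" <<'EOF'
Mlocal, P=/usr/libexec/mail.local, F=lsDFMAw5:/|@qrmn9, S=10/30, R=20/40,
        T=DNS/RFC822/X-Unix,
        A=mail -d $u
Msmtp,  P=[IPC], F=mDFMuX, S=11/31, R=21, E=\r\n, L=990,
        T=DNS/RFC822/SMTP,
        A=IPC $h
EOF
vulnerable_mailers "$SAMPLE_CF"                    # local lsDFMAw5:/|@qrmn9
strip_nine_flag "$SAMPLE_CF" | vulnerable_mailers  # prints nothing
```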
4. Additional Measures
This section describes some additional measures for increasing the
security of sendmail in general. It is unrelated to the vulnerability
described in this Advisory. Sites must apply the Workarounds/Solution
described in Section 3 first, and then optionally apply additional
measures described in this Section.
4.1 Restrict Ability to Mail to Programs
If the ability to send electronic mail to programs (for example,
vacation programs) is not required, this feature should be disabled.
This is achieved by modifying the "Mprog" line in the configuration
file to mail to "/bin/false" rather than "/bin/sh". The following
line in the ".mc" file will achieve this:
define(`LOCAL_SHELL_PATH', `/bin/false')dnl
If mailing to programs is required, it is recommended that the sendmail
restricted shell, smrsh, be used at all times. This applies to all
versions of sendmail, including vendor versions. smrsh is supplied
with the sendmail 8.8.2 distribution and includes documentation and
installation instructions.
---------------------------------------------------------------------------
AUSCERT thanks Eric Allman for his rapid response to this vulnerability,
and Wolfgang Ley from the DFN-CERT team for technical input to this
Advisory.
---------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
20-Oct-1996. Revision a. Sendmail Version 8.8.1 did not adequately
address the problem. A new version (8.8.2) has now been released.
Advisory updated to reflect these changes. Added ftp.cert.org to
mirror site as Version 8.8.2 is now there.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~