-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

	           Vulnerability in SunOS 4.1.* Sendmail (-oR option)

September 8, 1995 1200 PDT                                          Number F-28
_______________________________________________________________________________

PROBLEM:        A vulnerability exists in SunOS 4.1.* systems that could allow
		an intruder to exploit a vulnerability in the way sendmail(8)
		uses the -oR option
PLATFORM:	SunOS 4.1.* based systems
DAMAGE:         Users logged into a system may gain unauthorized root
		privileges.
SOLUTION:       See the notes below
AVAILABILITY:	See the notes below
_______________________________________________________________________________

VULNERABILITY   Unprivileged users who are logged on to a system can use this 
ASSESSMENT:     vulnerability to gain unauthorized root privileges.  An 
		exploit program for this vulnerability has been published
		by 8lgm. CIAC advises that one of the workarounds described 
		below be performed immediately.
_______________________________________________________________________________

	  CRITICAL Information on the sendmail -oR vulnerability in SunOS

CIAC has received information that a vulnerability has been identified in
the sendmail(8) program on SunOS 4.1.X systems that can be exploited to gain
root access.  The basic problem involves misusing the -oR option in sendmail
which uses popen().

Detailed Description
____________________

sendmail(8) on SunOS 4.1.X systems when using the -oR option, uses popen()
to return undeliverable mail.  Local unprivileged users can use this
to obtain root access.  This vulnerability has been verified as being present
in Sun sendmail including the current patches (currently at 100377-19 (4.1.3),
101665-04 (4.1.3_U1), 102423-01 (4.1.4)) as of the time of this printing.

A vulnerability script to exploit this bug has been released to the public.

WORKAROUNDS
___________

CIAC recommends that you apply patches for this vulnerability when they
become available from Sun Microsystems.  At the time of this printing, 
patches were not available, but in final testing.

One workaround is to install Eric Allman's sendmail (current version as of
printing is 8.6.12).  This version of sendmail has had many bugs fixed, but
could require significant effort to install and may require rewriting of
sendmail.cf files.  The software and documentation is available from:

		ftp://ftp.cs.berkeley.edu/ucb/sendmail

A second workaround is in the form of a sendmail "wrapper" program.  The
program was written by members of the AUSCERT team, and is also available 
from:
		ftp://ftp.cs.berkeley.edu/ucb/sendmail/sendmail_wrapper.c

This program provides workarounds for this bug as well as several others.  
This should be considered a temporary fix however, and you should install the 
Sun patches as soon as they become available.  Documentation on installation 
of this wrapper is provided in the file (sendmail_wrapper.c).

_______________________________________________________________________________

CIAC wishes to thank the AUSCERT team and 8lgm for providing information for
this bulletin. 
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security 
incident response team for the U.S. Department of Energy. CIAC is located at 
the Lawrence Livermore National Laboratory in Livermore, California. CIAC is 
also a founding member of FIRST, the Forum of Incident Response and Security 
Teams, a global organization established to foster cooperation and 
coordination among computer security teams worldwide. 

CIAC services are available to DOE and DOE contractors, and CIAC can be 
contacted at:
    Voice:    510-422-8193
    FAX:      510-423-8002
    STU-III:  510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE and DOE contractor sites may 
contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the CIAC 
voice number 510-422-8193 and leave a message, or call 800-759-7243 
(800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the 
primary PIN number, 8550070, is for the CIAC duty person, and the secondary 
PIN number, 8550074 is for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are 
available from the CIAC Computer Security Archive. 

   World Wide Web:	http://ciac.llnl.gov/
   Anonymous FTP: 	ciac.llnl.gov (128.115.19.53)
   Modem access:  	(510) 423-4753 (14.4K baud)
                  	(510) 423-3331 (9600 baud)

CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical information 
   and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) 
   software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of 
   SPI products.

Our mailing lists are managed by a public domain software package called 
ListProcessor, which ignores E-mail header subject lines. To subscribe (add 
yourself) to one of our mailing lists, send the following request as the 
E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or 
SPI-NOTES for list-name and valid information for LastName FirstName and 
PhoneNumber when sending

E-mail to	ciac-listproc@llnl.gov:
	subscribe list-name LastName, FirstName PhoneNumber
  e.g.,	subscribe ciac-notes OUHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and 
information on how to change either of them, cancel your subscription, or 
get help. 

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins.  If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations and
their constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line: send
first-contacts.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.


CIAC BULLETINS ISSUED IN FY95 (Previous bulletins available from CIAC)
(F-01)	SGI IRIX serial_ports Vulnerability
(F-02)	Summary of HP Security Bulletins
(F-03)	Restricted Distribution
(F-04)	Security Vulnerabilities in DECnet/OSI for OpenVMS
(F-05)	SCO Unix at, login, prwarn, sadc, and pt_chmod 
          Patches Available
(F-06)	Novell UnixWare sadc, urestore, and suid_exec Vulnerabilities
(F-07)	New and Revised HP Bulletins
(F-08)	Internet Address Spoofing and Hijacked Session Attacks
(F-09)	Unix /bin/mail Vulnerabilities
(F-10)	HP-UX Remote Watch
(F-11)	Unix NCSA httpd Vulnerability
(F-12)	Kerberos Telnet Encryption Vulnerability
(F-13)	Unix sendmail vulnerabilities
(F-14)	HP-UX Malicious Code Sequences
(F-15)	HP-UX "at" and "cron" vulnerabilities
(F-16)	SGI IRIX Desktop Permissions Tool Vulnerability
(F-17)	Limited Distribution
(F-18)	MPE/iX Vulnerabilities
(F-19)	Protecting HP-UX Systems Against SATAN
(F-20)	Security Administrator Tool for Analyzing Networks (SATAN)
(F-21)  Protecting SUN OS Systems Against SATAN
(F-22)  SATAN Password Disclosure
(F-23)	Protecting IBM AIX Systems Against SATAN
(F-24)  Protecting SGI IRIX Systems Against SATAN
(F-25)  Cisco IOS Router Software Vulnerability
(F-26)  OSF/DCE Security Hole
(F-27)	Incorrect Permissions on /tmp

CIAC NOTES ISSUED IN FY1995 (Previous Notes available from CIAC)
04c	December 8, 1994
05d	January 11, 1995
06	March 22, 1995
07	March 29, 1995
08	April 4, 1995
09	April 24, 1995
10a	June 16, 1995
11	July, 31, 1995

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMFCPpbnzJzdsy3QZAQGg9QP/QlLIroWTs6QZ4Nb9q6PJMvQNeahPlHvJ
PNXUN/50ExkUKrqSnqB/JLW5Vnnqzj5U7x3vWHelTRpKm6M4tDIfRGHefuBX1/d3
aBQaStTG1Fsiwvv/SOMu6FZW3uKEfEEkEmYnb05zYw58O9/q4CF8ML9n3pcmDAZM
of3U9jREmdY=
=OUd+
-----END PGP SIGNATURE-----