
[linux-security] sendmail local root exploit



Topic
=====
Local root exploit in sendmail version 8.11.x, x < 6.

Problem Description
===================
The sendmail program is installed set-uid root in most installations.
This special privilege is needed for the sendmail program
to operate properly. The attack pattern involves running sendmail to
make use of the setuid-bit. The vulnerability can be classified as a
command-line processing bug while running with extended (root) privilege.

The error itself is a result of a comparison between a signed and an
unsigned integer when checking user-supplied data from the sendmail
command line: A high unsigned value is being considered a negative
signed value. A subsequent comparison is being evaluated the wrong way.

Exploits for this vulnerability have been published.

Vulnerable Systems
==================
Unix systems that run sendmail versions 8.11.x, x < 6, and 8.12beta,
e.g., RedHat 7.1.

Not Affected
============
Systems that run earlier versions, e.g., 8.9.x and 8.10.x.
E.g., RedHat 6.2 (but see remark below)

Solution
========
Upgrade to sendmail 8.11.6

RedHat 7.1
----------
rpm -Fvh sendmail-8.11.6-1.7.1.i386.rpm \
         sendmail-cf-8.11.6-1.7.1.i386.rpm \
         sendmail-doc-8.11.6-1.7.1.i386.rpm

RedHat 7.0
----------
rpm -Fvh sendmail-8.11.6-1.7.0.i386.rpm \
         sendmail-cf-8.11.6-1.7.0.i386.rpm \
         sendmail-doc-8.11.6-1.7.0.i386.rpm

Mandrake 8.0
------------
rpm -Fvh sendmail-8.11.6-1.1mdk.i586.rpm \
         sendmail-cf-8.11.6-1.1mdk.i586.rpm \
         sendmail-doc-8.11.6-1.1mdk.i586.rpm

Mandrake 7.2
------------
rpm -Fvh sendmail-8.11.0-3.1mdk.i586.rpm \
         sendmail-cf-8.11.0-3.1mdk.i586.rpm \
         sendmail-doc-8.11.0-3.1mdk.i586.rpm

Caldera OpenLinux 3.1
---------------------
rpm -Fvh sendmail-8.11.1-4.i386.rpm \
         sendmail-cf-8.11.1-4.i386.rpm \
         sendmail-doc-8.11.1-4.i386.rpm

Remark
======
RedHat released a new sendmail version for 6.2 as well. The reason is
unknown to me (probably consistency). You can upgrade your RH 6.2 sendmail
with:

rpm -Fvh sendmail-8.11.6-1.6.x.i386.rpm \
         sendmail-cf-8.11.6-1.6.x.i386.rpm \
         sendmail-doc-8.11.6-1.6.x.i386.rpm

A word of caution: the RedHat bugzilla database shows already (the new rpms
were released last Saturday) 3 bug reports reporting problems with the
new sendmail rpms on pre RH-7.1 systems. I just installed it on my
desktop for test purposes and everything seems to work fine. However,
I do not run a sendmail daemon on my system (no need for that at SFU).
If you do, you may run into problems with the sendmail.cf configuration
file.
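
Added example, not part of the original advisory and not sendmail's source code: a C sketch of the bug class described under Problem Description, where a high unsigned value from the command line is treated as a negative signed value and slips past an upper-bound check, next to a stricter check. TABLE_SIZE, flawed_check and strict_check are hypothetical names, and the sample inputs are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define TABLE_SIZE 100 /* hypothetical size of the table being indexed */

/* Flawed pattern: the unsigned value parsed from the command line is stored
 * in a signed int and only the upper bound is tested. On common two's
 * complement platforms a value above INT_MAX turns negative and passes.
 * Returns 1 if the index is accepted; *idx_out receives the signed index. */
int flawed_check(const char *arg, int *idx_out)
{
    unsigned int parsed = (unsigned int)strtoul(arg, NULL, 10);
    int idx = (int)parsed;          /* high unsigned value -> negative */
    *idx_out = idx;
    if (idx >= TABLE_SIZE)          /* negative idx is "less than" the size */
        return 0;
    return 1;
}

/* Hardened pattern: digits only, overflow detected, and the range test is
 * done on the unsigned value so there is no negative case to forget. */
int strict_check(const char *arg, unsigned long *idx_out)
{
    char *end;
    unsigned long parsed;

    if (arg[0] < '0' || arg[0] > '9')   /* rejects "", "-1", "+1", " 1" */
        return 0;
    errno = 0;
    parsed = strtoul(arg, &end, 10);
    if (errno == ERANGE || *end != '\0' || parsed >= TABLE_SIZE)
        return 0;
    *idx_out = parsed;
    return 1;
}

int main(void)
{
    const char *samples[] = { "7", "100", "2147483648", "4294967295" }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int s = 0;
        unsigned long u = 0;
        int f = flawed_check(samples[i], &s);
        printf("%-11s flawed=%d (idx %d) strict=%d\n",
               samples[i], f, s, strict_check(samples[i], &u));
    }
    return 0;
}
```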