Date: Tue, 21 Aug 2001 17:04:52 -0700 From: Michael Bryan <fbsd-secure@ursine.com> To: freebsd-security@freebsd.org Subject: Local Sendmail vulnerability, from BugTraq Message-ID: <3B82F724.A0436441@ursine.com>
next in thread | raw e-mail | index | archive | help
FYI, I would presume this affects FreeBSD boxes...
-----Original Message-----
From: Dave Ahmed [mailto:da@securityfocus.com]
Sent: Tuesday, August 21, 2001 9:04 AM
To: bugtraq@securityfocus.com
Subject: *ALERT* UPDATED BID 3163 (URGENCY 6.58): Sendmail Debugger
Arbitrary Code Execution Vulnerability (fwd)
This alert is being posted to Bugtraq as our public release of the
vulnerability discovered in Sendmail by Cade Cairns
<cairnsc@securityfocus.com>.
---------------------------------------------------------------------------
Security Alert
Subject: Sendmail Debugger Arbitrary Code Execution Vulnerability
BUGTRAQ ID: 3163 CVE ID: CAN-2001-0653
Published: August 17, 2001 MT Updated: August 20, 2001 MT
Remote: No Local: Yes
Availability: Always Authentication: Not Required
Credibility: Vendor Confirmed Ease: No Exploit Available
Class: Input Validation Error
Impact: 10.00 Severity: 7.50 Urgency: 6.58
Last Change: Updated packages that rectify this issue are now available
from Sendmail.
---------------------------------------------------------------------------
Vulnerable Systems:
Sendmail Consortium Sendmail 8.12beta7
Sendmail Consortium Sendmail 8.12beta5
Sendmail Consortium Sendmail 8.12beta16
Sendmail Consortium Sendmail 8.12beta12
Sendmail Consortium Sendmail 8.12beta10
Sendmail Consortium Sendmail 8.11.5
Sendmail Consortium Sendmail 8.11.4
Sendmail Consortium Sendmail 8.11.3
Sendmail Consortium Sendmail 8.11.2
Sendmail Consortium Sendmail 8.11.1
Sendmail Consortium Sendmail 8.11
Non-Vulnerable Systems:
Summary:
Sendmail contains an input validation error, may lead to the execution
of arbitrary code with elevated privileges.
Impact:
Local users may be able to write arbitrary data to process memory,
possibly allowing the execution of code/commands with elevated
privileges.
Technical Description:
An input validation error exists in Sendmail's debugging functionality.
The problem is the result of the use of signed integers in the
program's tTflag() function, which is responsible for processing
arguments supplied from the command line with the '-d' switch and
writing the values to it's internal "trace vector." The vulnerability
exists because it is possible to cause a signed integer overflow by
supplying a large numeric value for the 'category' part of the debugger
arguments. The numeric value is used as an index for the trace vector.
Before the vector is written to, a check is performed to ensure that
the supplied index value is not greater than the size of the vector.
However, because a signed integer comparison is used, it is possible to
bypass the check by supplying the signed integer equivalent of a
negative value. This may allow an attacker to write data to anywhere
within a certain range of locations in process memory.
Because the '-d' command-line switch is processed before the program
drops its elevated privileges, this could lead to a full system
compromise. This vulnerability has been successfully exploited in a
laboratory environment.
Attack Scenarios:
An attacker with local access must determine the memory offsets of the
program's internal tTdvect variable and the location to which he or she
wishes to have data written.
The attacker must craft in architecture specific binary code the
commands (or 'shellcode') to be executed with higher privilege. The
attacker must then run the program, using the '-d' flag to overwrite a
function return address with the location of the supplied shellcode.
Exploits:
Currently the SecurityFocus staff are not aware of any exploits for
this issue. If you feel we are in error or are aware of more recent
information, please mail us at: vuldb@securityfocus.com
<mailto:vuldb@securityfocus.com>.
Mitigating Strategies:
Restrict local access to trusted users only.
Solutions:
Below is a statement from the Sendmail Consortium regarding this issue:
--------------------
This vulnerability, present in sendmail open source versions between
8.11.0 and 8.11.5 has been corrected in 8.11.6. sendmail 8.12.0.Beta
users should upgrade to 8.12.0.Beta19. The problem was not present in
8.10 or earlier versions. However, as always, we recommend using the
latest version. Note that this problem is not remotely exploitable.
Additionally, sendmail 8.12 will no longer uses a set-user-id root
binary by default.
--------------------
Updated packages that rectify this issue are available from the vendor:
For Sendmail Consortium Sendmail 8.11:
Sendmail Consortium upgrade sendmail 8.11.6
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
For Sendmail Consortium Sendmail 8.11.1:
Sendmail Consortium upgrade sendmail 8.11.6
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
For Sendmail Consortium Sendmail 8.11.2:
Sendmail Consortium upgrade sendmail 8.11.6
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
For Sendmail Consortium Sendmail 8.11.3:
Sendmail Consortium upgrade sendmail 8.11.6
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
For Sendmail Consortium Sendmail 8.11.4:
Sendmail Consortium upgrade sendmail 8.11.6
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
For Sendmail Consortium Sendmail 8.11.5:
Sendmail Consortium upgrade sendmail 8.11.6
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
For Sendmail Consortium Sendmail 8.12beta10:
Sendmail Consortium upgrade sendmail 8.12.0 Beta19
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
For Sendmail Consortium Sendmail 8.12beta12:
Sendmail Consortium upgrade sendmail 8.12.0 Beta19
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
For Sendmail Consortium Sendmail 8.12beta16:
Sendmail Consortium upgrade sendmail 8.12.0 Beta19
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
For Sendmail Consortium Sendmail 8.12beta5:
Sendmail Consortium upgrade sendmail 8.12.0 Beta19
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
For Sendmail Consortium Sendmail 8.12beta7:
Sendmail Consortium upgrade sendmail 8.12.0 Beta19
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
Credit:
Discovered by Cade Cairns <cairnsc@securityfocus.com> of the Security
Focus SIA Threat Analysis Team.
References:
web page:
Sendmail Homepage (Sendmail)
http://www.sendmail.org/
ChangeLog:
Aug 20, 2001: Updated packages that rectify this issue are now
available from Sendmail.
Aug 20, 2001: Updated versions of Sendmail will be available today at
4:00 PDT.
Aug 09, 2001: Initial analysis.
---------------------------------------------------------------------------
HOW TO INTERPRET THIS ALERT
BUGTRAQ ID: This is a unique identifier assigned to the
vulnerability by SecurityFocus.com.
CVE ID: This is a unique identifier assigned to the
vulnerability by the CVE.
Published: The date the vulnerability was first made public.
Updated: The date the information was last updated.
Remote: Whether this is a remotely exploitable
vulnerability.
Local: Whether this is a locally exploitable
vulnerability.
Credibility: Describes how credible the information about the
vulnerability is. Possible values are:
Conflicting Reports: The are multiple conflicting
about the existance of the vulnerability.
Single Source: There is a single non-reliable
source reporting the existence of the
vulnerability.
Reliable Source: There is a single reliable source
reporting the existence of the vulnerability.
Conflicting Details: There is consensus on the
existence of the vulnerability but not it's
details.
Multiple Sources: There is consensus on the
existence and details of the vulnerability.
Vendor Confirmed: The vendor has confirmed the
vulnerability.
Class: The class of vulnerability. Possible values are:
Boundary Condition Error, Access Validation Error,
Origin Validation Error, Input Valiadtion Error,
Failure to Handle Exceptional Conditions, Race
Condition Error, Serialization Error, Atomicity
Error, Environment Error, and Configuration Error.
Ease: Rates how easiliy the vulnerability can be
exploited. Possible values are: No Exploit
Available, Exploit Available, and No Exploit
Required.
Impact: Rates the impact of the vulnerability. It's range
is 1 through 10.
Severity: Rates the severity of the vulnerability. It's range
is 1 through 10. It's computed from the impact
rating and remote flag. Remote vulnerabiliteis with
a high impact rating receive a high severity
rating. Local vulnerabilities with a low impact
rating receive a low severity rating.
Urgency: Rates how quickly you should take action to fix or
mitigate the vulnerability. It's range is 1 through
10. It's computed from the severity rating, the
ease rating, and the credibility rating. High
severity vulnerabilities with a high ease rating,
and a high confidence rating have a higher urgency
rating. Low severity vulnerabilities with a low
ease rating, and a low confidence rating have a
lower urgency rating.
Last Change: The last change made to the vulnerability
information.
Vulnerable Systems: The list of vulnerable systems. A '+' preceding a
system name indicates that one of the system
components is vulnerable vulnerable. For example,
Windows 98 ships with Internet Explorer. So if a
vulnerability is found in IE you may see something
like: Microsoft Internet Explorer + Microsoft
Windows 98
Non-Vulnerable Systems: The list of non-vulnerable systems.
Summary: A concise summary of the vulnerability.
Impact: The impact of the vulnerability.
Technical Description: The in-depth description of the vulnerability.
Attack Scenarios: Ways an attacker may make use of the vulnerability.
Exploits: Exploit intructions or programs.
Mitigating Strategies: Ways to mitigate the vulnerability.
Solutions: Solutions to the vulnerability.
Credit: Information about who disclosed the vulnerability.
References: Sources of information on the vulnerability.
Related Resources: Resources that might be of additional value.
ChangeLog: History of changes to the vulnerability record.
---------------------------------------------------------------------------
Copyright 2001 SecurityFocus.com
https://alerts.securityfocus.com/
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3B82F724.A0436441>