Date:      Tue, 21 Aug 2001 17:09:35 -0700
From:      Kris Kennaway <kris@obsecurity.org>
To:        Michael Bryan <fbsd-secure@ursine.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Local Sendmail vulnerability, from BugTraq
Message-ID:  <20010821170934.A22112@xor.obsecurity.org>
In-Reply-To: <3B82F724.A0436441@ursine.com>; from fbsd-secure@ursine.com on Tue, Aug 21, 2001 at 05:04:52PM -0700
References:  <3B82F724.A0436441@ursine.com>

It's already been fixed in the source tree

Kris

On Tue, Aug 21, 2001 at 05:04:52PM -0700, Michael Bryan wrote:
>
> FYI, I would presume this affects FreeBSD boxes...
>
> -----Original Message-----
> From: Dave Ahmed [mailto:da@securityfocus.com]
> Sent: Tuesday, August 21, 2001 9:04 AM
> To: bugtraq@securityfocus.com
> Subject: *ALERT* UPDATED BID 3163 (URGENCY 6.58): Sendmail Debugger
> Arbitrary Code Execution Vulnerability (fwd)
>
>
>
> This alert is being posted to Bugtraq as our public release of the
> vulnerability discovered in Sendmail by Cade Cairns
> <cairnsc@securityfocus.com>.
>
> ---------------------------------------------------------------------------
>                               Security Alert
>
> Subject:      Sendmail Debugger Arbitrary Code Execution Vulnerability
> BUGTRAQ ID:   3163                   CVE ID:         CAN-2001-0653
> Published:    August 17, 2001 MT     Updated:        August 20, 2001 MT
>
> Remote:       No                     Local:          Yes
> Availability: Always                 Authentication: Not Required
> Credibility:  Vendor Confirmed       Ease:           No Exploit Available
> Class:        Input Validation Error
>
> Impact:   10.00          Severity: 7.50            Urgency:  6.58
>
> Last Change:  Updated packages that rectify this issue  are  now  available
>               from Sendmail.
> ---------------------------------------------------------------------------
>
> Vulnerable Systems:
>
>   Sendmail Consortium Sendmail 8.12beta7
>   Sendmail Consortium Sendmail 8.12beta5
>   Sendmail Consortium Sendmail 8.12beta16
>   Sendmail Consortium Sendmail 8.12beta12
>   Sendmail Consortium Sendmail 8.12beta10
>   Sendmail Consortium Sendmail 8.11.5
>   Sendmail Consortium Sendmail 8.11.4
>   Sendmail Consortium Sendmail 8.11.3
>   Sendmail Consortium Sendmail 8.11.2
>   Sendmail Consortium Sendmail 8.11.1
>   Sendmail Consortium Sendmail 8.11
>
> Non-Vulnerable Systems:
>
>
>
> Summary:
>
>   Sendmail contains an input validation error that may lead to the execution
>   of arbitrary code with elevated privileges.
>
> Impact:
>
>   Local users may be able to write  arbitrary  data  to  process  memory,
>   possibly  allowing  the  execution  of  code/commands   with   elevated
>   privileges.
>
> Technical Description:
>
>   An input validation error exists in Sendmail's debugging functionality.
>
>   The problem is the  result  of  the  use  of  signed  integers  in  the
>   program's  tTflag()  function,  which  is  responsible  for  processing
>   arguments supplied from the command  line  with  the  '-d'  switch  and
>   writing the values to its internal "trace vector."   The  vulnerability
>   exists because it is possible to cause a  signed  integer  overflow  by
>   supplying a large numeric value for the 'category' part of the debugger
>   arguments.  The numeric value is used as an index for the trace vector.
>
>   Before the vector is written to, a check is performed  to  ensure  that
>   the supplied index value is not greater than the size  of  the  vector.
>   However, because a signed integer comparison is used, it is possible to
>   bypass the check by  supplying  the  signed  integer  equivalent  of  a
>   negative value.  This may allow an attacker to write data  to  anywhere
>   within a certain range of locations in process memory.
>
>   Because the '-d' command-line switch is processed  before  the  program
>   drops its elevated  privileges,  this  could  lead  to  a  full  system
>   compromise.  This vulnerability has been successfully  exploited  in  a
>   laboratory environment.
>
> Attack Scenarios:
>
>   An attacker with local access must determine the memory offsets of  the
>   program's internal tTdvect variable and the location to which he or she
>   wishes to have data written.
>
>   The attacker must  craft  in  architecture  specific  binary  code  the
>   commands (or 'shellcode') to be executed with  higher  privilege.   The
>   attacker must then run the program, using the '-d' flag to overwrite  a
>   function return address with the location of the supplied shellcode.
>
> Exploits:
>
>   Currently the SecurityFocus staff are not aware  of  any  exploits  for
>   this issue. If you feel we are in error or are  aware  of  more  recent
>   information,    please    mail    us    at:     vuldb@securityfocus.com
>   <mailto:vuldb@securityfocus.com>.
>
> Mitigating Strategies:
>
>   Restrict local access to trusted users only.
>
> Solutions:
>
>   Below is a statement from the Sendmail Consortium regarding this issue:
>
>   --------------------
>   This vulnerability, present in sendmail open  source  versions  between
>   8.11.0 and 8.11.5 has been corrected in 8.11.6.   sendmail  8.12.0.Beta
>   users should upgrade to 8.12.0.Beta19.  The problem was not present  in
>   8.10 or earlier versions.  However, as always, we recommend  using  the
>   latest version.  Note that this problem is  not  remotely  exploitable.
>   Additionally, sendmail 8.12 will  no  longer  use  a  set-user-id  root
>   binary by default.
>   --------------------
>
>   Updated packages that rectify this issue are available from the vendor:
>
>   For Sendmail Consortium Sendmail 8.11:
>
>     Sendmail Consortium upgrade sendmail 8.11.6
>     ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
>
>   For Sendmail Consortium Sendmail 8.11.1:
>
>     Sendmail Consortium upgrade sendmail 8.11.6
>     ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
>
>   For Sendmail Consortium Sendmail 8.11.2:
>
>     Sendmail Consortium upgrade sendmail 8.11.6
>     ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
>
>   For Sendmail Consortium Sendmail 8.11.3:
>
>     Sendmail Consortium upgrade sendmail 8.11.6
>     ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
>
>   For Sendmail Consortium Sendmail 8.11.4:
>
>     Sendmail Consortium upgrade sendmail 8.11.6
>     ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
>
>   For Sendmail Consortium Sendmail 8.11.5:
>
>     Sendmail Consortium upgrade sendmail 8.11.6
>     ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
>
>   For Sendmail Consortium Sendmail 8.12beta10:
>
>     Sendmail Consortium upgrade sendmail 8.12.0 Beta19
>     ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
>
>   For Sendmail Consortium Sendmail 8.12beta12:
>
>     Sendmail Consortium upgrade sendmail 8.12.0 Beta19
>     ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
>
>   For Sendmail Consortium Sendmail 8.12beta16:
>
>     Sendmail Consortium upgrade sendmail 8.12.0 Beta19
>     ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
>
>   For Sendmail Consortium Sendmail 8.12beta5:
>
>     Sendmail Consortium upgrade sendmail 8.12.0 Beta19
>     ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
>
>   For Sendmail Consortium Sendmail 8.12beta7:
>
>     Sendmail Consortium upgrade sendmail 8.12.0 Beta19
>     ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
>
> Credit:
>
>   Discovered by Cade Cairns <cairnsc@securityfocus.com> of the Security
>   Focus SIA Threat Analysis Team.
>
> References:
>
>   web page:
>   Sendmail Homepage (Sendmail)
>   http://www.sendmail.org/
>
> ChangeLog:
>
>   Aug 20, 2001: Updated  packages  that  rectify  this  issue   are   now
>                 available from Sendmail.
>   Aug 20, 2001: Updated versions of Sendmail will be available  today  at
>                 4:00 PDT.
>   Aug 09, 2001: Initial analysis.
>
> ---------------------------------------------------------------------------
>
> HOW TO INTERPRET THIS ALERT
>
>             BUGTRAQ ID: This  is  a  unique  identifier  assigned  to   the
>                         vulnerability by SecurityFocus.com.
>
>                 CVE ID: This  is  a  unique  identifier  assigned  to   the
>                         vulnerability by the CVE.
>
>              Published: The date the vulnerability was first made public.
>
>                Updated: The date the information was last updated.
>
>                 Remote: Whether   this   is    a    remotely    exploitable
>                         vulnerability.
>
>                  Local: Whether   this    is    a    locally    exploitable
>                         vulnerability.
>
>            Credibility: Describes how credible the  information  about  the
>                         vulnerability is. Possible values are:
>
>                         Conflicting Reports: There are multiple conflicting
>                         reports about the existence of the vulnerability.
>
>                         Single  Source:  There  is  a  single  non-reliable
>                         source   reporting    the    existence    of    the
>                         vulnerability.
>
>                         Reliable Source: There is a single reliable  source
>                         reporting the existence of the vulnerability.
>
>                         Conflicting Details:  There  is  consensus  on  the
>                         existence  of  the  vulnerability  but   not   its
>                         details.
>
>                         Multiple  Sources:  There  is  consensus   on   the
>                         existence and details of the vulnerability.
>
>                         Vendor Confirmed:  The  vendor  has  confirmed  the
>                         vulnerability.
>
>                  Class: The class of vulnerability.  Possible  values  are:
>                         Boundary Condition Error, Access Validation  Error,
>                         Origin Validation Error,  Input  Validation  Error,
>                         Failure  to  Handle  Exceptional  Conditions,  Race
>                         Condition  Error,  Serialization  Error,  Atomicity
>                         Error, Environment Error, and Configuration Error.
>
>                   Ease: Rates  how  easily  the   vulnerability   can   be
>                         exploited.  Possible   values   are:   No   Exploit
>                         Available,  Exploit  Available,  and   No   Exploit
>                         Required.
>
>                 Impact: Rates the impact of the vulnerability.  Its  range
>                         is 1 through 10.
>
>               Severity: Rates the severity of the vulnerability. Its range
>                         is 1 through 10.  It's  computed  from  the  impact
>                         rating and remote flag. Remote vulnerabilities with
>                         a  high  impact  rating  receive  a  high  severity
>                         rating. Local vulnerabilities  with  a  low  impact
>                         rating receive a low severity rating.
>
>                Urgency: Rates how quickly you should take action to fix  or
>                         mitigate the vulnerability. Its range is 1 through
>                         10. It's computed from  the  severity  rating,  the
>                         ease  rating,  and  the  credibility  rating.  High
>                         severity vulnerabilities with a high  ease  rating,
>                         and a high confidence rating have a higher  urgency
>                         rating. Low severity  vulnerabilities  with  a  low
>                         ease rating, and a low  confidence  rating  have  a
>                         lower urgency rating.
>
>            Last Change: The  last  change   made   to   the   vulnerability
>                         information.
>
>     Vulnerable Systems: The list of vulnerable systems. A '+'  preceding  a
>                         system  name  indicates  that  one  of  the  system
>                         components is vulnerable.  For  example,
>                         Windows 98 ships with Internet Explorer.  So  if  a
>                         vulnerability is found in IE you may see  something
>                         like:  Microsoft  Internet  Explorer  +   Microsoft
>                         Windows 98
>
> Non-Vulnerable Systems: The list of non-vulnerable systems.
>
>                Summary: A concise summary of the vulnerability.
>
>                 Impact: The impact of the vulnerability.
>
>  Technical Description: The in-depth description of the vulnerability.
>
>       Attack Scenarios: Ways an attacker may make use of the vulnerability.
>
>               Exploits: Exploit instructions or programs.
>
>  Mitigating Strategies: Ways to mitigate the vulnerability.
>
>              Solutions: Solutions to the vulnerability.
>
>                 Credit: Information about who disclosed the vulnerability.
>
>             References: Sources of information on the vulnerability.
>
>      Related Resources: Resources that might be of additional value.
>
>              ChangeLog: History of changes to the vulnerability record.
>
> ---------------------------------------------------------------------------
>
>                      Copyright 2001 SecurityFocus.com
>
>                      https://alerts.securityfocus.com/
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
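The signed-comparison bypass that the forwarded alert's Technical Description spells out, as an added example that is not part of this thread and not Sendmail's tTflag() code: a toy trace vector whose "category" index is parsed into a fixed-width signed integer and then passed through a check that only rejects indices that are too large, shown beside a hardened check that parses with overflow detection and rejects both ends of the range. The vector size, the function names (`flawed_check`, `hardened_check`, `trace_enabled`) and the sample arguments are assumptions made for the demonstration; the flawed variant guards its own write so that the program stays memory-safe while still reporting the negative index its check let through.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model, not Sendmail's code: a fixed-size trace vector that a
 * "category.level" argument (the shape of a -d argument) selects into. */
#define TRACE_VECTOR_SIZE 100
#define TRACE_REJECTED    LONG_MIN   /* sentinel returned when a check rejects */

static unsigned char trace_vector[TRACE_VECTOR_SIZE];

/* Flawed parse: decimal digits accumulated into a fixed-width integer that
 * wraps. Accumulating in unsigned (defined wraparound in C) and then
 * reinterpreting as int is what the signed overflow amounts to on a
 * two's-complement target: "4294967295" comes out as -1. */
static int parse_category_wrapping(const char *arg)
{
    unsigned int acc = 0;
    for (; *arg >= '0' && *arg <= '9'; arg++)
        acc = acc * 10u + (unsigned int)(*arg - '0');
    return (int)acc;
}

/* Flawed bounds check: one signed comparison rejects only indices that are
 * too large, so a negative index passes and real code would go on to write
 * below the start of the vector. Returns the index the check accepted
 * (possibly negative) or TRACE_REJECTED. The write here is guarded so that
 * this demonstration itself stays memory-safe. */
long flawed_check(const char *arg)
{
    int idx = parse_category_wrapping(arg);
    if (idx >= TRACE_VECTOR_SIZE)        /* -1 >= 100 is false: check passed */
        return TRACE_REJECTED;
    if (idx >= 0)                        /* guard the flawed code did not have */
        trace_vector[idx] = 1;
    return idx;
}

/* Hardened form: parse with overflow detection, then check both ends of
 * the range before touching the vector. Returns the accepted index or
 * TRACE_REJECTED. */
long hardened_check(const char *arg)
{
    char *end;
    errno = 0;
    long v = strtol(arg, &end, 10);
    if (end == arg || (*end != '\0' && *end != '.'))
        return TRACE_REJECTED;           /* not a plain decimal category */
    if (errno == ERANGE || v < 0 || v >= TRACE_VECTOR_SIZE)
        return TRACE_REJECTED;           /* overflowed, negative, or past the end */
    trace_vector[v] = 1;
    return v;
}

/* Read a slot back so the effect of an accepted write is observable. */
bool trace_enabled(long idx)
{
    return idx >= 0 && idx < TRACE_VECTOR_SIZE && trace_vector[idx] != 0;
}

int main(void)
{
    /* Constructed sample arguments: in range, too large, and a value that
     * wraps to -1 in a 32-bit signed int. */
    const char *args[] = { "12.4", "200.1", "4294967295.1" };
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++) {
        long f = flawed_check(args[i]);
        long h = hardened_check(args[i]);
        printf("%-14s flawed: %s", args[i],
               f == TRACE_REJECTED ? "rejected" : "accepted index ");
        if (f != TRACE_REJECTED)
            printf("%ld", f);
        printf("   hardened: %s\n", h == TRACE_REJECTED ? "rejected" : "accepted");
    }
    return 0;
}
```

Run as is: the flawed check rejects "200.1" but accepts "4294967295.1" with index -1, which is the alert's "signed integer equivalent of a negative value"; the hardened check rejects it whether `strtol` reports ERANGE (32-bit long) or returns the full value (64-bit long), because the range test covers both sides.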
