Date: Tue, 21 Aug 2001 17:09:35 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Michael Bryan <fbsd-secure@ursine.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Local Sendmail vulnerability, from BugTraq
Message-ID: <20010821170934.A22112@xor.obsecurity.org>
In-Reply-To: <3B82F724.A0436441@ursine.com>; from fbsd-secure@ursine.com on Tue, Aug 21, 2001 at 05:04:52PM -0700
References: <3B82F724.A0436441@ursine.com>
[-- Attachment #1 --]

It's already been fixed in the source tree.

Kris

On Tue, Aug 21, 2001 at 05:04:52PM -0700, Michael Bryan wrote:
>
> FYI, I would presume this affects FreeBSD boxes...
>
> -----Original Message-----
> From: Dave Ahmed [mailto:da@securityfocus.com]
> Sent: Tuesday, August 21, 2001 9:04 AM
> To: bugtraq@securityfocus.com
> Subject: *ALERT* UPDATED BID 3163 (URGENCY 6.58): Sendmail Debugger
> Arbitrary Code Execution Vulnerability (fwd)
>
>
> This alert is being posted to Bugtraq as our public release of the
> vulnerability discovered in Sendmail by Cade Cairns
> <cairnsc@securityfocus.com>.
>
> ---------------------------------------------------------------------------
> Security Alert
>
> Subject:      Sendmail Debugger Arbitrary Code Execution Vulnerability
> BUGTRAQ ID:   3163                  CVE ID:          CAN-2001-0653
> Published:    August 17, 2001 MT    Updated:         August 20, 2001 MT
>
> Remote:       No                    Local:           Yes
> Availability: Always                Authentication:  Not Required
> Credibility:  Vendor Confirmed      Ease:            No Exploit Available
> Class:        Input Validation Error
>
> Impact:       10.00                 Severity:        7.50
> Urgency:      6.58
>
> Last Change:  Updated packages that rectify this issue are now available
>               from Sendmail.
> ---------------------------------------------------------------------------
>
> Vulnerable Systems:
>
> Sendmail Consortium Sendmail 8.12beta7
> Sendmail Consortium Sendmail 8.12beta5
> Sendmail Consortium Sendmail 8.12beta16
> Sendmail Consortium Sendmail 8.12beta12
> Sendmail Consortium Sendmail 8.12beta10
> Sendmail Consortium Sendmail 8.11.5
> Sendmail Consortium Sendmail 8.11.4
> Sendmail Consortium Sendmail 8.11.3
> Sendmail Consortium Sendmail 8.11.2
> Sendmail Consortium Sendmail 8.11.1
> Sendmail Consortium Sendmail 8.11
>
> Non-Vulnerable Systems:
>
>
> Summary:
>
> Sendmail contains an input validation error, which may lead to the
> execution of arbitrary code with elevated privileges.
>
> Impact:
>
> Local users may be able to write arbitrary data to process memory,
> possibly allowing the execution of code/commands with elevated
> privileges.
>
> Technical Description:
>
> An input validation error exists in Sendmail's debugging functionality.
>
> The problem is the result of the use of signed integers in the
> program's tTflag() function, which is responsible for processing
> arguments supplied from the command line with the '-d' switch and
> writing the values to its internal "trace vector." The vulnerability
> exists because it is possible to cause a signed integer overflow by
> supplying a large numeric value for the 'category' part of the debugger
> arguments. The numeric value is used as an index for the trace vector.
>
> Before the vector is written to, a check is performed to ensure that
> the supplied index value is not greater than the size of the vector.
> However, because a signed integer comparison is used, it is possible to
> bypass the check by supplying the signed integer equivalent of a
> negative value. This may allow an attacker to write data to anywhere
> within a certain range of locations in process memory.
>
> Because the '-d' command-line switch is processed before the program
> drops its elevated privileges, this could lead to a full system
> compromise. This vulnerability has been successfully exploited in a
> laboratory environment.
>
> Attack Scenarios:
>
> An attacker with local access must determine the memory offsets of the
> program's internal tTdvect variable and the location to which he or she
> wishes to have data written.
>
> The attacker must craft in architecture-specific binary code the
> commands (or 'shellcode') to be executed with higher privilege. The
> attacker must then run the program, using the '-d' flag to overwrite a
> function return address with the location of the supplied shellcode.
>
> Exploits:
>
> Currently the SecurityFocus staff are not aware of any exploits for
> this issue. If you feel we are in error or are aware of more recent
> information, please mail us at: vuldb@securityfocus.com
> <mailto:vuldb@securityfocus.com>.
>
> Mitigating Strategies:
>
> Restrict local access to trusted users only.
>
> Solutions:
>
> Below is a statement from the Sendmail Consortium regarding this issue:
>
> --------------------
> This vulnerability, present in sendmail open source versions between
> 8.11.0 and 8.11.5, has been corrected in 8.11.6. sendmail 8.12.0.Beta
> users should upgrade to 8.12.0.Beta19. The problem was not present in
> 8.10 or earlier versions. However, as always, we recommend using the
> latest version. Note that this problem is not remotely exploitable.
> Additionally, sendmail 8.12 will no longer use a set-user-id root
> binary by default.
> --------------------
>
> Updated packages that rectify this issue are available from the vendor:
>
> For Sendmail Consortium Sendmail 8.11:
>
> Sendmail Consortium upgrade sendmail 8.11.6
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
>
> For Sendmail Consortium Sendmail 8.11.1:
>
> Sendmail Consortium upgrade sendmail 8.11.6
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
>
> For Sendmail Consortium Sendmail 8.11.2:
>
> Sendmail Consortium upgrade sendmail 8.11.6
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
>
> For Sendmail Consortium Sendmail 8.11.3:
>
> Sendmail Consortium upgrade sendmail 8.11.6
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
>
> For Sendmail Consortium Sendmail 8.11.4:
>
> Sendmail Consortium upgrade sendmail 8.11.6
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
>
> For Sendmail Consortium Sendmail 8.11.5:
>
> Sendmail Consortium upgrade sendmail 8.11.6
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
>
> For Sendmail Consortium Sendmail 8.12beta10:
>
> Sendmail Consortium upgrade sendmail 8.12.0 Beta19
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
>
> For Sendmail Consortium Sendmail 8.12beta12:
>
> Sendmail Consortium upgrade sendmail 8.12.0 Beta19
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
>
> For Sendmail Consortium Sendmail 8.12beta16:
>
> Sendmail Consortium upgrade sendmail 8.12.0 Beta19
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
>
> For Sendmail Consortium Sendmail 8.12beta5:
>
> Sendmail Consortium upgrade sendmail 8.12.0 Beta19
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
>
> For Sendmail Consortium Sendmail 8.12beta7:
>
> Sendmail Consortium upgrade sendmail 8.12.0 Beta19
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
>
> Credit:
>
> Discovered by Cade Cairns <cairnsc@securityfocus.com> of the Security
> Focus SIA Threat Analysis Team.
>
> References:
>
> web page:
> Sendmail Homepage (Sendmail)
> http://www.sendmail.org/
>
> ChangeLog:
>
> Aug 20, 2001: Updated packages that rectify this issue are now
>               available from Sendmail.
> Aug 20, 2001: Updated versions of Sendmail will be available today at
>               4:00 PDT.
> Aug 09, 2001: Initial analysis.
>
> ---------------------------------------------------------------------------
>
> HOW TO INTERPRET THIS ALERT
>
> BUGTRAQ ID:     This is a unique identifier assigned to the
>                 vulnerability by SecurityFocus.com.
>
> CVE ID:         This is a unique identifier assigned to the
>                 vulnerability by the CVE.
>
> Published:      The date the vulnerability was first made public.
>
> Updated:        The date the information was last updated.
>
> Remote:         Whether this is a remotely exploitable
>                 vulnerability.
>
> Local:          Whether this is a locally exploitable
>                 vulnerability.
>
> Credibility:    Describes how credible the information about the
>                 vulnerability is. Possible values are:
>
>                 Conflicting Reports: There are multiple conflicting
>                 reports about the existence of the vulnerability.
>
>                 Single Source: There is a single non-reliable
>                 source reporting the existence of the
>                 vulnerability.
>
>                 Reliable Source: There is a single reliable source
>                 reporting the existence of the vulnerability.
>
>                 Conflicting Details: There is consensus on the
>                 existence of the vulnerability but not its
>                 details.
>
>                 Multiple Sources: There is consensus on the
>                 existence and details of the vulnerability.
>
>                 Vendor Confirmed: The vendor has confirmed the
>                 vulnerability.
>
> Class:          The class of vulnerability. Possible values are:
>                 Boundary Condition Error, Access Validation Error,
>                 Origin Validation Error, Input Validation Error,
>                 Failure to Handle Exceptional Conditions, Race
>                 Condition Error, Serialization Error, Atomicity
>                 Error, Environment Error, and Configuration Error.
>
> Ease:           Rates how easily the vulnerability can be
>                 exploited. Possible values are: No Exploit
>                 Available, Exploit Available, and No Exploit
>                 Required.
>
> Impact:         Rates the impact of the vulnerability. Its range
>                 is 1 through 10.
>
> Severity:       Rates the severity of the vulnerability. Its range
>                 is 1 through 10. It is computed from the impact
>                 rating and remote flag. Remote vulnerabilities with
>                 a high impact rating receive a high severity
>                 rating. Local vulnerabilities with a low impact
>                 rating receive a low severity rating.
>
> Urgency:        Rates how quickly you should take action to fix or
>                 mitigate the vulnerability. Its range is 1 through
>                 10. It is computed from the severity rating, the
>                 ease rating, and the credibility rating. High
>                 severity vulnerabilities with a high ease rating,
>                 and a high confidence rating have a higher urgency
>                 rating. Low severity vulnerabilities with a low
>                 ease rating, and a low confidence rating have a
>                 lower urgency rating.
>
> Last Change:    The last change made to the vulnerability
>                 information.
>
> Vulnerable Systems: The list of vulnerable systems. A '+' preceding a
>                 system name indicates that one of the system
>                 components is vulnerable. For example,
>                 Windows 98 ships with Internet Explorer. So if a
>                 vulnerability is found in IE you may see something
>                 like: Microsoft Internet Explorer + Microsoft
>                 Windows 98
>
> Non-Vulnerable Systems: The list of non-vulnerable systems.
>
> Summary:        A concise summary of the vulnerability.
>
> Impact:         The impact of the vulnerability.
>
> Technical Description: The in-depth description of the vulnerability.
>
> Attack Scenarios: Ways an attacker may make use of the vulnerability.
>
> Exploits:       Exploit instructions or programs.
>
> Mitigating Strategies: Ways to mitigate the vulnerability.
>
> Solutions:      Solutions to the vulnerability.
>
> Credit:         Information about who disclosed the vulnerability.
>
> References:     Sources of information on the vulnerability.
>
> Related Resources: Resources that might be of additional value.
>
> ChangeLog:      History of changes to the vulnerability record.
>
> ---------------------------------------------------------------------------
>
> Copyright 2001 SecurityFocus.com
>
> https://alerts.securityfocus.com/
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

[-- Attachment #2 --]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7gvg+Wry0BWjoQKURAnUhAJ0cbam7PQNp9duiY98OxHLzuaCCSACgnhio
1M2zWdunrAxpoDEeLRk1Mek=
=+l3i
-----END PGP SIGNATURE-----
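The signed-comparison bypass the forwarded advisory describes (a category value checked only against the vector's upper bound, so a negative value, or a large positive one that wraps to negative in a 32-bit int, passes and indexes memory in front of the trace vector) can be modelled in a few lines. This is an added example, not sendmail's tTflag() source: the vector size of 100, the 64 bytes placed in front of it, the "CATEGORY.LEVEL" spelling of the argument and all function names are assumptions made for the illustration. The vulnerable check is shown beside the fixed one.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Model of the flaw in the advisory: a "-dCATEGORY.LEVEL" argument whose
 * CATEGORY indexes a trace vector after a signed, upper-bound-only check.
 * Added example, not sendmail's tTflag(); sizes and names are assumptions. */

#define TRACE_VECT_SIZE 100   /* assumed length of the trace vector            */
#define BELOW_SIZE      64    /* assumed bytes sitting just before it in memory */

/* Simulated process memory. Writing through the arena's base pointer keeps a
 * negative index inside one object, so the demo is well defined where a real
 * out-of-bounds write would not be. */
struct arena {
    unsigned char below[BELOW_SIZE];
    unsigned char vect[TRACE_VECT_SIZE];
};

/* Parse "CAT.LEVEL" (LEVEL optional, default 1). Returns 0 if malformed.
 * CAT is narrowed to int exactly as a 32-bit category field would be, so
 * 4294967288 (0xFFFFFFF8) becomes -8 on two's-complement hardware. */
int parse_trace_spec(const char *spec, int *cat, int *level)
{
    char *end;
    errno = 0;
    long v = strtol(spec, &end, 10);
    if (end == spec || errno == ERANGE)
        return 0;
    *cat = (int)v;
    *level = 1;
    if (*end == '.') {
        const char *p = end + 1;
        long l = strtol(p, &end, 10);
        if (end == p || errno == ERANGE)
            return 0;
        *level = (int)l;
    }
    return *end == '\0';
}

/* VULNERABLE check as the advisory describes it: signed compare against the
 * upper bound only, so any negative category passes. */
int index_ok_vuln(int cat)
{
    return cat <= TRACE_VECT_SIZE - 1;
}

/* FIXED check: reject negatives before the value is ever used as an index. */
int index_ok_fixed(int cat)
{
    return cat >= 0 && cat < TRACE_VECT_SIZE;
}

/* Apply one spec with the given check. Returns the byte offset written
 * (from the arena base), -1 if the check rejected it, -2 if malformed, and
 * -3 if the write would leave the arena (refused here; a real process
 * would corrupt memory or crash). */
long trace_set(struct arena *a, const char *spec, int (*check)(int))
{
    int cat, level;
    if (!parse_trace_spec(spec, &cat, &level))
        return -2;
    if (!check(cat))
        return -1;
    long off = (long)offsetof(struct arena, vect) + cat;
    if (off < 0 || off >= (long)sizeof *a)
        return -3;
    ((unsigned char *)a)[off] = (unsigned char)level;
    return off;
}

/* Zero-initialised static memory plus thin wrappers for the demo. */
static struct arena demo_mem;
long set_vuln(const char *spec)  { return trace_set(&demo_mem, spec, index_ok_vuln); }
long set_fixed(const char *spec) { return trace_set(&demo_mem, spec, index_ok_fixed); }
int  mem_at(long off)            { return ((unsigned char *)&demo_mem)[off]; }

int main(void)
{
    /* Constructed inputs: in range, negative, wrapped-positive, too large,
     * and too negative to stay inside the simulated memory. */
    const char *specs[] = { "5.3", "-8.65", "4294967288.66", "100.1", "-100.1" };
    for (size_t i = 0; i < sizeof specs / sizeof *specs; i++)
        printf("%-16s vulnerable check -> %4ld   fixed check -> %4ld\n",
               specs[i], set_vuln(specs[i]), set_fixed(specs[i]));
    /* "-8.65" and its wrapped twin both pass the vulnerable check and land
     * 8 bytes in front of the vector (offset 56); the fixed check rejects both. */
    return 0;
}
```

The point to carry over to real code is the second check: once a value is going to be used as an array index, test both bounds, or convert to an unsigned type before a single comparison, so that the sign bit cannot turn a "too large" value into a "too small" one.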
