From owner-freebsd-security Tue Aug 21 17:12:34 2001
Date: Tue, 21 Aug 2001 17:09:35 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Michael Bryan <fbsd-secure@ursine.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Local Sendmail vulnerability, from BugTraq
Message-ID: <20010821170934.A22112@xor.obsecurity.org>
In-Reply-To: <3B82F724.A0436441@ursine.com>
User-Agent: Mutt/1.2.5i

It's already been fixed in the source tree

Kris

On Tue, Aug 21, 2001 at 05:04:52PM -0700, Michael Bryan wrote:
>
> FYI, I would presume this affects FreeBSD boxes...
>
> -----Original Message-----
> From: Dave Ahmed [mailto:da@securityfocus.com]
> Sent: Tuesday, August 21, 2001 9:04 AM
> To: bugtraq@securityfocus.com
> Subject: *ALERT* UPDATED BID 3163 (URGENCY 6.58): Sendmail Debugger
> Arbitrary Code Execution Vulnerability (fwd)
>
>
> This alert is being posted to Bugtraq as our public release of the
> vulnerability discovered in Sendmail by Cade Cairns.
>
> ---------------------------------------------------------------------------
> Security Alert
>
> Subject:       Sendmail Debugger Arbitrary Code Execution Vulnerability
> BUGTRAQ ID:    3163                   CVE ID:          CAN-2001-0653
> Published:     August 17, 2001 MT     Updated:         August 20, 2001 MT
>
> Remote:        No                     Local:           Yes
> Availability:  Always                 Authentication:  Not Required
> Credibility:   Vendor Confirmed       Ease:            No Exploit Available
> Class:         Input Validation Error
>
> Impact:        10.00                  Severity:        7.50    Urgency: 6.58
>
> Last Change:   Updated packages that rectify this issue are now available
>                from Sendmail.
> ---------------------------------------------------------------------------
>
> Vulnerable Systems:
>
> Sendmail Consortium Sendmail 8.12beta7
> Sendmail Consortium Sendmail 8.12beta5
> Sendmail Consortium Sendmail 8.12beta16
> Sendmail Consortium Sendmail 8.12beta12
> Sendmail Consortium Sendmail 8.12beta10
> Sendmail Consortium Sendmail 8.11.5
> Sendmail Consortium Sendmail 8.11.4
> Sendmail Consortium Sendmail 8.11.3
> Sendmail Consortium Sendmail 8.11.2
> Sendmail Consortium Sendmail 8.11.1
> Sendmail Consortium Sendmail 8.11
>
> Non-Vulnerable Systems:
>
>
> Summary:
>
> Sendmail contains an input validation error, which may lead to the
> execution of arbitrary code with elevated privileges.
>
> Impact:
>
> Local users may be able to write arbitrary data to process memory,
> possibly allowing the execution of code/commands with elevated
> privileges.
>
> Technical Description:
>
> An input validation error exists in Sendmail's debugging functionality.
>
> The problem is the result of the use of signed integers in the
> program's tTflag() function, which is responsible for processing
> arguments supplied from the command line with the '-d' switch and
> writing the values to its internal "trace vector."
> The vulnerability exists because it is possible to cause a signed
> integer overflow by supplying a large numeric value for the 'category'
> part of the debugger arguments. The numeric value is used as an index
> for the trace vector.
>
> Before the vector is written to, a check is performed to ensure that
> the supplied index value is not greater than the size of the vector.
> However, because a signed integer comparison is used, it is possible to
> bypass the check by supplying the signed integer equivalent of a
> negative value. This may allow an attacker to write data to anywhere
> within a certain range of locations in process memory.
>
> Because the '-d' command-line switch is processed before the program
> drops its elevated privileges, this could lead to a full system
> compromise. This vulnerability has been successfully exploited in a
> laboratory environment.
>
> Attack Scenarios:
>
> An attacker with local access must determine the memory offsets of the
> program's internal tTdvect variable and the location to which he or she
> wishes to have data written.
>
> The attacker must craft in architecture specific binary code the
> commands (or 'shellcode') to be executed with higher privilege. The
> attacker must then run the program, using the '-d' flag to overwrite a
> function return address with the location of the supplied shellcode.
>
> Exploits:
>
> Currently the SecurityFocus staff are not aware of any exploits for
> this issue. If you feel we are in error or are aware of more recent
> information, please mail us at: vuldb@securityfocus.com.
>
> Mitigating Strategies:
>
> Restrict local access to trusted users only.
>
> Solutions:
>
> Below is a statement from the Sendmail Consortium regarding this issue:
>
> --------------------
> This vulnerability, present in sendmail open source versions between
> 8.11.0 and 8.11.5 has been corrected in 8.11.6. sendmail 8.12.0.Beta
> users should upgrade to 8.12.0.Beta19. The problem was not present in
The problem was not present in > 8.10 or earlier versions. However, as always, we recommend using the > latest version. Note that this problem is not remotely exploitable. > Additionally, sendmail 8.12 will no longer uses a set-user-id root > binary by default. > -------------------- >=20 > Updated packages that rectify this issue are available from the vendor: >=20 > For Sendmail Consortium Sendmail 8.11: >=20 > Sendmail Consortium upgrade sendmail 8.11.6 > ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz >=20 > For Sendmail Consortium Sendmail 8.11.1: >=20 > Sendmail Consortium upgrade sendmail 8.11.6 > ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz >=20 > For Sendmail Consortium Sendmail 8.11.2: >=20 > Sendmail Consortium upgrade sendmail 8.11.6 > ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz >=20 > For Sendmail Consortium Sendmail 8.11.3: >=20 > Sendmail Consortium upgrade sendmail 8.11.6 > ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz >=20 > For Sendmail Consortium Sendmail 8.11.4: >=20 > Sendmail Consortium upgrade sendmail 8.11.6 > ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz >=20 > For Sendmail Consortium Sendmail 8.11.5: >=20 > Sendmail Consortium upgrade sendmail 8.11.6 > ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz >=20 > For Sendmail Consortium Sendmail 8.12beta10: >=20 > Sendmail Consortium upgrade sendmail 8.12.0 Beta19 > ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz >=20 > For Sendmail Consortium Sendmail 8.12beta12: >=20 > Sendmail Consortium upgrade sendmail 8.12.0 Beta19 > ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz >=20 > For Sendmail Consortium Sendmail 8.12beta16: >=20 > Sendmail Consortium upgrade sendmail 8.12.0 Beta19 > ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz >=20 > For Sendmail Consortium Sendmail 8.12beta5: >=20 > Sendmail Consortium upgrade sendmail 8.12.0 Beta19 > 
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
>
> For Sendmail Consortium Sendmail 8.12beta7:
>
> Sendmail Consortium upgrade sendmail 8.12.0 Beta19
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
>
> Credit:
>
> Discovered by Cade Cairns of the Security
> Focus SIA Threat Analysis Team.
>
> References:
>
> web page:
> Sendmail Homepage (Sendmail)
> http://www.sendmail.org/
>
> ChangeLog:
>
> Aug 20, 2001: Updated packages that rectify this issue are now
>               available from Sendmail.
> Aug 20, 2001: Updated versions of Sendmail will be available today at
>               4:00 PDT.
> Aug 09, 2001: Initial analysis.
>
> ---------------------------------------------------------------------------
>
> HOW TO INTERPRET THIS ALERT
>
> BUGTRAQ ID:    This is a unique identifier assigned to the
>                vulnerability by SecurityFocus.com.
>
> CVE ID:        This is a unique identifier assigned to the
>                vulnerability by the CVE.
>
> Published:     The date the vulnerability was first made public.
>
> Updated:       The date the information was last updated.
>
> Remote:        Whether this is a remotely exploitable vulnerability.
>
> Local:         Whether this is a locally exploitable vulnerability.
>
> Credibility:   Describes how credible the information about the
>                vulnerability is. Possible values are:
>
>     Conflicting Reports: There are multiple conflicting reports
>                          about the existence of the vulnerability.
>
>     Single Source:       There is a single non-reliable source
>                          reporting the existence of the vulnerability.
>
>     Reliable Source:     There is a single reliable source reporting
>                          the existence of the vulnerability.
>
>     Conflicting Details: There is consensus on the existence of the
>                          vulnerability but not its details.
>
>     Multiple Sources:    There is consensus on the existence and
>                          details of the vulnerability.
>
>     Vendor Confirmed:    The vendor has confirmed the vulnerability.
>
> Class:         The class of vulnerability. Possible values are:
>                Boundary Condition Error, Access Validation Error,
>                Origin Validation Error, Input Validation Error,
>                Failure to Handle Exceptional Conditions, Race
>                Condition Error, Serialization Error, Atomicity
>                Error, Environment Error, and Configuration Error.
>
> Ease:          Rates how easily the vulnerability can be exploited.
>                Possible values are: No Exploit Available, Exploit
>                Available, and No Exploit Required.
>
> Impact:        Rates the impact of the vulnerability. Its range is
>                1 through 10.
>
> Severity:      Rates the severity of the vulnerability. Its range is
>                1 through 10. It is computed from the impact rating
>                and remote flag. Remote vulnerabilities with a high
>                impact rating receive a high severity rating. Local
>                vulnerabilities with a low impact rating receive a
>                low severity rating.
>
> Urgency:       Rates how quickly you should take action to fix or
>                mitigate the vulnerability. Its range is 1 through 10.
>                It is computed from the severity rating, the ease
>                rating, and the credibility rating. High severity
>                vulnerabilities with a high ease rating and a high
>                confidence rating have a higher urgency rating. Low
>                severity vulnerabilities with a low ease rating and a
>                low confidence rating have a lower urgency rating.
>
> Last Change:   The last change made to the vulnerability information.
>
> Vulnerable Systems: The list of vulnerable systems. A '+' preceding a
>                system name indicates that one of the system
>                components is vulnerable. For example, Windows 98
>                ships with Internet Explorer. So if a vulnerability is
>                found in IE you may see something like:
>                Microsoft Internet Explorer + Microsoft Windows 98
>
> Non-Vulnerable Systems: The list of non-vulnerable systems.
>
> Summary:       A concise summary of the vulnerability.
>
> Impact:        The impact of the vulnerability.
>
> Technical Description: The in-depth description of the vulnerability.
>
> Attack Scenarios: Ways an attacker may make use of the vulnerability.
>
> Exploits:      Exploit instructions or programs.
>
> Mitigating Strategies: Ways to mitigate the vulnerability.
>
> Solutions:     Solutions to the vulnerability.
>
> Credit:        Information about who disclosed the vulnerability.
>
> References:    Sources of information on the vulnerability.
>
> Related Resources: Resources that might be of additional value.
>
> ChangeLog:     History of changes to the vulnerability record.
>
> ---------------------------------------------------------------------------
>
> Copyright 2001 SecurityFocus.com
>
> https://alerts.securityfocus.com/
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7gvg+Wry0BWjoQKURAnUhAJ0cbam7PQNp9duiY98OxHLzuaCCSACgnhio
1M2zWdunrAxpoDEeLRk1Mek=
=+l3i
-----END PGP SIGNATURE-----
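The defect the advisory's Technical Description attributes to tTflag() (an upper-bound-only, signed comparison on an index parsed from the '-d' category value) is easy to reproduce in miniature. The C program below is an added example written for this archive page; it is not code from sendmail or from any of the posters. It assumes a hypothetical trace vector of 100 entries (sendmail's real size and its actual parsing code are not on this page), and the function names parse_category_naive, weak_index_check, hardened_index_check and parse_category_checked are the example's own. It shows that a large decimal value, accumulated without a range check, wraps to a negative index that the signed upper-bound check accepts, and that an explicit lower bound plus a strtol-based parser with ERANGE handling rejects it before it can reach the vector.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical trace-vector size for illustration; not sendmail's value. */
#define TRACE_VECTOR_SIZE 100

/* Naive parser of the kind the advisory describes: decimal digits are
 * accumulated with no range check. Accumulating in uint32_t keeps the
 * wraparound well-defined; the final conversion to int32_t gives the
 * two's-complement value, so a large input comes back negative. */
int32_t parse_category_naive(const char *s)
{
    uint32_t acc = 0;
    for (; *s >= '0' && *s <= '9'; s++)
        acc = acc * 10u + (uint32_t)(*s - '0');
    return (int32_t)acc;  /* implementation-defined; two's complement on common targets */
}

/* Weak bounds check modelled on the advisory: only the upper bound is
 * tested, and the comparison is signed, so a negative index is accepted.
 * Returns 1 when the index would be used, 0 when it is rejected. */
int weak_index_check(int32_t idx)
{
    return idx > TRACE_VECTOR_SIZE - 1 ? 0 : 1;
}

/* Hardened check: an explicit lower bound (equivalently, an unsigned
 * comparison) rejects every negative value before the vector is touched. */
int hardened_index_check(int32_t idx)
{
    return (idx < 0 || idx >= TRACE_VECTOR_SIZE) ? 0 : 1;
}

/* Hardened parser: strtol reports overflow through ERANGE instead of
 * silently wrapping, trailing garbage is refused, and the value is
 * range-checked before use. Returns 1 and stores the index on success. */
int parse_category_checked(const char *s, int32_t *out)
{
    char *end;
    long v;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0')
        return 0;
    if (v < 0 || v >= TRACE_VECTOR_SIZE)
        return 0;
    *out = (int32_t)v;
    return 1;
}

int main(void)
{
    /* Constructed sample category values: in range, a 32-bit wraparound
     * that lands on -1, and a value that also overflows 32 bits. */
    const char *inputs[] = { "5", "4294967295", "99999999999" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int32_t naive = parse_category_naive(inputs[i]);
        int32_t checked = 0;
        int ok = parse_category_checked(inputs[i], &checked);
        printf("input %-12s naive=%11d weak_check=%d hardened_check=%d checked_parse=%s\n",
               inputs[i], naive, weak_index_check(naive),
               hardened_index_check(naive), ok ? "accepted" : "rejected");
    }
    return 0;
}
```

The row for "4294967295" is the one that matters: the naive parser yields -1, the weak check lets it through, and the hardened check and checked parser both refuse it. The same pattern (bounds tested on one side only, with a signed type) is what to look for when auditing any index derived from untrusted input, and the fix is the same regardless of the program.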