Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 21 Aug 2001 17:04:52 -0700
From:      Michael Bryan <fbsd-secure@ursine.com>
To:        freebsd-security@freebsd.org
Subject:   Local Sendmail vulnerability, from BugTraq
Message-ID:  <3B82F724.A0436441@ursine.com>

next in thread | raw e-mail | index | archive | help

FYI, I would presume this affects FreeBSD boxes...

-----Original Message-----
From: Dave Ahmed [mailto:da@securityfocus.com]
Sent: Tuesday, August 21, 2001 9:04 AM
To: bugtraq@securityfocus.com
Subject: *ALERT* UPDATED BID 3163 (URGENCY 6.58): Sendmail Debugger
Arbitrary Code Execution Vulnerability (fwd)



This alert is being posted to Bugtraq as our public release of the
vulnerability discovered in Sendmail by Cade Cairns
<cairnsc@securityfocus.com>.

---------------------------------------------------------------------------
                              Security Alert

Subject:      Sendmail Debugger Arbitrary Code Execution Vulnerability
BUGTRAQ ID:   3163                   CVE ID:         CAN-2001-0653
Published:    August 17, 2001 MT     Updated:        August 20, 2001 MT

Remote:       No                     Local:          Yes
Availability: Always                 Authentication: Not Required
Credibility:  Vendor Confirmed       Ease:           No Exploit Available
Class:        Input Validation Error

Impact:   10.00          Severity: 7.50            Urgency:  6.58

Last Change:  Updated packages that rectify this issue  are  now  available
              from Sendmail.
---------------------------------------------------------------------------

Vulnerable Systems:

  Sendmail Consortium Sendmail 8.12beta7
  Sendmail Consortium Sendmail 8.12beta5
  Sendmail Consortium Sendmail 8.12beta16
  Sendmail Consortium Sendmail 8.12beta12
  Sendmail Consortium Sendmail 8.12beta10
  Sendmail Consortium Sendmail 8.11.5
  Sendmail Consortium Sendmail 8.11.4
  Sendmail Consortium Sendmail 8.11.3
  Sendmail Consortium Sendmail 8.11.2
  Sendmail Consortium Sendmail 8.11.1
  Sendmail Consortium Sendmail 8.11

Non-Vulnerable Systems:



Summary:

  Sendmail contains an input validation error, may lead to the  execution
  of arbitrary code with elevated privileges.

Impact:

  Local users may be able to write  arbitrary  data  to  process  memory,
  possibly  allowing  the  execution  of  code/commands   with   elevated
  privileges.

Technical Description:

  An input validation error exists in Sendmail's debugging functionality.

  The problem is the  result  of  the  use  of  signed  integers  in  the
  program's  tTflag()  function,  which  is  responsible  for  processing
  arguments supplied from the command  line  with  the  '-d'  switch  and
  writing the values to it's internal "trace vector."  The  vulnerability
  exists because it is possible to cause a  signed  integer  overflow  by
  supplying a large numeric value for the 'category' part of the debugger
  arguments.  The numeric value is used as an index for the trace vector.

  Before the vector is written to, a check is performed  to  ensure  that
  the supplied index value is not greater than the size  of  the  vector.
  However, because a signed integer comparison is used, it is possible to
  bypass the check by  supplying  the  signed  integer  equivalent  of  a
  negative value.  This may allow an attacker to write data  to  anywhere
  within a certain range of locations in process memory.

  Because the '-d' command-line switch is processed  before  the  program
  drops its elevated  privileges,  this  could  lead  to  a  full  system
  compromise.  This vulnerability has been successfully  exploited  in  a
  laboratory environment.

Attack Scenarios:

  An attacker with local access must determine the memory offsets of  the
  program's internal tTdvect variable and the location to which he or she
  wishes to have data written.

  The attacker must  craft  in  architecture  specific  binary  code  the
  commands (or 'shellcode') to be executed with  higher  privilege.   The
  attacker must then run the program, using the '-d' flag to overwrite  a
  function return address with the location of the supplied shellcode.

Exploits:

  Currently the SecurityFocus staff are not aware  of  any  exploits  for
  this issue. If you feel we are in error or are  aware  of  more  recent
  information,    please    mail    us    at:     vuldb@securityfocus.com
  <mailto:vuldb@securityfocus.com>.

Mitigating Strategies:

  Restrict local access to trusted users only.

Solutions:

  Below is a statement from the Sendmail Consortium regarding this issue:

  --------------------
  This vulnerability, present in sendmail open  source  versions  between
  8.11.0 and 8.11.5 has been corrected in 8.11.6.   sendmail  8.12.0.Beta
  users should upgrade to 8.12.0.Beta19.  The problem was not present  in
  8.10 or earlier versions.  However, as always, we recommend  using  the
  latest version.  Note that this problem is  not  remotely  exploitable.
  Additionally, sendmail 8.12 will no  longer  uses  a  set-user-id  root
  binary by default.
  --------------------

  Updated packages that rectify this issue are available from the vendor:

  For Sendmail Consortium Sendmail 8.11:

    Sendmail Consortium upgrade sendmail 8.11.6
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz

  For Sendmail Consortium Sendmail 8.11.1:

    Sendmail Consortium upgrade sendmail 8.11.6
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz

  For Sendmail Consortium Sendmail 8.11.2:

    Sendmail Consortium upgrade sendmail 8.11.6
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz

  For Sendmail Consortium Sendmail 8.11.3:

    Sendmail Consortium upgrade sendmail 8.11.6
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz

  For Sendmail Consortium Sendmail 8.11.4:

    Sendmail Consortium upgrade sendmail 8.11.6
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz

  For Sendmail Consortium Sendmail 8.11.5:

    Sendmail Consortium upgrade sendmail 8.11.6
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz

  For Sendmail Consortium Sendmail 8.12beta10:

    Sendmail Consortium upgrade sendmail 8.12.0 Beta19
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz

  For Sendmail Consortium Sendmail 8.12beta12:

    Sendmail Consortium upgrade sendmail 8.12.0 Beta19
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz

  For Sendmail Consortium Sendmail 8.12beta16:

    Sendmail Consortium upgrade sendmail 8.12.0 Beta19
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz

  For Sendmail Consortium Sendmail 8.12beta5:

    Sendmail Consortium upgrade sendmail 8.12.0 Beta19
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz

  For Sendmail Consortium Sendmail 8.12beta7:

    Sendmail Consortium upgrade sendmail 8.12.0 Beta19
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz

Credit:

  Discovered by Cade Cairns <cairnsc@securityfocus.com> of the Security
  Focus SIA Threat Analysis Team.

References:

  web page:
  Sendmail Homepage (Sendmail)
  http://www.sendmail.org/

ChangeLog:

  Aug 20, 2001: Updated  packages  that  rectify  this  issue   are   now
                available from Sendmail.
  Aug 20, 2001: Updated versions of Sendmail will be available  today  at
                4:00 PDT.
  Aug 09, 2001: Initial analysis.

---------------------------------------------------------------------------

HOW TO INTERPRET THIS ALERT

            BUGTRAQ ID: This  is  a  unique  identifier  assigned  to   the
                        vulnerability by SecurityFocus.com.

                CVE ID: This  is  a  unique  identifier  assigned  to   the
                        vulnerability by the CVE.

             Published: The date the vulnerability was first made public.

               Updated: The date the information was last updated.

                Remote: Whether   this   is    a    remotely    exploitable
                        vulnerability.

                 Local: Whether   this    is    a    locally    exploitable
                        vulnerability.

           Credibility: Describes how credible the  information  about  the
                        vulnerability is. Possible values are:

                        Conflicting Reports: The are  multiple  conflicting
                        about the existance of the vulnerability.

                        Single  Source:  There  is  a  single  non-reliable
                        source   reporting    the    existence    of    the
                        vulnerability.

                        Reliable Source: There is a single reliable  source
                        reporting the existence of the vulnerability.

                        Conflicting Details:  There  is  consensus  on  the
                        existence  of  the  vulnerability  but   not   it's
                        details.

                        Multiple  Sources:  There  is  consensus   on   the
                        existence and details of the vulnerability.

                        Vendor Confirmed:  The  vendor  has  confirmed  the
                        vulnerability.

                 Class: The class of vulnerability.  Possible  values  are:
                        Boundary Condition Error, Access Validation  Error,
                        Origin Validation Error,  Input  Valiadtion  Error,
                        Failure  to  Handle  Exceptional  Conditions,  Race
                        Condition  Error,  Serialization  Error,  Atomicity
                        Error, Environment Error, and Configuration Error.

                  Ease: Rates  how  easiliy  the   vulnerability   can   be
                        exploited.  Possible   values   are:   No   Exploit
                        Available,  Exploit  Available,  and   No   Exploit
                        Required.

                Impact: Rates the impact of the vulnerability.  It's  range
                        is 1 through 10.

              Severity: Rates the severity of the vulnerability. It's range
                        is 1 through 10.  It's  computed  from  the  impact
                        rating and remote flag. Remote vulnerabiliteis with
                        a  high  impact  rating  receive  a  high  severity
                        rating. Local vulnerabilities  with  a  low  impact
                        rating receive a low severity rating.

               Urgency: Rates how quickly you should take action to fix  or
                        mitigate the vulnerability. It's range is 1 through
                        10. It's computed from  the  severity  rating,  the
                        ease  rating,  and  the  credibility  rating.  High
                        severity vulnerabilities with a high  ease  rating,
                        and a high confidence rating have a higher  urgency
                        rating. Low severity  vulnerabilities  with  a  low
                        ease rating, and a low  confidence  rating  have  a
                        lower urgency rating.

           Last Change: The  last  change   made   to   the   vulnerability
                        information.

    Vulnerable Systems: The list of vulnerable systems. A '+'  preceding  a
                        system  name  indicates  that  one  of  the  system
                        components is vulnerable vulnerable.  For  example,
                        Windows 98 ships with Internet Explorer.  So  if  a
                        vulnerability is found in IE you may see  something
                        like:  Microsoft  Internet  Explorer  +   Microsoft
                        Windows 98

Non-Vulnerable Systems: The list of non-vulnerable systems.

               Summary: A concise summary of the vulnerability.

                Impact: The impact of the vulnerability.

 Technical Description: The in-depth description of the vulnerability.

      Attack Scenarios: Ways an attacker may make use of the vulnerability.

              Exploits: Exploit intructions or programs.

 Mitigating Strategies: Ways to mitigate the vulnerability.

             Solutions: Solutions to the vulnerability.

                Credit: Information about who disclosed the vulnerability.

            References: Sources of information on the vulnerability.

     Related Resources: Resources that might be of additional value.

             ChangeLog: History of changes to the vulnerability record.

---------------------------------------------------------------------------

                     Copyright 2001 SecurityFocus.com

                     https://alerts.securityfocus.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3B82F724.A0436441>