Re: Local Sendmail vulnerability, from BugTraq
From: Kris Kennaway (kris@obsecurity.org)
Date: 08/22/01
- Next message: Kris Kennaway: "Re: question about procfs advisory..."
- Previous message: Michael Bryan: "Local Sendmail vulnerability, from BugTraq"
- In reply to: Michael Bryan: "Local Sendmail vulnerability, from BugTraq"
- Next in thread: Christopher Schulte: "Re: Local Sendmail vulnerability, from BugTraq"
- Reply: Christopher Schulte: "Re: Local Sendmail vulnerability, from BugTraq"
Date: Tue, 21 Aug 2001 17:09:35 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Michael Bryan <fbsd-secure@ursine.com>
It's already been fixed in the source tree
Kris
On Tue, Aug 21, 2001 at 05:04:52PM -0700, Michael Bryan wrote:
>
> FYI, I would presume this affects FreeBSD boxes...
>
> -----Original Message-----
> From: Dave Ahmed [mailto:da@securityfocus.com]
> Sent: Tuesday, August 21, 2001 9:04 AM
> To: bugtraq@securityfocus.com
> Subject: *ALERT* UPDATED BID 3163 (URGENCY 6.58): Sendmail Debugger
> Arbitrary Code Execution Vulnerability (fwd)
>
>
>
> This alert is being posted to Bugtraq as our public release of the
> vulnerability discovered in Sendmail by Cade Cairns
> <cairnsc@securityfocus.com>.
>
> ---------------------------------------------------------------------------
> Security Alert
>
> Subject: Sendmail Debugger Arbitrary Code Execution Vulnerability
> BUGTRAQ ID: 3163 CVE ID: CAN-2001-0653
> Published: August 17, 2001 MT Updated: August 20, 2001 MT
>
> Remote: No Local: Yes
> Availability: Always Authentication: Not Required
> Credibility: Vendor Confirmed Ease: No Exploit Available
> Class: Input Validation Error
>
> Impact: 10.00 Severity: 7.50 Urgency: 6.58
>
> Last Change: Updated packages that rectify this issue are now available
> from Sendmail.
> ---------------------------------------------------------------------------
>
> Vulnerable Systems:
>
> Sendmail Consortium Sendmail 8.12beta7
> Sendmail Consortium Sendmail 8.12beta5
> Sendmail Consortium Sendmail 8.12beta16
> Sendmail Consortium Sendmail 8.12beta12
> Sendmail Consortium Sendmail 8.12beta10
> Sendmail Consortium Sendmail 8.11.5
> Sendmail Consortium Sendmail 8.11.4
> Sendmail Consortium Sendmail 8.11.3
> Sendmail Consortium Sendmail 8.11.2
> Sendmail Consortium Sendmail 8.11.1
> Sendmail Consortium Sendmail 8.11
>
> Non-Vulnerable Systems:
>
>
>
> Summary:
>
> Sendmail contains an input validation error, which may lead to the
> execution of arbitrary code with elevated privileges.
>
> Impact:
>
> Local users may be able to write arbitrary data to process memory,
> possibly allowing the execution of code/commands with elevated
> privileges.
>
> Technical Description:
>
> An input validation error exists in Sendmail's debugging functionality.
>
> The problem is the result of the use of signed integers in the
> program's tTflag() function, which is responsible for processing
> arguments supplied from the command line with the '-d' switch and
> writing the values to its internal "trace vector." The vulnerability
> exists because it is possible to cause a signed integer overflow by
> supplying a large numeric value for the 'category' part of the debugger
> arguments. The numeric value is used as an index for the trace vector.
>
> Before the vector is written to, a check is performed to ensure that
> the supplied index value is not greater than the size of the vector.
> However, because a signed integer comparison is used, it is possible to
> bypass the check by supplying the signed integer equivalent of a
> negative value. This may allow an attacker to write data to anywhere
> within a certain range of locations in process memory.
>
> Because the '-d' command-line switch is processed before the program
> drops its elevated privileges, this could lead to a full system
> compromise. This vulnerability has been successfully exploited in a
> laboratory environment.
>
> Attack Scenarios:
>
> An attacker with local access must determine the memory offsets of the
> program's internal tTdvect variable and the location to which he or she
> wishes to have data written.
>
> The attacker must craft in architecture specific binary code the
> commands (or 'shellcode') to be executed with higher privilege. The
> attacker must then run the program, using the '-d' flag to overwrite a
> function return address with the location of the supplied shellcode.
>
> Exploits:
>
> Currently the SecurityFocus staff are not aware of any exploits for
> this issue. If you feel we are in error or are aware of more recent
> information, please mail us at: vuldb@securityfocus.com
> <mailto:vuldb@securityfocus.com>.
>
> Mitigating Strategies:
>
> Restrict local access to trusted users only.
>
> Solutions:
>
> Below is a statement from the Sendmail Consortium regarding this issue:
>
> --------------------
> This vulnerability, present in sendmail open source versions between
> 8.11.0 and 8.11.5 has been corrected in 8.11.6. sendmail 8.12.0.Beta
> users should upgrade to 8.12.0.Beta19. The problem was not present in
> 8.10 or earlier versions. However, as always, we recommend using the
> latest version. Note that this problem is not remotely exploitable.
> Additionally, sendmail 8.12 will no longer use a set-user-id root
> binary by default.
> --------------------
>
> Updated packages that rectify this issue are available from the vendor:
>
> For Sendmail Consortium Sendmail 8.11:
>
> Sendmail Consortium upgrade sendmail 8.11.6
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
>
> For Sendmail Consortium Sendmail 8.11.1:
>
> Sendmail Consortium upgrade sendmail 8.11.6
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
>
> For Sendmail Consortium Sendmail 8.11.2:
>
> Sendmail Consortium upgrade sendmail 8.11.6
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
>
> For Sendmail Consortium Sendmail 8.11.3:
>
> Sendmail Consortium upgrade sendmail 8.11.6
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
>
> For Sendmail Consortium Sendmail 8.11.4:
>
> Sendmail Consortium upgrade sendmail 8.11.6
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
>
> For Sendmail Consortium Sendmail 8.11.5:
>
> Sendmail Consortium upgrade sendmail 8.11.6
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
>
> For Sendmail Consortium Sendmail 8.12beta10:
>
> Sendmail Consortium upgrade sendmail 8.12.0 Beta19
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
>
> For Sendmail Consortium Sendmail 8.12beta12:
>
> Sendmail Consortium upgrade sendmail 8.12.0 Beta19
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
>
> For Sendmail Consortium Sendmail 8.12beta16:
>
> Sendmail Consortium upgrade sendmail 8.12.0 Beta19
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
>
> For Sendmail Consortium Sendmail 8.12beta5:
>
> Sendmail Consortium upgrade sendmail 8.12.0 Beta19
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
>
> For Sendmail Consortium Sendmail 8.12beta7:
>
> Sendmail Consortium upgrade sendmail 8.12.0 Beta19
> ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
>
> Credit:
>
> Discovered by Cade Cairns <cairnsc@securityfocus.com> of the Security
> Focus SIA Threat Analysis Team.
>
> References:
>
> web page:
> Sendmail Homepage (Sendmail)
> http://www.sendmail.org/
>
> ChangeLog:
>
> Aug 20, 2001: Updated packages that rectify this issue are now
> available from Sendmail.
> Aug 20, 2001: Updated versions of Sendmail will be available today at
> 4:00 PDT.
> Aug 09, 2001: Initial analysis.
>
> ---------------------------------------------------------------------------
>
> HOW TO INTERPRET THIS ALERT
>
> BUGTRAQ ID: This is a unique identifier assigned to the
> vulnerability by SecurityFocus.com.
>
> CVE ID: This is a unique identifier assigned to the
> vulnerability by the CVE.
>
> Published: The date the vulnerability was first made public.
>
> Updated: The date the information was last updated.
>
> Remote: Whether this is a remotely exploitable
> vulnerability.
>
> Local: Whether this is a locally exploitable
> vulnerability.
>
> Credibility: Describes how credible the information about the
> vulnerability is. Possible values are:
>
> Conflicting Reports: There are multiple conflicting
> reports about the existence of the vulnerability.
>
> Single Source: There is a single non-reliable
> source reporting the existence of the
> vulnerability.
>
> Reliable Source: There is a single reliable source
> reporting the existence of the vulnerability.
>
> Conflicting Details: There is consensus on the
> existence of the vulnerability but not its
> details.
>
> Multiple Sources: There is consensus on the
> existence and details of the vulnerability.
>
> Vendor Confirmed: The vendor has confirmed the
> vulnerability.
>
> Class: The class of vulnerability. Possible values are:
> Boundary Condition Error, Access Validation Error,
> Origin Validation Error, Input Validation Error,
> Failure to Handle Exceptional Conditions, Race
> Condition Error, Serialization Error, Atomicity
> Error, Environment Error, and Configuration Error.
>
> Ease: Rates how easily the vulnerability can be
> exploited. Possible values are: No Exploit
> Available, Exploit Available, and No Exploit
> Required.
>
> Impact: Rates the impact of the vulnerability. Its range
> is 1 through 10.
>
> Severity: Rates the severity of the vulnerability. Its range
> is 1 through 10. It is computed from the impact
> rating and remote flag. Remote vulnerabilities with
> a high impact rating receive a high severity
> rating. Local vulnerabilities with a low impact
> rating receive a low severity rating.
>
> Urgency: Rates how quickly you should take action to fix or
> mitigate the vulnerability. Its range is 1 through
> 10. It is computed from the severity rating, the
> ease rating, and the credibility rating. High
> severity vulnerabilities with a high ease rating,
> and a high confidence rating have a higher urgency
> rating. Low severity vulnerabilities with a low
> ease rating, and a low confidence rating have a
> lower urgency rating.
>
> Last Change: The last change made to the vulnerability
> information.
>
> Vulnerable Systems: The list of vulnerable systems. A '+' preceding a
> system name indicates that one of the system
> components is vulnerable. For example,
> Windows 98 ships with Internet Explorer. So if a
> vulnerability is found in IE you may see something
> like: Microsoft Internet Explorer + Microsoft
> Windows 98
>
> Non-Vulnerable Systems: The list of non-vulnerable systems.
>
> Summary: A concise summary of the vulnerability.
>
> Impact: The impact of the vulnerability.
>
> Technical Description: The in-depth description of the vulnerability.
>
> Attack Scenarios: Ways an attacker may make use of the vulnerability.
>
> Exploits: Exploit instructions or programs.
>
> Mitigating Strategies: Ways to mitigate the vulnerability.
>
> Solutions: Solutions to the vulnerability.
>
> Credit: Information about who disclosed the vulnerability.
>
> References: Sources of information on the vulnerability.
>
> Related Resources: Resources that might be of additional value.
>
> ChangeLog: History of changes to the vulnerability record.
>
> ---------------------------------------------------------------------------
>
> Copyright 2001 SecurityFocus.com
>
> https://alerts.securityfocus.com/
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
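The quoted advisory describes the bug as a signed-integer bounds check on a debug category index: a large decimal value supplied to '-d' wraps to a negative int, the "index >= size" comparison fails to catch it, and the write lands before the start of the trace vector. The following C program is an added illustration of that pattern written for this archive; it is a reconstruction modelled on the advisory's description, not sendmail's own trace.c, and the vector size, function names and the level argument are assumed. The vulnerable variant reports the index that would be used without performing the out-of-bounds write; the hardened variant keeps the index unsigned end to end, detects overflow while parsing, and rejects rather than clamps.

```c
/*
 * Signed-index bounds check bypass, in the style the advisory describes
 * for sendmail's tTflag().  Illustrative reconstruction only: names,
 * sizes and the parsing details are assumptions, not sendmail's source.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TRACE_VECTOR_SIZE 100          /* assumed size of the trace vector */

static unsigned char trace_vect[TRACE_VECTOR_SIZE];

/* Naive digit accumulator: sums into an unsigned int that silently wraps
 * on overflow.  Returns the number of characters consumed. */
static size_t parse_digits(const char *s, unsigned int *out)
{
    unsigned int v = 0;
    size_t n = 0;
    while (s[n] >= '0' && s[n] <= '9') {
        v = v * 10u + (unsigned int)(s[n] - '0');
        n++;
    }
    *out = v;
    return n;
}

/* Vulnerable pattern: the unsigned accumulator is copied into a signed int
 * and the bounds check is a signed comparison.  Any value >= 2^31 becomes
 * negative on a two's-complement target, so "first >= size" is false, the
 * clamp is skipped, and the index points before the vector.  The function
 * returns 1 whenever the caller would go on to write, and stores the index
 * it would write through; the write itself is deliberately not performed. */
int vulnerable_check(const char *arg, int *index_out)
{
    unsigned int raw;
    int first;

    parse_digits(arg, &raw);
    first = (int)raw;                 /* wraps negative for raw >= 2^31 */
    if (first >= TRACE_VECTOR_SIZE)   /* signed compare: -1 >= 100 is false */
        first = TRACE_VECTOR_SIZE - 1;
    *index_out = first;
    return 1;                         /* the clamp never rejects, only clamps */
}

/* Hardened pattern: unsigned index throughout, overflow detected during
 * parsing, trailing junk rejected, and an unsigned comparison against the
 * vector size.  Performs the write and returns 1 on success, 0 on reject. */
int safe_set_trace(const char *arg, unsigned char level, size_t *index_out)
{
    size_t idx = 0;
    size_t n = 0;

    if (arg[0] == '\0')
        return 0;
    while (arg[n] >= '0' && arg[n] <= '9') {
        unsigned int d = (unsigned int)(arg[n] - '0');
        if (idx > (SIZE_MAX - d) / 10)  /* idx * 10 + d would overflow */
            return 0;
        idx = idx * 10 + d;
        n++;
    }
    if (arg[n] != '\0')               /* only a bare decimal index is accepted */
        return 0;
    if (idx >= TRACE_VECTOR_SIZE)     /* unsigned compare: no negative escape */
        return 0;
    trace_vect[idx] = level;
    *index_out = idx;
    return 1;
}

int main(void)
{
    /* Constructed sample arguments: in range, large positive, and two
     * values that wrap negative when stored in a 32-bit signed int. */
    const char *samples[] = { "3", "99999", "2147483648", "4294967295" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int sidx;
        size_t hidx;
        int vuln = vulnerable_check(samples[i], &sidx);
        int safe = safe_set_trace(samples[i], 1, &hidx);
        printf("-d%-12s vulnerable: write=%d index=%d   hardened: accepted=%d\n",
               samples[i], vuln, sidx, safe);
    }
    return 0;
}
```

The point of contrast is the last two rows: the vulnerable check accepts 2147483648 and 4294967295 with indices of INT_MIN and -1, while the hardened parser rejects them before any memory is touched.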