Vulnerability

    sendmail

Affected

    SCO OpenServer 5.0.6 upgrade from 5.0.x and 5.0.6 fresh install (sendmail 8.9.3)

Description

Following is based on a Strategic Reconnaissance Team Security Advisory (SRT2001-01).

SCO OpenServer 5.0.6 ships with a previously known buggy MMDF package. SCO Security Bulletin 2000.06 states "Recently Network Associates, Inc. issued a SECURITY ADVISORY against all versions of MMDF prior to the beta release 2.44a-B4" however SCO still released OpenServer 5.0.6 with version 2.43.3b of MMDF.

The sendmail 8.9.3 binary has poor handling of command line arguments resulting in a buffer overflow.

    /opt/K/SCO/MMDF/2.43.3b/usr/lib/sendmail `perl -e 'print "A" x 3000'`
    Memory fault - core dumped

This problem makes it possible to overwrite memory space of the running process, and potentially execute code with the inherited privileges of the mmdf subsystem.

    uid=17(mmdf) gid=22(mmdf) groups=22(mmdf)

Credit goes to Kevin Finisterre.

Solution

- chmod -s /opt/K/SCO/MMDF/2.43.3b/usr/lib/sendmail
- upgrade to a newer version of MMDF.
- Vendor was notified on 03/22/01. Vendor lab tests confirmed the issue. Patch status is unknown.
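The following is an added example, not part of the original advisory: a POSIX shell check that the "chmod -s" workaround above has actually taken effect on a given binary. The function names (has_mode_bits, suid_state, audit) and the DEFAULT_TARGET variable are assumptions made for this example; the path is the one given in the advisory.

```shell
#!/bin/sh
# Added example: verify that the advisory's "chmod -s" workaround was applied.
# DEFAULT_TARGET is the path from the advisory; pass other paths to audit().
DEFAULT_TARGET="/opt/K/SCO/MMDF/2.43.3b/usr/lib/sendmail"

# has_mode_bits PATH MASK -> exit 0 if every bit in octal MASK is set on PATH.
# find -perm is used instead of stat, whose options differ between systems.
has_mode_bits() {
    [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# suid_state PATH -> prints "missing", "clean", or the privileged bits found.
suid_state() {
    if [ ! -e "$1" ]; then
        echo "missing"
        return 0
    fi
    bits=""
    has_mode_bits "$1" 4000 && bits="setuid"
    has_mode_bits "$1" 2000 && bits="${bits:+$bits+}setgid"
    echo "${bits:-clean}"
}

# audit PATH... -> one "state<TAB>path" line per argument.
# Returns 1 if any path still carries a setuid or setgid bit.
audit() {
    rc=0
    for p in "$@"; do
        state=$(suid_state "$p")
        printf '%s\t%s\n' "$state" "$p"
        case "$state" in
            clean|missing) ;;
            *) rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage on an affected host:  audit "$DEFAULT_TARGET"
```

A non-zero return from audit means the binary can still run with the privileges of its owner or group, so the workaround has not been applied to that path.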