TUCoPS :: Unix :: General :: ciacl133.txt

Sendmail Debugger Arbitrary Code Execution Vulnerability

             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

            Sendmail Debugger Arbitrary Code Execution Vulnerability
                        [Security Focus Security Alert]

August 22, 2001 18:00 GMT                                         Number L-133
______________________________________________________________________________
PROBLEM:       Sendmail contains an input validation error. 
PLATFORM:      Sendmail Consortium Sendmail 8.11.0 - 8.11.5 Sendmail 
               Consortium Sendmail 8.12beta10 Sendmail Consortium Sendmail 
               8.12beta12 Sendmail Consortium Sendmail 8.12beta16 Sendmail 
               Consortium Sendmail 8.12beta5 Sendmail Consortium Sendmail 
               8.12beta7 
DAMAGE:        A local user could execute code and obtain elevated 
               privileges. 
SOLUTION:      If using sendmail 8.11.0 - 8.11.5 upgrade to sendmail 8.11.6. 
               If using sendmail 8.12.0Beta upgrade to 8.12.0Beta19 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM: A local attacker could gain root 
ASSESSMENT:    privileges. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/l-133.shtml 
 ORIGINAL BULLETIN:  http://www.securityfocus.com/bid/3163 
______________________________________________________________________________

[***** Start Security Focus Security Alert *****]

---------------------------------------------------------------------------
                              Security Alert

Subject      Sendmail Debugger Arbitrary Code Execution Vulnerability
BUGTRAQ ID   3163                   CVE ID         CAN-2001-0653
Published    August 17, 2001 MT     Updated        August 20, 2001 MT

Remote       No                     Local          Yes
Availability Always                 Authentication Not Required
Credibility  Vendor Confirmed       Ease           No Exploit Available
Class        Input Validation Error

Impact   10.00          Severity 7.50            Urgency  6.58

Last Change  Updated packages that rectify this issue  are  now  available
              from Sendmail.
---------------------------------------------------------------------------

Vulnerable Systems

  Sendmail Consortium Sendmail 8.12beta7
  Sendmail Consortium Sendmail 8.12beta5
  Sendmail Consortium Sendmail 8.12beta16
  Sendmail Consortium Sendmail 8.12beta12
  Sendmail Consortium Sendmail 8.12beta10
  Sendmail Consortium Sendmail 8.11.5
  Sendmail Consortium Sendmail 8.11.4
  Sendmail Consortium Sendmail 8.11.3
  Sendmail Consortium Sendmail 8.11.2
  Sendmail Consortium Sendmail 8.11.1
  Sendmail Consortium Sendmail 8.11

Non-Vulnerable Systems



Summary

  Sendmail contains an input validation error, may lead to the  execution
  of arbitrary code with elevated privileges.

Impact

  Local users may be able to write  arbitrary  data  to  process  memory,
  possibly  allowing  the  execution  of  code/commands   with   elevated
  privileges.

Technical Description

  An input validation error exists in Sendmail's debugging functionality.

  The problem is the  result  of  the  use  of  signed  integers  in  the
  program's  tTflag()  function,  which  is  responsible  for  processing
  arguments supplied from the command  line  with  the  '-d'  switch  and
  writing the values to it's internal "trace vector."  The  vulnerability
  exists because it is possible to cause a  signed  integer  overflow  by
  supplying a large numeric value for the 'category' part of the debugger
  arguments.  The numeric value is used as an index for the trace vector.

  Before the vector is written to, a check is performed  to  ensure  that
  the supplied index value is not greater than the size  of  the  vector.
  However, because a signed integer comparison is used, it is possible to
  bypass the check by  supplying  the  signed  integer  equivalent  of  a
  negative value.  This may allow an attacker to write data  to  anywhere
  within a certain range of locations in process memory.

  Because the '-d' command-line switch is processed  before  the  program
  drops its elevated  privileges,  this  could  lead  to  a  full  system
  compromise.  This vulnerability has been successfully  exploited  in  a
  laboratory environment.

Attack Scenarios

  An attacker with local access must determine the memory offsets of  the
  program's internal tTdvect variable and the location to which he or she
  wishes to have data written.

  The attacker must  craft  in  architecture  specific  binary  code  the
  commands (or 'shellcode') to be executed with  higher  privilege.   The
  attacker must then run the program, using the '-d' flag to overwrite  a
  function return address with the location of the supplied shellcode.

Exploits

  Currently the SecurityFocus staff are not aware  of  any  exploits  for
  this issue. If you feel we are in error or are  aware  of  more  recent
  information,    please    mail    us    at     vuldb@securityfocus.com
  <mailtovuldb@securityfocus.com>.

Mitigating Strategies

  Restrict local access to trusted users only.

Solutions

  Below is a statement from the Sendmail Consortium regarding this issue

  --------------------
  This vulnerability, present in sendmail open  source  versions  between
  8.11.0 and 8.11.5 has been corrected in 8.11.6.   sendmail  8.12.0.Beta
  users should upgrade to 8.12.0.Beta19.  The problem was not present  in
  8.10 or earlier versions.  However, as always, we recommend  using  the
  latest version.  Note that this problem is  not  remotely  exploitable.
  Additionally, sendmail 8.12 will no  longer  uses  a  set-user-id  root
  binary by default.
  --------------------

  Updated packages that rectify this issue are available from the vendor

  For Sendmail Consortium Sendmail 8.11

    Sendmail Consortium upgrade sendmail 8.11.6
    ftp//ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz

  For Sendmail Consortium Sendmail 8.11.1

    Sendmail Consortium upgrade sendmail 8.11.6
    ftp//ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz

  For Sendmail Consortium Sendmail 8.11.2

    Sendmail Consortium upgrade sendmail 8.11.6
    ftp//ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz

  For Sendmail Consortium Sendmail 8.11.3

    Sendmail Consortium upgrade sendmail 8.11.6
    ftp//ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz

  For Sendmail Consortium Sendmail 8.11.4

    Sendmail Consortium upgrade sendmail 8.11.6
    ftp//ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz

  For Sendmail Consortium Sendmail 8.11.5

    Sendmail Consortium upgrade sendmail 8.11.6
    ftp//ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz

  For Sendmail Consortium Sendmail 8.12beta10

    Sendmail Consortium upgrade sendmail 8.12.0 Beta19
    ftp//ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz

  For Sendmail Consortium Sendmail 8.12beta12

    Sendmail Consortium upgrade sendmail 8.12.0 Beta19
    ftp//ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz

  For Sendmail Consortium Sendmail 8.12beta16

    Sendmail Consortium upgrade sendmail 8.12.0 Beta19
    ftp//ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz

  For Sendmail Consortium Sendmail 8.12beta5

    Sendmail Consortium upgrade sendmail 8.12.0 Beta19
    ftp//ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz

  For Sendmail Consortium Sendmail 8.12beta7

    Sendmail Consortium upgrade sendmail 8.12.0 Beta19
    ftp//ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz

Credit

  Discovered by Cade Cairns <cairnsc@securityfocus.com> of the Security
  Focus SIA Threat Analysis Team.

References

  web page
  Sendmail Homepage (Sendmail)
  http//www.sendmail.org/

ChangeLog

  Aug 20, 2001 Updated  packages  that  rectify  this  issue   are   now
                available from Sendmail.
  Aug 20, 2001 Updated versions of Sendmail will be available  today  at
                400 PDT.
  Aug 09, 2001 Initial analysis.

---------------------------------------------------------------------------

HOW TO INTERPRET THIS ALERT

            BUGTRAQ ID This  is  a  unique  identifier  assigned  to   the
                        vulnerability by SecurityFocus.com.

                CVE ID This  is  a  unique  identifier  assigned  to   the
                        vulnerability by the CVE.

             Published The date the vulnerability was first made public.

               Updated The date the information was last updated.

                Remote Whether   this   is    a    remotely    exploitable
                        vulnerability.

                 Local Whether   this    is    a    locally    exploitable
                        vulnerability.

           Credibility Describes how credible the  information  about  the
                        vulnerability is. Possible values are

                        Conflicting Reports The are  multiple  conflicting
                        about the existance of the vulnerability.

                        Single  Source  There  is  a  single  non-reliable
                        source   reporting    the    existence    of    the
                        vulnerability.

                        Reliable Source There is a single reliable  source
                        reporting the existence of the vulnerability.

                        Conflicting Details  There  is  consensus  on  the
                        existence  of  the  vulnerability  but   not   it's
                        details.

                        Multiple  Sources  There  is  consensus   on   the
                        existence and details of the vulnerability.

                        Vendor Confirmed  The  vendor  has  confirmed  the
                        vulnerability.

                 Class The class of vulnerability.  Possible  values  are
                        Boundary Condition Error, Access Validation  Error,
                        Origin Validation Error,  Input  Valiadtion  Error,
                        Failure  to  Handle  Exceptional  Conditions,  Race
                        Condition  Error,  Serialization  Error,  Atomicity
                        Error, Environment Error, and Configuration Error.

                  Ease Rates  how  easiliy  the   vulnerability   can   be
                        exploited.  Possible   values   are   No   Exploit
                        Available,  Exploit  Available,  and   No   Exploit
                        Required.

                Impact Rates the impact of the vulnerability.  It's  range
                        is 1 through 10.

              Severity Rates the severity of the vulnerability. It's range
                        is 1 through 10.  It's  computed  from  the  impact
                        rating and remote flag. Remote vulnerabiliteis with
                        a  high  impact  rating  receive  a  high  severity
                        rating. Local vulnerabilities  with  a  low  impact
                        rating receive a low severity rating.

               Urgency Rates how quickly you should take action to fix  or
                        mitigate the vulnerability. It's range is 1 through
                        10. It's computed from  the  severity  rating,  the
                        ease  rating,  and  the  credibility  rating.  High
                        severity vulnerabilities with a high  ease  rating,
                        and a high confidence rating have a higher  urgency
                        rating. Low severity  vulnerabilities  with  a  low
                        ease rating, and a low  confidence  rating  have  a
                        lower urgency rating.

           Last Change The  last  change   made   to   the   vulnerability
                        information.

    Vulnerable Systems The list of vulnerable systems. A '+'  preceding  a
                        system  name  indicates  that  one  of  the  system
                        components is vulnerable vulnerable.  For  example,
                        Windows 98 ships with Internet Explorer.  So  if  a
                        vulnerability is found in IE you may see  something
                        like  Microsoft  Internet  Explorer  +   Microsoft
                        Windows 98

Non-Vulnerable Systems The list of non-vulnerable systems.

               Summary A concise summary of the vulnerability.

                Impact The impact of the vulnerability.

 Technical Description The in-depth description of the vulnerability.

      Attack Scenarios Ways an attacker may make use of the vulnerability.

              Exploits Exploit intructions or programs.

 Mitigating Strategies Ways to mitigate the vulnerability.

             Solutions Solutions to the vulnerability.

                Credit Information about who disclosed the vulnerability.

            References Sources of information on the vulnerability.

     Related Resources Resources that might be of additional value.

             ChangeLog History of changes to the vulnerability record.

---------------------------------------------------------------------------

                     Copyright 2001 SecurityFocus.com

                     https//alerts.securityfocus.com/


[***** End Security Focus Security Alert *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Security Focus for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-123: AIX libi18n Library Vulnerability
L-124: Remote Buffer Overflow in telnetd
L-125: SGI netprint Dynamic Shared Objects (DSO) Exploit
L-126: Microsoft Remote Procedure Call (RPC) Server Vulnerability
L-127: Sun BIND Vulnerabilities
L-128: MIT Kerberos 5 telnetd Buffer Overflows
L-129: Sun in.ftpd Filename Expansion Vulnerability
L-130: Multiple DoS Vulnerabilities in Cisco Broadband Operating Sy
L-131: IBM AIX telnetd Buffer Overflow
L-132: Microsoft Cumulative Patch for IIS





TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH