__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Center ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Sendmail Debugger Arbitrary Code Execution Vulnerability [Security Focus Security Alert] August 22, 2001 18:00 GMT Number L-133 ______________________________________________________________________________ PROBLEM: Sendmail contains an input validation error. PLATFORM: Sendmail Consortium Sendmail 8.11.0 - 8.11.5 Sendmail Consortium Sendmail 8.12beta10 Sendmail Consortium Sendmail 8.12beta12 Sendmail Consortium Sendmail 8.12beta16 Sendmail Consortium Sendmail 8.12beta5 Sendmail Consortium Sendmail 8.12beta7 DAMAGE: A local user could execute code and obtain elevated privileges. SOLUTION: If using sendmail 8.11.0 - 8.11.5 upgrade to sendmail 8.11.6. If using sendmail 8.12.0Beta upgrade to 8.12.0Beta19 ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM: A local attacker could gain root ASSESSMENT: privileges. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/l-133.shtml ORIGINAL BULLETIN: http://www.securityfocus.com/bid/3163 ______________________________________________________________________________ [***** Start Security Focus Security Alert *****] --------------------------------------------------------------------------- Security Alert Subject Sendmail Debugger Arbitrary Code Execution Vulnerability BUGTRAQ ID 3163 CVE ID CAN-2001-0653 Published August 17, 2001 MT Updated August 20, 2001 MT Remote No Local Yes Availability Always Authentication Not Required Credibility Vendor Confirmed Ease No Exploit Available Class Input Validation Error Impact 10.00 Severity 7.50 Urgency 6.58 Last Change Updated packages that rectify this issue are now available from Sendmail. --------------------------------------------------------------------------- Vulnerable Systems Sendmail Consortium Sendmail 8.12beta7 Sendmail Consortium Sendmail 8.12beta5 Sendmail Consortium Sendmail 8.12beta16 Sendmail Consortium Sendmail 8.12beta12 Sendmail Consortium Sendmail 8.12beta10 Sendmail Consortium Sendmail 8.11.5 Sendmail Consortium Sendmail 8.11.4 Sendmail Consortium Sendmail 8.11.3 Sendmail Consortium Sendmail 8.11.2 Sendmail Consortium Sendmail 8.11.1 Sendmail Consortium Sendmail 8.11 Non-Vulnerable Systems Summary Sendmail contains an input validation error, may lead to the execution of arbitrary code with elevated privileges. Impact Local users may be able to write arbitrary data to process memory, possibly allowing the execution of code/commands with elevated privileges. Technical Description An input validation error exists in Sendmail's debugging functionality. The problem is the result of the use of signed integers in the program's tTflag() function, which is responsible for processing arguments supplied from the command line with the '-d' switch and writing the values to it's internal "trace vector." The vulnerability exists because it is possible to cause a signed integer overflow by supplying a large numeric value for the 'category' part of the debugger arguments. The numeric value is used as an index for the trace vector. Before the vector is written to, a check is performed to ensure that the supplied index value is not greater than the size of the vector. However, because a signed integer comparison is used, it is possible to bypass the check by supplying the signed integer equivalent of a negative value. This may allow an attacker to write data to anywhere within a certain range of locations in process memory. Because the '-d' command-line switch is processed before the program drops its elevated privileges, this could lead to a full system compromise. This vulnerability has been successfully exploited in a laboratory environment. Attack Scenarios An attacker with local access must determine the memory offsets of the program's internal tTdvect variable and the location to which he or she wishes to have data written. The attacker must craft in architecture specific binary code the commands (or 'shellcode') to be executed with higher privilege. The attacker must then run the program, using the '-d' flag to overwrite a function return address with the location of the supplied shellcode. Exploits Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at vuldb@securityfocus.com . Mitigating Strategies Restrict local access to trusted users only. Solutions Below is a statement from the Sendmail Consortium regarding this issue -------------------- This vulnerability, present in sendmail open source versions between 8.11.0 and 8.11.5 has been corrected in 8.11.6. sendmail 8.12.0.Beta users should upgrade to 8.12.0.Beta19. The problem was not present in 8.10 or earlier versions. However, as always, we recommend using the latest version. Note that this problem is not remotely exploitable. Additionally, sendmail 8.12 will no longer uses a set-user-id root binary by default. -------------------- Updated packages that rectify this issue are available from the vendor For Sendmail Consortium Sendmail 8.11 Sendmail Consortium upgrade sendmail 8.11.6 ftp//ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz For Sendmail Consortium Sendmail 8.11.1 Sendmail Consortium upgrade sendmail 8.11.6 ftp//ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz For Sendmail Consortium Sendmail 8.11.2 Sendmail Consortium upgrade sendmail 8.11.6 ftp//ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz For Sendmail Consortium Sendmail 8.11.3 Sendmail Consortium upgrade sendmail 8.11.6 ftp//ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz For Sendmail Consortium Sendmail 8.11.4 Sendmail Consortium upgrade sendmail 8.11.6 ftp//ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz For Sendmail Consortium Sendmail 8.11.5 Sendmail Consortium upgrade sendmail 8.11.6 ftp//ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz For Sendmail Consortium Sendmail 8.12beta10 Sendmail Consortium upgrade sendmail 8.12.0 Beta19 ftp//ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz For Sendmail Consortium Sendmail 8.12beta12 Sendmail Consortium upgrade sendmail 8.12.0 Beta19 ftp//ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz For Sendmail Consortium Sendmail 8.12beta16 Sendmail Consortium upgrade sendmail 8.12.0 Beta19 ftp//ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz For Sendmail Consortium Sendmail 8.12beta5 Sendmail Consortium upgrade sendmail 8.12.0 Beta19 ftp//ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz For Sendmail Consortium Sendmail 8.12beta7 Sendmail Consortium upgrade sendmail 8.12.0 Beta19 ftp//ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz Credit Discovered by Cade Cairns of the Security Focus SIA Threat Analysis Team. References web page Sendmail Homepage (Sendmail) http//www.sendmail.org/ ChangeLog Aug 20, 2001 Updated packages that rectify this issue are now available from Sendmail. Aug 20, 2001 Updated versions of Sendmail will be available today at 400 PDT. Aug 09, 2001 Initial analysis. --------------------------------------------------------------------------- HOW TO INTERPRET THIS ALERT BUGTRAQ ID This is a unique identifier assigned to the vulnerability by SecurityFocus.com. CVE ID This is a unique identifier assigned to the vulnerability by the CVE. Published The date the vulnerability was first made public. Updated The date the information was last updated. Remote Whether this is a remotely exploitable vulnerability. Local Whether this is a locally exploitable vulnerability. Credibility Describes how credible the information about the vulnerability is. Possible values are Conflicting Reports The are multiple conflicting about the existance of the vulnerability. Single Source There is a single non-reliable source reporting the existence of the vulnerability. Reliable Source There is a single reliable source reporting the existence of the vulnerability. Conflicting Details There is consensus on the existence of the vulnerability but not it's details. Multiple Sources There is consensus on the existence and details of the vulnerability. Vendor Confirmed The vendor has confirmed the vulnerability. Class The class of vulnerability. Possible values are Boundary Condition Error, Access Validation Error, Origin Validation Error, Input Valiadtion Error, Failure to Handle Exceptional Conditions, Race Condition Error, Serialization Error, Atomicity Error, Environment Error, and Configuration Error. Ease Rates how easiliy the vulnerability can be exploited. Possible values are No Exploit Available, Exploit Available, and No Exploit Required. Impact Rates the impact of the vulnerability. It's range is 1 through 10. Severity Rates the severity of the vulnerability. It's range is 1 through 10. It's computed from the impact rating and remote flag. Remote vulnerabiliteis with a high impact rating receive a high severity rating. Local vulnerabilities with a low impact rating receive a low severity rating. Urgency Rates how quickly you should take action to fix or mitigate the vulnerability. It's range is 1 through 10. It's computed from the severity rating, the ease rating, and the credibility rating. High severity vulnerabilities with a high ease rating, and a high confidence rating have a higher urgency rating. Low severity vulnerabilities with a low ease rating, and a low confidence rating have a lower urgency rating. Last Change The last change made to the vulnerability information. Vulnerable Systems The list of vulnerable systems. A '+' preceding a system name indicates that one of the system components is vulnerable vulnerable. For example, Windows 98 ships with Internet Explorer. So if a vulnerability is found in IE you may see something like Microsoft Internet Explorer + Microsoft Windows 98 Non-Vulnerable Systems The list of non-vulnerable systems. Summary A concise summary of the vulnerability. Impact The impact of the vulnerability. Technical Description The in-depth description of the vulnerability. Attack Scenarios Ways an attacker may make use of the vulnerability. Exploits Exploit intructions or programs. Mitigating Strategies Ways to mitigate the vulnerability. Solutions Solutions to the vulnerability. Credit Information about who disclosed the vulnerability. References Sources of information on the vulnerability. Related Resources Resources that might be of additional value. ChangeLog History of changes to the vulnerability record. --------------------------------------------------------------------------- Copyright 2001 SecurityFocus.com https//alerts.securityfocus.com/ [***** End Security Focus Security Alert *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Security Focus for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Center, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) L-123: AIX libi18n Library Vulnerability L-124: Remote Buffer Overflow in telnetd L-125: SGI netprint Dynamic Shared Objects (DSO) Exploit L-126: Microsoft Remote Procedure Call (RPC) Server Vulnerability L-127: Sun BIND Vulnerabilities L-128: MIT Kerberos 5 telnetd Buffer Overflows L-129: Sun in.ftpd Filename Expansion Vulnerability L-130: Multiple DoS Vulnerabilities in Cisco Broadband Operating Sy L-131: IBM AIX telnetd Buffer Overflow L-132: Microsoft Cumulative Patch for IIS