-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
CERT(sm) Advisory CA-95:11
Original issue date: September 19, 1995
Last revised: September 21, 1996

This advisory is superseded by CA-96.20.
A complete revision history is at the end of this file.

Topic: Sun Sendmail -oR Vulnerability
- -----------------------------------------------------------------------------

                       *** SUPERSEDED BY CA-96.20 ***

The CERT Coordination Center has received reports of problems with the -oR
option in sendmail. The problem is present in the version of sendmail that
Sun Microsystems, Inc. ships with SunOS 4.1.X, and it remains present after
patches 100377-19 (for SunOS 4.1.3), 101665-04 (for SunOS 4.1.3_U1), and
102423-01 (for SunOS 4.1.4) have been applied.

***This vulnerability is widely known and is currently being actively
exploited by intruders.***

The CERT staff recommends installing the appropriate patches as soon as they
are available from Sun Microsystems. Alternatives are installing a wrapper or
installing sendmail version 8.6.12; see Section III for details. (Although
sendmail 8.7 recently became available, we have not yet reviewed it.)

We will update this advisory as we receive additional information. Please
check advisory files regularly for updates that relate to your site.

- -----------------------------------------------------------------------------

I.   Description

     There is a problem with the way that the Sun Microsystems, Inc. version
     of sendmail processes the -oR option. This problem has been verified in
     the sendmail that ships with SunOS 4.1.X, and it is still present in the
     sendmail delivered by patches 100377-19 (for SunOS 4.1.3), 101665-04
     (for SunOS 4.1.3_U1), and 102423-01 (for SunOS 4.1.4).

     The -oR option specifies the host, called the mail hub, to which mail
     should be forwarded when a user on a client of that hub receives mail.
     This host can be identified on the command line with the -oR option, as
     -oRhost_name; in the configuration file, as ORhost_name; or implicitly,
     by NFS mounting the /var/spool/mail directory from a file server
     (probably the mail hub), in which case the host name of that file server
     is used as the forwarding host identified as host_name above. All three
     configurations are vulnerable.

II.  Impact

     By exploiting this vulnerability, local users may be able to gain
     unauthorized root access and subsequently read any file on the system,
     overwrite or destroy files, or run programs on the system. Remote users
     cannot exploit this vulnerability.

III. Solutions

     A. Install a patch from Sun Microsystems.

        Check with your local SunService and SunSoft Support Services
        organizations or SunSolve Online at the URL

                http://sunsolve1.sun.com

     B. Install the sendmail wrapper available from

                ftp://info.cert.org/pub/tools/sendmail/sendmail_wrapper
                ftp://ftp.cs.berkeley.edu/pub/sendmail/sendmail_wrapper.c
                ftp://ftp.auscert.org.au:/pub/auscert/tools/sendmail_wrapper.c

                MD5 = f4049cc56075ddb142f5bd70a53ba341

        If you already have this wrapper and are running any version prior to
        version 1.6, you should immediately upgrade. Details can be found in
        section 3.1 of AUSCERT advisory AA-95.09b, available from

                ftp://ftp.auscert.org.au/pub/auscert/auscert-advisory

     C. An alternative to using the patch or wrapper is to install the latest
        version of sendmail (as of the issue date of this advisory, it was
        version 8.6.12) and the sendmail restricted shell program ("smrsh").

        1. Install sendmail 8.6.12 or later.
           Information on latest versions is available from

                ftp://info.cert.org/pub/latest_sw_versions/

           Sendmail is available by anonymous FTP from

                ftp://ftp.cs.berkeley.edu/ucb/sendmail/
                ftp://info.cert.org/pub/tools/sendmail/
                ftp://ftp.auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu/ucb/sendmail/
                ftp://ftp.cert.dfn.de/pub/tools/net/sendmail/

           Checksums for 8.6.12

                MD5 (sendmail.8.6.12.base.tar.Z) = 31591dfb0dacbe0a7e06147747a6ccea
                MD5 (sendmail.8.6.12.cf.tar.Z)   = c60becd7628fad715df8f7e13dcf3cc6
                MD5 (sendmail.8.6.12.misc.tar.Z) = 6212390ca0bb4b353e29521f1aab492f
                MD5 (sendmail.8.6.12.patch)      = 10961687c087ef30920b13185eef41e8
                MD5 (sendmail.8.6.12.xdoc.tar.Z) = 8b2252943f365f303b6302b71ef9a841

           A note on configuration: Depending upon the currently installed
           sendmail program, switching to a different sendmail may require
           significant effort, such as rewriting the sendmail.cf file. We
           strongly recommend that if you change to sendmail 8.6.12, you also
           change to the configuration files that are provided with that
           version.

           In addition, a paper is available to help you convert your
           sendmail configuration files from Sun's version of sendmail to one
           that works with version 8.6.12: "Converting Standard Sun Config
           Files to Sendmail Version 8" by Rick McCarty of Texas Instruments
           Inc. This paper is included in the sendmail.8.6.12.misc.tar.Z file
           and is located in contrib/converting.sun.configs.

        2. Install the sendmail restricted shell program.

           To restrict the sendmail program mailer facility, install the
           sendmail restricted shell program (smrsh) by Eric Allman (the
           original author of sendmail), following the directions included
           with the program.
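           A note on checking your exposure and your downloads: the script
           below is an added example written for this page, not code from
           CERT, AUSCERT, Sun or the sendmail distribution. It (a) reports
           whether a host is in any of the three configurations Section I
           describes, by looking for -oRhost_name in a saved process listing,
           ORhost_name in sendmail.cf, and an NFS mount of /var/spool/mail in
           a saved mount table or /etc/fstab, and (b) checks downloaded
           8.6.12 files against the MD5 checksums listed above. The function
           names, the use of saved text files as input, and the process
           listing and mount table formats it parses are assumptions; the
           advisory itself only gives the option syntax and the checksums.

```shell
#!/bin/sh
# Added example (not CERT's, AUSCERT's or Sun's code) for CA-95:11.
#
#  or_exposure          - report whether this host forwards through a mail hub
#                         in any of the three ways Section I describes
#                         (-oRhost_name on the command line, ORhost_name in
#                         sendmail.cf, or /var/spool/mail mounted over NFS).
#  verify_sendmail_8612 - compare downloaded 8.6.12 files against the MD5
#                         checksums published in Section III.C.1.
#
# Assumptions: inputs are plain text files (a saved process listing and a
# saved mount table or /etc/fstab) so the checks can be run against copies
# taken from the SunOS 4.1.x host; mount-table parsing only relies on the
# word "nfs" and a "host:/path" field appearing on the /var/spool/mail line.

# Print the host named by an ORhost_name line in a sendmail.cf (first match).
cf_forwarding_host() {       # usage: cf_forwarding_host /etc/sendmail.cf
    sed -n 's/^OR\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# Print the host given as -oRhost_name on a running sendmail's command line.
cmdline_forwarding_host() {  # usage: cmdline_forwarding_host <saved ps listing>
    sed -n '/sendmail/s/.*-oR\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# Print the NFS server that /var/spool/mail is mounted from, if any.
# Accepts either mount(8) output ("src on /mnt type nfs ...") or fstab lines.
nfs_mail_server() {          # usage: nfs_mail_server <saved mount output or /etc/fstab>
    awk '$0 ~ /nfs/ {
            src = ""; mp = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "/var/spool/mail") mp = 1
                if ($i ~ "^[^:/]+:/") src = $i
            }
            if (mp && src != "") { sub(/:.*/, "", src); print src; exit }
         }' "$1"
}

# Exit 0 and print what was found if any of the three configurations is in
# use; exit 1 if none is (the host then does not forward through a hub).
or_exposure() {              # usage: or_exposure <sendmail.cf> <ps listing> <mount table>
    found=1
    h=$(cmdline_forwarding_host "$2"); [ -n "$h" ] && { echo "command line: -oR$h"; found=0; }
    h=$(cf_forwarding_host "$1");      [ -n "$h" ] && { echo "sendmail.cf: OR$h";  found=0; }
    h=$(nfs_mail_server "$3");         [ -n "$h" ] && { echo "/var/spool/mail NFS-mounted from $h"; found=0; }
    return $found
}

# MD5 of a file using whichever digest tool the host has; prints nothing if none.
md5_of() {                   # usage: md5_of <file>
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then md5 -q "$1"
    elif command -v openssl >/dev/null 2>&1; then openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

verify_md5() {               # usage: verify_md5 <file> <expected digest>; 0 on match
    [ "$(md5_of "$1")" = "$2" ]
}

# Check the five sendmail 8.6.12 files against the advisory's checksums.
# Prints one line per file; returns 1 if any is missing or does not match.
verify_sendmail_8612() {     # usage: verify_sendmail_8612 <download directory>
    rc=0
    while read -r name sum; do
        if [ ! -f "$1/$name" ]; then
            echo "missing  $name"; rc=1
        elif verify_md5 "$1/$name" "$sum"; then
            echo "ok       $name"
        else
            echo "MISMATCH $name (do not unpack it)"; rc=1
        fi
    done <<EOF
sendmail.8.6.12.base.tar.Z 31591dfb0dacbe0a7e06147747a6ccea
sendmail.8.6.12.cf.tar.Z c60becd7628fad715df8f7e13dcf3cc6
sendmail.8.6.12.misc.tar.Z 6212390ca0bb4b353e29521f1aab492f
sendmail.8.6.12.patch 10961687c087ef30920b13185eef41e8
sendmail.8.6.12.xdoc.tar.Z 8b2252943f365f303b6302b71ef9a841
EOF
    return $rc
}

# Live usage on the host being checked (assumption: these commands show the
# full argument list and the mount table on the system in question):
#   ps -auxww > /tmp/ps.out; mount > /tmp/mount.out
#   or_exposure /etc/sendmail.cf /tmp/ps.out /tmp/mount.out && echo "hub forwarding in use"
#   verify_sendmail_8612 /usr/local/src
```

           A clean result from or_exposure only means that hub forwarding is
           not configured on that host; it says nothing about whether the
           installed sendmail binary is fixed, so one of the remedies in
           Section III should still be applied. verify_md5 can be used in the
           same way on the wrapper and smrsh files with the checksums given
           for them in this advisory; a match shows that the download is the
           file the checksum was computed over, and the checksums themselves
           are trustworthy only to the extent that this signed advisory is.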
           Copies of this program may be obtained from

                ftp://info.cert.org/pub/tools/smrsh
                ftp://ftp.uu.net/pub/security/smrsh

           The checksums are

                MD5 (README)  = fc4cf266288511099e44b664806a5594
                MD5 (smrsh.8) = 35aeefba9714f251a3610c7b1714e355
                MD5 (smrsh.c) = d4822ce7c273fc8b93c68e39ec67739c

- ---------------------------------------------------------------------------
The CERT Coordination Center thanks AUSCERT for providing the sendmail
wrapper.
- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (FIRST).

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise that the email be encrypted.
The CERT Coordination Center can support a shared DES key, PGP (public key
available via anonymous FTP on info.cert.org), or PEM (contact CERT staff
for details).

Internet email: cert@cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
           and are on call for emergencies during other hours.
Fax: +1 412-268-6989

Postal address: CERT Coordination Center
                Software Engineering Institute
                Carnegie Mellon University
                Pittsburgh, PA 15213-3890
                USA

CERT advisories and bulletins are posted on the USENET newsgroup
comp.security.announce. If you would like to have future advisories and
bulletins mailed to you or to a mail exploder at your site, please send mail
to cert-advisory-request@cert.org.

Past CERT publications, information about FIRST representatives, and other
information related to computer security are available for anonymous FTP
from info.cert.org.

Copyright 1995, 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is
included.
CERT is a service mark of Carnegie Mellon University.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Revision history

Sep. 21, 1996  Superseded by CA-96.20.
Aug. 30, 1996  Information previously in the README was inserted into the
               advisory.
Sep. 25, 1995  Sec. III.B - added note to upgrade if a site is using the
               sendmail wrapper prior to version 1.6. Updated pointers and
               checksum.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOBS+D1r9kb5qlZHQEQL5wwCeK1a8qFEpzk4wUfS71O19A9CHECAAoIn4
toPH8b1E1VOS2NQZLfzw7R6d
=590+
-----END PGP SIGNATURE-----