*ALERT* UPDATED BID 3163 (URGENCY 6.58): Sendmail Debugger Arbitrary Code Execution Vulnerability (fwd)

From: Dave Ahmed (daat_private)
Date: Tue Aug 21 2001 - 09:04:08 PDT


    This alert is being posted to Bugtraq as our public release of the
    vulnerability discovered in Sendmail by Cade Cairns <cairnscat_private>.
    
    ---------------------------------------------------------------------------
                                  Security Alert
    
    Subject:      Sendmail Debugger Arbitrary Code Execution Vulnerability
    BUGTRAQ ID:   3163                   CVE ID:         CAN-2001-0653
    Published:    August 17, 2001 MT     Updated:        August 20, 2001 MT
    
    Remote:       No                     Local:          Yes
    Availability: Always                 Authentication: Not Required
    Credibility:  Vendor Confirmed       Ease:           No Exploit Available
    Class:        Input Validation Error
    
    Impact:   10.00          Severity: 7.50            Urgency:  6.58
    
    Last Change:  Updated packages that rectify this issue are now available
                  from Sendmail.
    ---------------------------------------------------------------------------
    
    Vulnerable Systems:
    
      Sendmail Consortium Sendmail 8.12beta7
      Sendmail Consortium Sendmail 8.12beta5
      Sendmail Consortium Sendmail 8.12beta16
      Sendmail Consortium Sendmail 8.12beta12
      Sendmail Consortium Sendmail 8.12beta10
      Sendmail Consortium Sendmail 8.11.5
      Sendmail Consortium Sendmail 8.11.4
      Sendmail Consortium Sendmail 8.11.3
      Sendmail Consortium Sendmail 8.11.2
      Sendmail Consortium Sendmail 8.11.1
      Sendmail Consortium Sendmail 8.11
    
    Non-Vulnerable Systems:
    
    
    
    Summary:
    
      Sendmail contains an input validation error that may lead to the
      execution of arbitrary code with elevated privileges.
    
    Impact:
    
      Local users may be able to write arbitrary data to process memory,
      possibly allowing the execution of code/commands with elevated
      privileges.
    
    Technical Description:
    
      An input validation error exists in Sendmail's debugging functionality.
    
      The problem is the result of the use of signed integers in the
      program's tTflag() function, which is responsible for processing
      arguments supplied from the command line with the '-d' switch and
      writing the values to its internal "trace vector." The vulnerability
      exists because it is possible to cause a signed integer overflow by
      supplying a large numeric value for the 'category' part of the debugger
      arguments. The numeric value is used as an index into the trace vector.

      Before the vector is written to, a check is performed to ensure that
      the supplied index value is not greater than the size of the vector.
      However, because a signed integer comparison is used, it is possible to
      bypass the check by supplying the signed integer equivalent of a
      negative value. This may allow an attacker to write data anywhere
      within a certain range of locations in process memory.

      Because the '-d' command-line switch is processed before the program
      drops its elevated privileges, this could lead to a full system
      compromise. This vulnerability has been successfully exploited in a
      laboratory environment.
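      To make the signed-comparison bypass concrete, here is an added C example
      that is not sendmail's code: the vector size, the function names and the
      single-number 'category' format are assumptions. It places a check of the
      shape described above beside a hardened version that parses the category
      as an unsigned value and rejects anything that does not fall inside the
      vector.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Assumed trace vector; sendmail's real tTdvect layout is not modelled. */
#define TRACE_VECTOR_SIZE 100
static unsigned char trace_vector[TRACE_VECTOR_SIZE];

/* Weak check of the shape the advisory describes: the category is held in a
 * signed int and only the upper bound is tested. A value such as 4294967295
 * wraps to -1, so "idx > size" is false and the check is bypassed. */
bool weak_index_accepted(const char *category)
{
    int idx = (int)strtoul(category, NULL, 10);  /* wraps negative for big values */
    if (idx > TRACE_VECTOR_SIZE)                 /* signed compare: -1 > 100 is false */
        return false;
    return true;  /* a caller would now do trace_vector[idx] = level (out of bounds) */
}

/* Hardened: parse as unsigned with full error checking, refuse a leading '-'
 * (strtoul silently negates it), and require idx < size rather than idx <= size.
 * Returns the index, or -1 if the category must be rejected. */
long safe_trace_index(const char *category)
{
    char *end;
    unsigned long v;

    if (strchr(category, '-') != NULL)
        return -1;                       /* negative values are never valid */
    errno = 0;
    v = strtoul(category, &end, 10);
    if (end == category || *end != '\0' || errno == ERANGE)
        return -1;                       /* empty, trailing junk or overflow */
    if (v >= TRACE_VECTOR_SIZE)
        return -1;                       /* index outside the vector */
    return (long)v;
}

/* Write a trace level only through the hardened index check. */
bool safe_trace_set(const char *category, unsigned char level)
{
    long idx = safe_trace_index(category);
    if (idx < 0)
        return false;
    trace_vector[idx] = level;
    return true;
}
```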
    
    Attack Scenarios:
    
      An attacker with local access must determine the memory offsets of the
      program's internal tTdvect variable and the location to which he or she
      wishes to have data written.

      The attacker must craft in architecture specific binary code the
      commands (or 'shellcode') to be executed with higher privilege. The
      attacker must then run the program, using the '-d' flag to overwrite a
      function return address with the location of the supplied shellcode.
    
    Exploits:
    
      Currently the SecurityFocus staff are not aware of any exploits for
      this issue. If you feel we are in error or are aware of more recent
      information, please mail us at: vuldbat_private
      <mailto:vuldbat_private>.
    
    Mitigating Strategies:
    
      Restrict local access to trusted users only.
    
    Solutions:
    
      Below is a statement from the Sendmail Consortium regarding this issue:
    
      --------------------
      This vulnerability, present in sendmail open source versions between
      8.11.0 and 8.11.5, has been corrected in 8.11.6. sendmail 8.12.0.Beta
      users should upgrade to 8.12.0.Beta19. The problem was not present in
      8.10 or earlier versions. However, as always, we recommend using the
      latest version. Note that this problem is not remotely exploitable.
      Additionally, sendmail 8.12 will no longer use a set-user-id root
      binary by default.
      --------------------
    
      Updated packages that rectify this issue are available from the vendor:
    
      For Sendmail Consortium Sendmail 8.11, 8.11.1, 8.11.2, 8.11.3, 8.11.4
      and 8.11.5:

        Sendmail Consortium upgrade sendmail 8.11.6
        ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz

      For Sendmail Consortium Sendmail 8.12beta5, 8.12beta7, 8.12beta10,
      8.12beta12 and 8.12beta16:

        Sendmail Consortium upgrade sendmail 8.12.0 Beta19
        ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
    
    Credit:
    
      Discovered by Cade Cairns <cairnscat_private> of the SecurityFocus
      SIA Threat Analysis Team.
    
    References:
    
      web page:
      Sendmail Homepage (Sendmail)
      http://www.sendmail.org/
    
    ChangeLog:
    
      Aug 20, 2001: Updated packages that rectify this issue are now
                    available from Sendmail.
      Aug 20, 2001: Updated versions of Sendmail will be available today at
                    4:00 PDT.
      Aug 09, 2001: Initial analysis.
    
    ---------------------------------------------------------------------------
    
    HOW TO INTERPRET THIS ALERT
    
                BUGTRAQ ID: This is a unique identifier assigned to the
                            vulnerability by SecurityFocus.com.

                    CVE ID: This is a unique identifier assigned to the
                            vulnerability by the CVE.

                 Published: The date the vulnerability was first made public.

                   Updated: The date the information was last updated.

                    Remote: Whether this is a remotely exploitable
                            vulnerability.

                     Local: Whether this is a locally exploitable
                            vulnerability.

               Credibility: Describes how credible the information about the
                            vulnerability is. Possible values are:

                            Conflicting Reports: There are multiple conflicting
                            reports about the existence of the vulnerability.

                            Single Source: There is a single non-reliable source
                            reporting the existence of the vulnerability.

                            Reliable Source: There is a single reliable source
                            reporting the existence of the vulnerability.

                            Conflicting Details: There is consensus on the
                            existence of the vulnerability but not its details.

                            Multiple Sources: There is consensus on the
                            existence and details of the vulnerability.

                            Vendor Confirmed: The vendor has confirmed the
                            vulnerability.

                     Class: The class of vulnerability. Possible values are:
                            Boundary Condition Error, Access Validation Error,
                            Origin Validation Error, Input Validation Error,
                            Failure to Handle Exceptional Conditions, Race
                            Condition Error, Serialization Error, Atomicity
                            Error, Environment Error, and Configuration Error.

                      Ease: Rates how easily the vulnerability can be
                            exploited. Possible values are: No Exploit
                            Available, Exploit Available, and No Exploit
                            Required.

                    Impact: Rates the impact of the vulnerability. Its range
                            is 1 through 10.

                  Severity: Rates the severity of the vulnerability. Its range
                            is 1 through 10. It is computed from the impact
                            rating and remote flag. Remote vulnerabilities with
                            a high impact rating receive a high severity
                            rating. Local vulnerabilities with a low impact
                            rating receive a low severity rating.

                   Urgency: Rates how quickly you should take action to fix or
                            mitigate the vulnerability. Its range is 1 through
                            10. It is computed from the severity rating, the
                            ease rating, and the credibility rating. High
                            severity vulnerabilities with a high ease rating
                            and a high confidence rating have a higher urgency
                            rating. Low severity vulnerabilities with a low
                            ease rating and a low confidence rating have a
                            lower urgency rating.

               Last Change: The last change made to the vulnerability
                            information.

        Vulnerable Systems: The list of vulnerable systems. A '+' preceding a
                            system name indicates that one of the system
                            components is vulnerable. For example, Windows 98
                            ships with Internet Explorer, so if a vulnerability
                            is found in IE you may see something like:
                            Microsoft Internet Explorer + Microsoft Windows 98.

    Non-Vulnerable Systems: The list of non-vulnerable systems.

                   Summary: A concise summary of the vulnerability.

                    Impact: The impact of the vulnerability.

     Technical Description: The in-depth description of the vulnerability.

          Attack Scenarios: Ways an attacker may make use of the vulnerability.

                  Exploits: Exploit instructions or programs.

     Mitigating Strategies: Ways to mitigate the vulnerability.

                 Solutions: Solutions to the vulnerability.

                    Credit: Information about who disclosed the vulnerability.

                References: Sources of information on the vulnerability.

         Related Resources: Resources that might be of additional value.

                 ChangeLog: History of changes to the vulnerability record.
    
    ---------------------------------------------------------------------------
    
                         Copyright 2001 SecurityFocus.com
    
                         https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Tue Aug 21 2001 - 09:10:08 PDT