Security Update: [CSSA-2002-052.0] Linux: sendmail smrsh bypass vulnerabilities

From: securityat_private
Date: Thu Nov 21 2002 - 15:35:43 PST


    To: bugtraqat_private announceat_private security-alertsat_private full-disclosureat_private
    
    ______________________________________________________________________________
    
    			SCO Security Advisory
    
    Subject:		Linux: sendmail smrsh bypass vulnerabilities 
    Advisory number: 	CSSA-2002-052.0
    Issue date: 		2002 November 21
    Cross reference:
    ______________________________________________________________________________
    
    
    1. Problem Description
    
    	From the iDEFENSE Security Advisory 10.01.02:
    
    	It is possible for an attacker to bypass the restrictions
    	imposed by The Sendmail Consortium's Restricted Shell (SMRSH)
    	and execute a binary of his choosing by inserting a special
    	character sequence into his .forward file. SMRSH is an
    	application intended as a replacement for sh for use in
    	Sendmail.
    
    
    2. Vulnerable Supported Versions
    
    	System				Package
    	----------------------------------------------------------------------
    
    	OpenLinux 3.1.1 Server		prior to sendmail-8.11.6-11.i386.rpm
    					prior to sendmail-cf-8.11.6-11.i386.rpm
    					prior to sendmail-doc-8.11.6-11.i386.rpm
    
    	OpenLinux 3.1.1 Workstation	prior to sendmail-8.11.6-11.i386.rpm
    					prior to sendmail-cf-8.11.6-11.i386.rpm
    					prior to sendmail-doc-8.11.6-11.i386.rpm
    
    	OpenLinux 3.1 Server		prior to sendmail-8.11.6-11.i386.rpm
    					prior to sendmail-cf-8.11.6-11.i386.rpm
    					prior to sendmail-doc-8.11.6-11.i386.rpm
    
    	OpenLinux 3.1 Workstation	prior to sendmail-8.11.6-11.i386.rpm
    					prior to sendmail-cf-8.11.6-11.i386.rpm
    					prior to sendmail-doc-8.11.6-11.i386.rpm
    
    
    3. Solution
    
    	The proper solution is to install the latest packages. Many
    	customers find it easier to use the Caldera System Updater, called
    	cupdate (or kcupdate under the KDE environment), to update these
    	packages rather than downloading and installing them by hand.
    
    
    4. OpenLinux 3.1.1 Server
    
    	4.1 Package Location
    
    	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-052.0/RPMS
    
    	4.2 Packages
    
    	801885a99b80d0efed1356ecad6768be	sendmail-8.11.6-11.i386.rpm
    	fdc3ec861fb77a8d5efd80c711c77dfe	sendmail-cf-8.11.6-11.i386.rpm
    	d33bbd8db1d0347a5b03487b2c4e01c8	sendmail-doc-8.11.6-11.i386.rpm
    
    	4.3 Installation
    
    	rpm -Fvh sendmail-8.11.6-11.i386.rpm
    	rpm -Fvh sendmail-cf-8.11.6-11.i386.rpm
    	rpm -Fvh sendmail-doc-8.11.6-11.i386.rpm
    
    	4.4 Source Package Location
    
    	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-052.0/SRPMS
    
    	4.5 Source Packages
    
    	17e678b9e82b3ea5e06b036efec4f4ad	sendmail-8.11.6-11.src.rpm
    
    
    5. OpenLinux 3.1.1 Workstation
    
    	5.1 Package Location
    
    	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-052.0/RPMS
    
    	5.2 Packages
    
    	b27b55dc5bd43eaad0436859ec7550c3	sendmail-8.11.6-11.i386.rpm
    	ecf5c724d092d9d3a6b97f5634325cb5	sendmail-cf-8.11.6-11.i386.rpm
    	2c4f99b24b5807d3e4a15b144a7660fa	sendmail-doc-8.11.6-11.i386.rpm
    
    	5.3 Installation
    
    	rpm -Fvh sendmail-8.11.6-11.i386.rpm
    	rpm -Fvh sendmail-cf-8.11.6-11.i386.rpm
    	rpm -Fvh sendmail-doc-8.11.6-11.i386.rpm
    
    	5.4 Source Package Location
    
    	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-052.0/SRPMS
    
    	5.5 Source Packages
    
    	c9f0ecff09724880e8a01bbce9cf0364	sendmail-8.11.6-11.src.rpm
    
    
    6. OpenLinux 3.1 Server
    
    	6.1 Package Location
    
    	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-052.0/RPMS
    
    	6.2 Packages
    
    	9e2dd5db944ef26a1655c61946861449	sendmail-8.11.6-11.i386.rpm
    	75e3ace99d3b19a81bf5464768788ba0	sendmail-cf-8.11.6-11.i386.rpm
    	8872f76c94f6f23b7aad009053592cbf	sendmail-doc-8.11.6-11.i386.rpm
    
    	6.3 Installation
    
    	rpm -Fvh sendmail-8.11.6-11.i386.rpm
    	rpm -Fvh sendmail-cf-8.11.6-11.i386.rpm
    	rpm -Fvh sendmail-doc-8.11.6-11.i386.rpm
    
    	6.4 Source Package Location
    
    	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-052.0/SRPMS
    
    	6.5 Source Packages
    
    	146c778258b59082f0ee0ba235bfbc7b	sendmail-8.11.6-11.src.rpm
    
    
    7. OpenLinux 3.1 Workstation
    
    	7.1 Package Location
    
    	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-052.0/RPMS
    
    	7.2 Packages
    
    	d267d43ae1a996598d5d4b605ff6ae49	sendmail-8.11.6-11.i386.rpm
    	a4dfa76da9d2bb9e6bc5ec96b82a0e02	sendmail-cf-8.11.6-11.i386.rpm
    	860b4aa74905e1d9093fb0d121f77dc8	sendmail-doc-8.11.6-11.i386.rpm
    
    	7.3 Installation
    
    	rpm -Fvh sendmail-8.11.6-11.i386.rpm
    	rpm -Fvh sendmail-cf-8.11.6-11.i386.rpm
    	rpm -Fvh sendmail-doc-8.11.6-11.i386.rpm
    
    	7.4 Source Package Location
    
    	ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-052.0/SRPMS
    
    	7.5 Source Packages
    
    	0dcc6753c98c6b618297dc5c03c22932	sendmail-8.11.6-11.src.rpm
    
    
    8. References
    
    	Specific references for this advisory:
    
    		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1165
    
    	SCO security resources:
    
    		http://www.sco.com/support/security/index.html
    
    	This security fix closes SCO incidents sr869922, fz526234,
    	erg712134.
    
    
    9. Disclaimer
    
    	SCO is not responsible for the misuse of any of the information
    	we provide on this website and/or through our security
    	advisories. Our advisories are a service to our customers intended
    	to promote secure installation and use of SCO products.
    
    
    10. Acknowledgements
    
    	zen-parse (zen-parseat_private) and Pedram Amini
    	(paminiat_private) discovered and researched these
    	vulnerabilities.
    
    ______________________________________________________________________________
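Added example, not part of the SCO advisory: a pre-install check that compares downloaded packages against the MD5 values from a "Packages" section before `rpm -Fvh` is run. The function name `verify_advisory_pkgs` and the manifest file (the advisory's checksum lines saved as-is) are assumptions of this example.

```shell
#!/bin/sh
# verify_advisory_pkgs MANIFEST DIR   (hypothetical helper, not SCO tooling)
# MANIFEST holds lines in the advisory's "Packages" layout:
#     <32-hex MD5><tabs or spaces><package file name>
# Returns 0 only if every listed file is present in DIR and its MD5 matches.
verify_advisory_pkgs() {
    manifest=$1
    dir=$2
    rc=0
    seen=0
    # "read" strips the leading tab the advisory uses for indentation.
    while read -r want name _ || [ -n "$want" ]; do
        # Ignore blank lines, headings and anything that is not a hex digest.
        case $want in
            ''|*[!0-9a-fA-F]*) continue ;;
        esac
        [ "${#want}" -eq 32 ] && [ -n "$name" ] || continue
        seen=$((seen + 1))
        # A manifest entry must name a plain file inside DIR, never a path.
        case $name in
            */*) echo "REJECTED $name" >&2; rc=1; continue ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2
            rc=1
            continue
        fi
        got=$(md5sum < "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$(printf '%s' "$want" | tr 'A-F' 'a-f')" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got $got)" >&2
            rc=1
        fi
    done < "$manifest"
    # An empty or unparsable manifest must not count as a successful check.
    [ "$seen" -gt 0 ] || rc=1
    return $rc
}

# Typical use, gating the advisory's install step on the check:
#   verify_advisory_pkgs packages.md5 . && rpm -Fvh sendmail-*8.11.6-11.i386.rpm
```

The checksums differ per product (Server and Workstation builds of the same file name have different MD5 values), so the manifest must be taken from the section matching the installed system.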
    
    
    


