Bug 52194

Summary: SUID sendmail allows local overflow
Product: [Retired] Red Hat Linux
Reporter: Philip Rowlands <phr>
Component: sendmail
Assignee: Florian La Roche <laroche>
Status: CLOSED CURRENTRELEASE
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: high
Version: 7.1
CC: alfcruz, chrismcc, djuran, donfede, leonard-rh-bugzilla, oliver, per.starback, schumann, sjcjonker
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2001-09-13 08:06:52 UTC

Description Philip Rowlands 2001-08-21 16:29:16 UTC
Seen on Bugtraq:-

---
Summary:

  Sendmail contains an input validation error, may lead to the  execution
  of arbitrary code with elevated privileges.

Impact:

  Local users may be able to write  arbitrary  data  to  process  memory,
  possibly  allowing  the  execution  of  code/commands   with   elevated
  privileges.
---
The above post does not have a Bugtraq archive link yet.

Fixed in 8.11.16, apparently
http://www.sendmail.org/8.11.html

Comment 1 Philip Rowlands 2001-08-22 19:18:57 UTC
Exploit now posted to Bugtraq, which works after some tweaking. By "works", I
mean "can create root owned mode 4755 executable copy of /bin/bash". I'm damned
if I can get the thing to run as root though...

Comment 2 Stijn Jonker 2001-08-27 18:31:33 UTC
IMHO this is a serious exploit. Is it possible to release a new sendmail rpm?

Currently running with my own compiled version, but an rpm would be real nice ;-)
Comment 3 Florian La Roche 2001-08-27 18:43:53 UTC
http://people.redhat.com/laroche/sendmail* contains our current
sendmail rpm for rawhide. Please email me, if you see any problems with
these rpms, apart from recompiling them on our release.
I am now working on rpms for older releases and it will take some more
QA time to verify them.

Florian La Roche
Comment 4 Timothy Burt 2001-08-28 05:54:45 UTC
There may be a remote extension to this security bug, I am not sure.  Somebody 
is trying to exploit a couple of my boxes with a hack to the Errors-To header 
parameter.  I found this while in debug on a box that was having sendmail 
problems...


06433 === EXEC procmail -f f10879.il -Y -a  -d validdomain
06433 >>> Return-Path: <f10879.il>
06433 >>> Received: from vikee.com (nszx104.134.szptt.net.cn [202.104.134.182] (may be forged))
06433 >>>       by emerson.xyz.com (8.9.3/8.9.3) with ESMTP id QAA06431
06433 >>>       for <deborah>; Mon, 27 Aug 2001 16:00:04 -0700
06433 >>> From: f10879.il
06433 >>> Received: from 195.55.23.2 [4.4.177.79] by vikee.com
06433 >>>   (SMTPD32-6.04) id AA7BF90132; Sun, 26 Aug 2001 06:45:15 +0800
06433 >>> To:
06433 >>> Subject: Watch Censored Pix - Anonymously!
06433 >>> Date: Sun, 26 Aug 01 13:11:27 US Mountain Standard Time
06433 >>> Errors-To: C%^S'$"du^P^U)c^N\0&IbW#&3!k_^TZO8Nl0,@emerson.xyz.com,
06433 >>>         az.com
06433 >>> X-Mailer: 'L,m:
06433 >>> X-Priority: 3
06433 >>> X-MSMailPriority: Normal
06433 >>> Importance: Normal
06433 >>> Message-Id: <200108260645445.SM01424.23.2>
06433 >>>
06433 >>> <!doctype html public "-//w3c//dtd html 4.0 transitional//en">

Note the envelope return address from Israel (.il) and the relay mail server in 
Canada (.cn).

xyz.com is substituted for my domain, and "validdomain" is a virtual domain 
hosted on the box.

Note that the Errors-To contains some binary followed by a reference to my 
domain.

This email preceded strange behavior by sendmail.  I am not sure it was a 
valid exploit, but it warrants looking into.

Thanks...

Comment 5 Bishop Clark 2001-08-28 08:26:56 UTC
tburt;

Um, just for the record, CN isn't canada.  Please check your figures or join the FBI - Canada's
not exactly the cracker's haven you wish.  We just burn White Houses, which makes us arsonists.

 - bish


Comment 6 Timothy Burt 2001-08-28 18:28:14 UTC
bishop...
  Right you are.  I didn't mean to slight our neighbors to the north...  .cn, 
is that China?  I haven't memorized too many of the international roots.  I 
wasn't even positive that .il is Israel.

  It was also graciously pointed out that this is not a 8.11.* version of 
sendmail.  However, I was receiving similar attacks on both this older version 
and the 8.11.*

Forewarned is forearmed?  That's all.

Comment 7 Timothy Burt 2001-08-31 13:19:25 UTC
Hello, me again.  Checking on the status of this security fix.

10 days since this ticket was opened, and a week since Security Focus issued 
its recommendation to upgrade sendmail on all servers.

The link for the rawhide rpm, as seen above, is dead.

Is this security fix only available to subscribers of RedHat's premium service?

I am not a subscriber, but if I were, I would be wondering loudly why I am 
paying and not getting....

I do not mean to insult or belittle the maintainers of this code, you guys are 
saints.  I have an uneasy feeling that Redhat may be withholding this fix from the 
general public to boost subscribers to the Premium support service...

In the past, I have seen an increase in exploit activity on the eve of a major 
American holiday.  It seems admins like to enjoy a day off like everyone else, 
and the hackers know that come Monday morning, their late Sunday night efforts 
may go unnoticed.

Will RedHat make this rpm available before the weekend is upon us?

Comment 8 Leonard den Ottolander 2001-09-10 21:01:02 UTC
Seen on Linux Weekly News:
http://lwn.net/2001/0906/security.php3

Input validation problem with sendmail. An input validation error exists in versions of sendmail prior to
8.11.6 (or 8.12.0Beta19) which may be exploited by local users to obtain root access. See the August 23
Security Page for the initial report. 

This week's updates: 

     Mandrake (August 31, 2001)  

Previous updates: 

     Caldera (August 24, 2001)  
     Conectiva (August 23, 2001)  
     Debian (not vulnerable). 
     Immunix (August 23, 2001)  
     Slackware (August 27, 2001)  
     SuSE (August 23, 2001)  

There hasn't been any announcement on the Redhat watch list yet. Isn't it time to make an announcement and let people know they should use the 
Rawhide RPMS for now? Or even better, release an update?

Leonard.


Comment 9 Oliver Schulze L. 2001-09-10 21:13:33 UTC
After updating to sendmail-8.11.6-1.7.0, I get these errors:
Sep 10 16:45:06 mail sendmail[16928]: f8AKj6h16928: tcpwrappers
(polaris.pla.net.py, 216.250.196.10) rejection
Sep 10 16:45:06 mail sendmail[16928]: NOQUEUE: IDENT:uucp.net.py
[216.250.196.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

and the mail server does not accept any mail at all.

Where do I disable these extra security options?

Thanks
Oliver

Comment 10 Oliver Schulze L. 2001-09-10 23:26:27 UTC
Ok, isolated the problem to:
tcpwrappers (polaris.pla.net.py, 216.250.196.10) rejection

and thanks to http://groups.google.com/ the solution is to
add a line to /etc/hosts.allow
sendmail: ALL

uff, in production again. :-)

I propose to add this info to the errata

Oliver
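The rejection in comment 9 and the hosts.allow fix in comment 10 both come from the tcp_wrappers check sendmail runs before accepting a connection. As an added illustration (not code from the bug report, from sendmail or from Red Hat), this Python model reproduces the hosts_access(5) decision order over constructed hosts.allow and hosts.deny contents; the peer hostname and address are taken from comment 9's log, and the sshd rule in the constructed hosts.allow is an assumption.

```python
# Added example: a minimal model of the tcp_wrappers hosts_access(5) decision.
# Pattern subset supported: ALL, exact host or address, leading-dot domain
# suffix (".example.com"), trailing-dot address prefix ("216.250.").
# Not modelled: EXCEPT, net/mask, KNOWN/UNKNOWN/PARANOID, shell options.

def parse_rules(text):
    """Return (daemon_list, client_list) pairs from hosts.allow/hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blank lines
        fields = line.split(":")
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules

def client_matches(pattern, host, addr):
    """Match one client pattern against the peer's hostname and address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                  # domain suffix
        return host.endswith(pattern)
    if pattern.endswith("."):                    # leading address octets
        return addr.startswith(pattern)
    return pattern in (host, addr)               # exact match

def rule_matches(rule, daemon, host, addr):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, host, addr) for c in clients))

def hosts_access(daemon, host, addr, hosts_allow, hosts_deny):
    """hosts.allow is searched first (grant), then hosts.deny (refuse);
    a (daemon, client) pair matching neither file is granted."""
    if any(rule_matches(r, daemon, host, addr) for r in parse_rules(hosts_allow)):
        return True
    if any(rule_matches(r, daemon, host, addr) for r in parse_rules(hosts_deny)):
        return False
    return True

# Constructed files: a locked-down host whose hosts.allow forgot sendmail.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW_BEFORE = "sshd: 192.168.1.\n"                   # assumed sshd rule
HOSTS_ALLOW_AFTER = HOSTS_ALLOW_BEFORE + "sendmail: ALL\n"   # comment 10's fix

if __name__ == "__main__":
    peer = ("polaris.pla.net.py", "216.250.196.10")          # peer from comment 9's log
    for allow in (HOSTS_ALLOW_BEFORE, HOSTS_ALLOW_AFTER):
        print(hosts_access("sendmail", *peer, allow, HOSTS_DENY))
```

For a public MTA, `sendmail: ALL` in hosts.allow is the normal setting: any sender must be able to reach the SMTP port, and relay restrictions belong in sendmail's own access map rather than in tcp_wrappers.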

Comment 11 Olli Lounela 2001-09-13 08:06:48 UTC
All the referred articles state versions 8.10 and 8.11 vulnerable, but I haven't
seen anybody claim 8.9.3 vulnerable. More like, ISTR, someone in Bugtraq claimed
it's not vulnerable. But trying to find out now, I found _nothing_ relevant to
8.9.3 from BugTraq archives (SF's new look doesn't help at all :/ )

Of course, changing to a new (minor) release is an unpleasant idea, with a nontrivial
conf that we have and all. If it isn't vulnerable, I'd definitely like to forgo
upgrading what works -- I have had enough experiences from Microsoft world how
that's just a really bad idea. And I'm _not_ interested in possibly buggy new
features.

Does anybody know?