Red Hat Bugzilla – Bug 52194
SUID sendmail allows local overflow
Last modified: 2007-03-26 23:48:10 EDT
Seen on Bugtraq:-
Sendmail contains an input validation error, may lead to the execution
of arbitrary code with elevated privileges.
Local users may be able to write arbitrary data to process memory,
possibly allowing the execution of code/commands with elevated
The above post does not have a Bugtraq archive link yet.
Fixed in 8.11.16, apparently
Exploit now posted to Bugtraq, which works after some tweaking. By "works", I
mean "can create root owned mode 4755 executable copy of /bin/bash". I'm damned
if I can get the thing to run as root though...
IMHO this is a serious exploit. Is it possible to release a new sendmail rpm.
Currently running with my own compiled version, but an rpm would be real nice ;-)
http://people.redhat.com/laroche/sendmail* contains our current
sendmail rpm for rawhide. Please email me, if you see any problems with
these rpms, apart from recompiling them on our release.
I am now working on rpms for older releases and it will take some more
QA time to verify them.
Florian La Roche
There may be a remote extension to this security bug, I am not sure. Somebody
is trying to exploit a couple of my boxes with a hack to the Errors-To header
parameter. I found this while in debug on a box that was having sendmail
06433 === EXEC procmail -f email@example.com -Y -a -d validdomain
06433 >>> Return-Path: <firstname.lastname@example.org>
06433 >>> Received: from vikee.com (nszx104.134.szptt.net.cn [18.104.22.168] (
may be forged))
06433 >>> by emerson.xyz.com (8.9.3/8.9.3) with ESMTP id QAA06431
06433 >>> for <email@example.com>; Mon, 27 Aug 2001 16:00:04 -0700
06433 >>> From: firstname.lastname@example.org
06433 >>> Received: from 22.214.171.124 [126.96.36.199] by vikee.com
06433 >>> (SMTPD32-6.04) id AA7BF90132; Sun, 26 Aug 2001 06:45:15 +0800
06433 >>> To:
06433 >>> Subject: Watch Censored Pix - Anonymously!
06433 >>> Date: Sun, 26 Aug 01 13:11:27 US Mountain Standard Time
06433 >>> Errors-To: C%^S'$"du^P^U)c^N\0&IbW#&3!k_^TZO8Nl0,@emerson.xyz.co
06433 >>> email@example.com
06433 >>> X-Mailer: 'L,m:
06433 >>> X-Priority: 3
06433 >>> X-MSMailPriority: Normal
06433 >>> Importance: Normal
06433 >>> Message-Id: <200108260645445.SM01424@188.8.131.52>
06433 >>> <!doctype html public "-//w3c//dtd html 4.0 transitional//en">
Note the envelope return address from Israel (.il) and the relay mail server in
xyz.com is substituted for my domain, and "validdomain" is a virtual domain
hosted on the box.
Note that the Errors-To contains some binary followed by a reference to my
This email preceeded strange behavior by sendmail. I am not sure it was a
valid exploit, but it warrants looking into.
Um, just for the record, CN isn't canada. Please check your figures or join the FBI - Canada's
not exactly the cracker's haven you wish. We just burn White Houses, which makes us arsonists.
Right you are.. I didn't mean to slight our neighbors to the north... .cn
is that China? I haven't memorized too many of the international roots. I
wasn't even positive that .il is Israel.
It was also graciously pointed out that this is not a 8.11.* version of
sendmail. However, I was receiving similar attacks on both this older version
and the 8.11.*
Forwarned is for-armed? Thats all.
Hello, me again. Checking on the status of this security fix.
10 days since this ticket was opened, and a week since Security Focus issued
it's recommendation to upgrade sendmail on all servers.
The link for the rawhide rpm, as seen above, is dead.
Is this security fix only available to subscribers of RedHat's premium service?
I am not a subscriber, but if I were, I would be wondering loudly why I am
paying and not getting....
I do not mean to insult or belittle the maintainers of this code, you guys are
saints. I have an uneasy feeling that Redhat may be witholding this fix to the
general public to boost subscribers to the Premium support service...
In the past, I have seen an increase in exploit activity on the eve of a major
American Holiday. It seems Admins like to enjoy a day off like everyone else,
and the hackers know that come monday morning, their late Sunday night efforts
may go unnoticed.
Will RedHat make this rpm available before the weekend is upon us?
Seen on Linux Weekly News:
Input validation problem with sendmail. An input validation error exists in versions of sendmail prior to
8.11.6 (or 8.12.0Beta19) which may be exploited by local users to obtain root access. See the August 23
Security Page for the initial report.
This week's updates:
Mandrake (August 31, 2001)
Caldera (August 24, 2001)
Conectiva (August 23, 2001)
Debian (not vulnerable).
Immunix (August 23, 2001)
Slackware (August 27, 2001)
SuSE (August 23, 2001)
There hasn't been any anouncement on the Redhat watch list yet. Isn't it time to make an announcement and let people know they should use the
Rawhide RPMS for now? Or even better, release an update?
After updating to sendmail-8.11.6-1.7.0, I get this errors:
Sep 10 16:45:06 mail sendmail: f8AKj6h16928: tcpwrappers
(polaris.pla.net.py, 184.108.40.206) rejection
Sep 10 16:45:06 mail sendmail: NOQUEUE: IDENT:firstname.lastname@example.org
[220.127.116.11] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
and the mail server does not accept any mail at all.
Where do I disable this extra security options?
Ok, isolated the problem to:
tcpwrappers (polaris.pla.net.py, 18.104.22.168) rejection
and thanks to http://groups.google.com/ the solution is to
add a line to /etc/hosts.allow
uff, in production again. :-)
I propose to add this info to the errata
All the referred articles state versions 8.10 and 8.11 vulnerable, but I haven't
seen anybody claim 8.9.3 vulnerable. More like, ISTR, someone in Bugtraq claimed
it's not vulnerable. But trying to find out now, I found _nothing_ relevant to
8.9.3 from BugTraq archives (SF's new look doesn't help at all :/
Of course, changing to new (minor) release is unpleasant idea, with a nontrivial
conf that we have and all. If it isn't vulnerable, I'd definitely like to forgo
upgrading what works -- I have had enough experiences from Microsoft world how
that's just a really bad idea. And I'm _not_ interested in possibly buggy new
Does anybody know?