Bug 52194 - SUID sendmail allows local overflow
Summary: SUID sendmail allows local overflow
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: sendmail   
Version: 7.1
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Florian La Roche
QA Contact: David Lawrence
Keywords: Security
Depends On:
Reported: 2001-08-21 16:29 UTC by Philip Rowlands
Modified: 2007-03-27 03:48 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-09-13 08:06:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2001:105 contract SHIPPED_LIVE : THIS IS A TEST ERRATA 2003-07-29 04:00:00 UTC
Red Hat Product Errata RHSA-2001:106 normal SHIPPED_LIVE : New sendmail packages available which fix a local root exploit 2001-08-28 04:00:00 UTC

Description Philip Rowlands 2001-08-21 16:29:16 UTC
Seen on Bugtraq:-


  Sendmail contains an input validation error, may lead to the execution
  of arbitrary code with elevated privileges.


  Local users may be able to write arbitrary data to process memory,
  possibly allowing the execution of code/commands with elevated
The above post does not have a Bugtraq archive link yet.

Fixed in 8.11.16, apparently

Comment 1 Philip Rowlands 2001-08-22 19:18:57 UTC
Exploit now posted to Bugtraq, which works after some tweaking. By "works", I
mean "can create root owned mode 4755 executable copy of /bin/bash". I'm damned
if I can get the thing to run as root though...

Comment 2 Stijn Jonker 2001-08-27 18:31:33 UTC
IMHO this is a serious exploit. Is it possible to release a new sendmail rpm?

Currently running with my own compiled version, but an rpm would be real nice ;-)

Comment 3 Florian La Roche 2001-08-27 18:43:53 UTC
http://people.redhat.com/laroche/sendmail* contains our current
sendmail rpm for rawhide. Please email me, if you see any problems with
these rpms, apart from recompiling them on our release.
I am now working on rpms for older releases and it will take some more
QA time to verify them.

Florian La Roche

Comment 4 Timothy Burt 2001-08-28 05:54:45 UTC
There may be a remote extension to this security bug, I am not sure.  Somebody 
is trying to exploit a couple of my boxes with a hack to the Errors-To header 
parameter.  I found this while in debug on a box that was having sendmail 

06433 === EXEC procmail -f f10879@walla.co.il -Y -a  -d validdomain
06433 >>> Return-Path: <f10879@walla.co.il>
06433 >>> Received: from vikee.com (nszx104.134.szptt.net.cn [] (
may be forged))
06433 >>>       by emerson.xyz.com (8.9.3/8.9.3) with ESMTP id QAA06431
06433 >>>       for <deborah@validdomain.com>; Mon, 27 Aug 2001 16:00:04 -0700
06433 >>> From: f10879@walla.co.il
06433 >>> Received: from [] by vikee.com
06433 >>>   (SMTPD32-6.04) id AA7BF90132; Sun, 26 Aug 2001 06:45:15 +0800
06433 >>> To:
06433 >>> Subject: Watch Censored Pix - Anonymously!
06433 >>> Date: Sun, 26 Aug 01 13:11:27 US Mountain Standard Time
06433 >>> Errors-To: C%^S'$"du^P^U)c^N\0&IbW#&3!k_^TZO8Nl0,@emerson.xyz.co
06433 >>>         az@emerson.xyz.com
06433 >>> X-Mailer: 'L,m:
06433 >>> X-Priority: 3
06433 >>> X-MSMailPriority: Normal
06433 >>> Importance: Normal
06433 >>> Message-Id: <200108260645445.SM01424@>
06433 >>>
06433 >>> <!doctype html public "-//w3c//dtd html 4.0 transitional//en">

Note the envelope return address from Israel (.il) and the relay mail server in 
Canada (.cn).

xyz.com is substituted for my domain, and "validdomain" is a virtual domain 
hosted on the box.

Note that the Errors-To contains some binary followed by a reference to my 

This email preceded strange behavior by sendmail.  I am not sure it was a 
valid exploit, but it warrants looking into.


Comment 5 Bishop Clark 2001-08-28 08:26:56 UTC

Um, just for the record, CN isn't Canada.  Please check your figures or join the FBI - Canada's
not exactly the cracker's haven you wish.  We just burn White Houses, which makes us arsonists.

 - bish

Comment 6 Timothy Burt 2001-08-28 18:28:14 UTC
  Right you are..  I didn't mean to slight our neighbors to the north...  .cn 
is that China?  I haven't memorized too many of the international roots.  I 
wasn't even positive that .il is Israel.

  It was also graciously pointed out that this is not an 8.11.* version of 
sendmail.  However, I was receiving similar attacks on both this older version 
and the 8.11.*

Forewarned is forearmed?  That's all.

Comment 7 Timothy Burt 2001-08-31 13:19:25 UTC
Hello, me again.  Checking on the status of this security fix.

10 days since this ticket was opened, and a week since Security Focus issued 
its recommendation to upgrade sendmail on all servers.

The link for the rawhide rpm, as seen above, is dead.

Is this security fix only available to subscribers of RedHat's premium service?

I am not a subscriber, but if I were, I would be wondering loudly why I am 
paying and not getting....

I do not mean to insult or belittle the maintainers of this code, you guys are 
saints.  I have an uneasy feeling that Redhat may be withholding this fix to the 
general public to boost subscribers to the Premium support service...

In the past, I have seen an increase in exploit activity on the eve of a major 
American Holiday.  It seems Admins like to enjoy a day off like everyone else, 
and the hackers know that come Monday morning, their late Sunday night efforts 
may go unnoticed.

Will RedHat make this rpm available before the weekend is upon us?

Comment 8 Leonard den Ottolander 2001-09-10 21:01:02 UTC
Seen on Linux Weekly News:

Input validation problem with sendmail. An input validation error exists in versions of sendmail prior to
8.11.6 (or 8.12.0Beta19) which may be exploited by local users to obtain root access. See the August 23
Security Page for the initial report. 

This week's updates: 

     Mandrake (August 31, 2001)  

Previous updates: 

     Caldera (August 24, 2001)  
     Conectiva (August 23, 2001)  
     Debian (not vulnerable). 
     Immunix (August 23, 2001)  
     Slackware (August 27, 2001)  
     SuSE (August 23, 2001)  

There hasn't been any announcement on the Redhat watch list yet. Isn't it time to make an announcement and let people know they should use the 
Rawhide RPMS for now? Or even better, release an update?


Comment 9 Oliver Schulze L. 2001-09-10 21:13:33 UTC
After updating to sendmail-8.11.6-1.7.0, I get these errors:
Sep 10 16:45:06 mail sendmail[16928]: f8AKj6h16928: tcpwrappers
(polaris.pla.net.py, rejection
Sep 10 16:45:06 mail sendmail[16928]: NOQUEUE: IDENT:uucp@polaris.pla.net.py
[] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

and the mail server does not accept any mail at all.

Where do I disable this extra security options?


Comment 10 Oliver Schulze L. 2001-09-10 23:26:27 UTC
Ok, isolated the problem to:
tcpwrappers (polaris.pla.net.py, rejection

and thanks to http://groups.google.com/ the solution is to
add a line to /etc/hosts.allow
sendmail: ALL

uff, in production again. :-)

I propose to add this info to the errata


Comment 11 Olli Lounela 2001-09-13 08:06:48 UTC
All the referred articles state versions 8.10 and 8.11 vulnerable, but I haven't
seen anybody claim 8.9.3 vulnerable. More like, ISTR, someone in Bugtraq claimed
it's not vulnerable. But trying to find out now, I found _nothing_ relevant to
8.9.3 from BugTraq archives (SF's new look doesn't help at all :/

Of course, changing to new (minor) release is unpleasant idea, with a nontrivial
conf that we have and all. If it isn't vulnerable, I'd definitely like to forgo
upgrading what works -- I have had enough experiences from Microsoft world how
that's just a really bad idea. And I'm _not_ interested in possibly buggy new

Does anybody know?
