-----BEGIN PGP SIGNED MESSAGE-----

===============================================================================
Security Advisory CERT-NL
===============================================================================
Author/Source : Teun Nijssen/Don Stikvoort   Index         : S-96-58
Distribution  : World                        Page          : 1
Classification: External                     Version       : 2
Subject       : Sendmail 8.8.0/8.8.1 vulnerability
Date          : 21-Oct-96
===============================================================================

NOTE: THIS VERSION (v2) SUPERSEDES THE PREVIOUS S-96-58 OF 18-OCT-96 (v1).
      PLEASE DELETE THE OLD VERSION.

By courtesy of AUSCERT we received information on a vulnerability in
sendmail 8.8.0 and 8.8.1. Originally 8.8.1 was intended to fix the bug in
8.8.0, but this attempt proved false. CERT-NL recommends moving to sendmail
version 8.8.2 as soon as possible.

===============================================================================

** This Advisory contains updated information. The new version of
** sendmail released to fix the vulnerability in sendmail Version 8.8.0
** did not address the problem. A new version of sendmail, Version 8.8.2,
** has now been released.

AUSCERT has received information that sendmail Versions 8.8.0 and 8.8.1
contain a serious security vulnerability. This vulnerability allows
remote users to execute arbitrary commands on systems running the
vulnerable sendmail by sending a carefully crafted electronic mail
message. Note that this vulnerability may be exploited on systems despite
the presence of firewalls or other boundary protective measures.

- ---------------------------------------------------------------------------

1.  Description

    A serious security vulnerability in sendmail Versions 8.8.0 and 8.8.1
    has been discovered that allows remote users to execute arbitrary
    commands with root privileges. Versions prior to Version 8.8.0 do not
    contain this vulnerability. Versions prior to 8.7.6 contain other
    unrelated vulnerabilities.
    The vulnerability described in this Advisory is exploited by sending a
    carefully crafted electronic mail message to the system running the
    vulnerable version of sendmail. This vulnerability may be exploited on
    systems despite the presence of firewalls and other boundary protective
    measures.

    Systems are vulnerable to this attack if both of the following
    conditions are true:

    1.  The version of sendmail is 8.8.0 or 8.8.1.

        To determine the version of sendmail, use the following command:

            % sendmail -d0 -bt | grep Version

        If the string returned is "Version 8.8.0" or "Version 8.8.1", then
        this version of sendmail contains the vulnerability. Note you can
        type ^D to exit this command.

    2.  Examine the sendmail configuration file (usually /etc/sendmail.cf).
        If the '9' flag is set in the "F=" (Flags) section for any Mailer
        specifications (sections starting with 'M' in the first column,
        such as "Mprog" or "Mlocal"), then this configuration is
        vulnerable.

        Use of the '9' flag can usually be determined using the following
        command (depending on your sendmail configuration):

            % grep '^M' /etc/sendmail.cf | grep '9'

        If any lines are output from this command, then the sendmail
        configuration may be vulnerable.

        The use of the '9' flag in the sendmail configuration is documented
        only in the Release Notes. This flag is set by default if the
        sendmail.cf file was generated from the sendmail Version 8.8.x
        distribution files using m4(1). Previous versions of sendmail did
        not set this flag by default when the sendmail.cf file was
        generated. The '9' flag is also set by default in the precompiled
        example configuration files found in the cf/cf/obj/ subdirectory
        of the sendmail Version 8.8.x distribution.

2.  Impact

    Remote users may execute arbitrary commands as root on systems using
    the vulnerable sendmail. This may be leveraged to gain root access.

3.  Workarounds/Solution

    AUSCERT recommends that sendmail Version 8.8.2 be installed immediately
    (see Section 3.1).
    For sites that cannot install sendmail Version 8.8.2 immediately, apply
    the workaround described in Section 3.2.

3.1 Upgrade to sendmail version 8.8.2.

    Eric Allman has released a new version of sendmail which fixes this
    vulnerability. This can be obtained from the following locations:

        ftp://ftp.sendmail.org/ucb/src/sendmail/
        ftp://ftp.auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu/ucb/sendmail/
        ftp://ftp.cert.dfn.de/pub/tools/net/sendmail/
        ftp://ftp.cert.org/pub/tools/sendmail/

    The MD5 checksums for this distribution are:

        MD5 (sendmail.8.8.2.patch)   = a3fdf7ea9967064e2b00f7796a87dfd9
        MD5 (sendmail.8.8.2.tar.gz)  = 7ba82d2008a40337bc5828a77694f66e
        MD5 (sendmail.8.8.2.tar.sig) = 3b1765110818cf1ab3cec33e825479cb
        MD5 (sendmail.8.8.2.tar.Z)   = 183b7d3461af7735bf2f9b2c17526476

3.2 Workaround for existing sendmail Version 8.8.0 and 8.8.1 installations

    AUSCERT has been advised that the following workaround removes the
    vulnerability described in this Advisory.

    The /etc/sendmail.cf file should be modified to remove the use of the
    '9' flag for all Mailer specifications (lines starting with 'M'). For
    example, the sendmail.cf file should look similar to (depending on your
    system and configuration):

        Mlocal, P=/usr/libexec/mail.local, F=lsDFMAw5:/|@qrmn, S=10/30, R=20/40, T=DNS/RFC822/X-Unix, A=mail -d $u
        Mprog, P=/bin/sh, F=lsDFMoqeu, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u

    This can be achieved for the "Mlocal" and "Mprog" Mailers by modifying
    the ".mc" file to include the following lines:

        define(`LOCAL_MAILER_FLAGS', ifdef(`LOCAL_MAILER_FLAGS', `translit(LOCAL_MAILER_FLAGS, `9')', `rmn'))
        define(`LOCAL_SHELL_FLAGS', ifdef(`LOCAL_SHELL_FLAGS', `translit(LOCAL_SHELL_FLAGS, `9')', `eu'))

    and then rebuilding the sendmail.cf file using m4(1).

    It is possible to directly edit the sendmail.cf file to resolve this
    vulnerability.
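    The check in Section 1 (grep for a '9' on 'M' lines) and the direct
    edit of sendmail.cf just described can both be done more precisely by
    reading the F= field of each Mailer definition. The script below is an
    added example, not part of the CERT-NL/AUSCERT advisory or of the
    sendmail distribution. The sendmail.cf excerpt it carries is
    constructed for illustration: Mlocal has the '9' flag, Mprog does not,
    and Msmtp contains a '9' only inside L=990, which the one-line grep
    reports although that mailer carries no '9' flag. The script folds
    sendmail.cf continuation lines (physical lines starting with a blank or
    tab) into the Mailer line they belong to, lists the mailers whose flags
    include '9', and writes a copy of the configuration with only that flag
    removed.

```python
"""Locate the '9' flag in sendmail.cf Mailer definitions and remove it.

Added example (not advisory or sendmail code): inspects the F= (Flags)
field of every 'M' line, following continuation lines, so a '9' elsewhere
on the line, e.g. in L=990, is not mistaken for the flag.
"""
import re
import sys

# Constructed sendmail.cf excerpt for this example, not a real configuration.
# Mlocal carries the '9' flag (vulnerable), Mprog does not, and Msmtp has a
# '9' only inside L=990, which the advisory's `grep '^M' | grep '9'` reports.
SAMPLE_CF = """\
# constructed sendmail.cf excerpt
Mlocal,\tP=/usr/libexec/mail.local, F=lsDFMAw5:/|@qrmn9, S=10/30, R=20/40,
\t\tT=DNS/RFC822/X-Unix, A=mail -d $u
Mprog,\t\tP=/bin/sh, F=lsDFMoqeu, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u
Msmtp,\t\tP=[IPC], F=mDFMuX, S=11/31, R=21, E=\\r\\n, L=990,
\t\tT=DNS/RFC822/SMTP, A=IPC $h
"""

# The F= field of a Mailer definition: preceded by a comma or blank, it runs
# to the next comma or blank. Flag strings may contain ':', '/', '|' and '@'.
FLAG_FIELD = re.compile(r"(?<=[,\s])F=([^,\s]*)")


def logical_lines(cf_text):
    """Return (joined_line, [physical_line_indexes]) pairs, folding each
    continuation line (leading blank or tab) into the line it continues."""
    out = []
    for idx, line in enumerate(cf_text.splitlines()):
        if line[:1] in (" ", "\t") and out:
            out[-1][0] += " " + line.strip()
            out[-1][1].append(idx)
        else:
            out.append([line, [idx]])
    return [(text, idxs) for text, idxs in out]


def mailer_flags(cf_text):
    """Map each Mailer name (the 'M' line's name without the leading M) to
    the contents of its F= field, or '' when the mailer sets no flags."""
    flags = {}
    for text, _ in logical_lines(cf_text):
        if text.startswith("M"):
            name = text[1:].split(",", 1)[0].strip()
            match = FLAG_FIELD.search(text)
            flags[name] = match.group(1) if match else ""
    return flags


def mailers_with_flag_9(cf_text):
    """Sorted names of the Mailers whose F= field contains the '9' flag."""
    return sorted(name for name, f in mailer_flags(cf_text).items() if "9" in f)


def crude_grep_hits(cf_text):
    """The advisory's `grep '^M' sendmail.cf | grep '9'`, for comparison: it
    matches a '9' anywhere on a physical 'M' line, including inside L=990."""
    return [l for l in cf_text.splitlines() if l.startswith("M") and "9" in l]


def remove_flag_9(cf_text):
    """Return the configuration with '9' deleted from every Mailer's F= field.
    Only the F= token is rewritten; every other byte is left as it was."""
    lines = cf_text.splitlines()
    for text, idxs in logical_lines(cf_text):
        if text.startswith("M"):
            for i in idxs:
                lines[i] = FLAG_FIELD.sub(
                    lambda m: "F=" + m.group(1).replace("9", ""), lines[i])
    return "\n".join(lines) + ("\n" if cf_text.endswith("\n") else "")


if __name__ == "__main__":
    # Usage: python check_flag9.py [/etc/sendmail.cf]; with no argument the
    # constructed sample is used. The fixed configuration goes to stdout for
    # review; it is not written back to the file.
    cf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CF
    print("Mailers with flag '9':", ", ".join(mailers_with_flag_9(cf)) or "none")
    print("Crude grep hits:", len(crude_grep_hits(cf)))
    sys.stdout.write(remove_flag_9(cf))
```

    On the constructed sample the script reports only the "local" mailer,
    while the one-line grep reports two lines (Mlocal and the Msmtp line
    with L=990). After the rewrite no mailer carries the flag and L=990 is
    untouched. As the advisory notes below, a directly edited sendmail.cf is
    only as durable as the .mc file it will next be rebuilt from.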
    However, caution must be taken to ensure that the sendmail.cf file is
    not replaced in the future with a new version rebuilt from
    configuration files that include the '9' flag.

    Once the configuration file has been modified, all running versions of
    sendmail should be killed and the sendmail daemon restarted, or the
    system rebooted, for these changes to take effect.

4.  Additional Measures

    This section describes some additional measures for increasing the
    security of sendmail in general. It is unrelated to the vulnerability
    described in this Advisory. Sites must apply the Workarounds/Solution
    described in Section 3 first, and then optionally apply the additional
    measures described in this Section.

4.1 Restrict Ability to Mail to Programs

    If the ability to send electronic mail to programs (for example,
    vacation programs) is not required, this feature should be disabled.
    This is achieved by modifying the "Mprog" line in the configuration
    file to mail to "/bin/false" rather than "/bin/sh". The following line
    in the ".mc" file will achieve this:

        define(`LOCAL_SHELL_PATH', `/bin/false')dnl

    If mailing to programs is required, it is recommended that the sendmail
    restricted shell, smrsh, be used at all times. This applies to all
    versions of sendmail, including vendor versions. smrsh is supplied
    with the sendmail 8.8.2 distribution and includes documentation and
    installation instructions.

- ---------------------------------------------------------------------------

AUSCERT thanks Eric Allman for his rapid response to this vulnerability,
and Wolfgang Ley from the DFN-CERT team for technical input to this
Advisory.

- ---------------------------------------------------------------------------

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related
institutes.
CERT-NL is a member of the Forum of Incident Response and Security Teams
(FIRST).

All CERT-NL material is available under:
    http://www.surfnet.nl/surfnet/security/cert-nl.html
    ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e.
UTC+0100 in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl
Phone:     +31 302 305 305
Fax:       +31 302 305 329
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA  UTRECHT
           The Netherlands

A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST
members on request.
==============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBMmsbRGL2fnkJN/jpAQH3yAP9GXBtpc8aGJ90044QyjHjpZGFggcwd/wh
x5vuLL+HcKsmlIS3SSUe35Q176q/cHw5P1l2POFK/ObtuOfBo81WcpueyGlKivdj
eD1BlXFboxd4eTzEIKiZx4Cq+KKjfEvdD94xCb6UjOa+EySOI0mbyEkqfXfdm8Ck
d40S6BkvPFs=
=N3uE
-----END PGP SIGNATURE-----