From jeffb@COBALTNET.COM Fri Dec 24 02:44:40 1999
From: Jeff Bilicki
Resent-From: mea culpa
To: BUGTRAQ@SECURITYFOCUS.COM
Resent-To: jericho@attrition.org
Date: Wed, 24 Nov 1999 02:40:48 -0800
Subject: [ COBALT ] Security Advisory - Sendmail

Cobalt Networks -- Security Advisory -- 11.24.1999

Problem:

Sendmail, up to the recent 8.9.x versions, allows any user with shell
access to pass the '-bi' parameter to /usr/sbin/sendmail. This will
result in a rebuild of the aliases database. The alias database is
opened in the following way:

    5366 open("/etc/aliases.db", O_RDWR|O_TRUNC) = 6

There's an approx. 0.1 sec delay due to /etc/aliases.db processing (on
many common systems). Meantime, luser might deliver any signal to the
Sendmail process, like SIGKILL. After that, /etc/aliases.db will be left
in an unusable state (no EOF marker), causing DoS:

    220 Marchew ESMTP Mail Service at nimue.ids.pl ready.
    mail from: myself
    451 Cannot open hash database /etc/aliases: Invalid argument
    rcpt to: lcamtuf
    503 Need MAIL before RCPT

This vulnerability and problem text were produced by Michal Zalewski

Relevant products and architectures (all languages)

    Product   Architecture   Vulnerable
    Qube1     MIPS           yes
    Qube2     MIPS           yes
    RaQ1      MIPS           yes
    RaQ2      MIPS           yes
    RaQ3      x86            yes

Conflicts:

-RaQ 1-
After installing the RPM you will need to move /etc/sendmail.cf.rpmsave
to /etc/sendmail.cf and restart sendmail

-Qube1-
See *Note

RPMS:

-RaQ 3-
ftp://ftp.cobaltnet.com/pub/experimental/security/i386/sendmail-8.9.3-C7.i386.rpm

-RaQ 2 Qube 2-
ftp://ftp.cobaltnet.com/pub/experimental/security/mips/sendmail-8.9.3-C7.mips.rpm

-RaQ 1 Qube 1-
ftp://ftp.cobaltnet.com/pub/experimental/security/mips/sendmail-8.8.8-1C4.mips.rpm

SRPMS:

-RaQ 3 RaQ 2 Qube 2-
ftp://ftp.cobaltnet.com/pub/experimental/security/srpms/sendmail-8.9.3-C7.src.rpm

-RaQ 1 Qube 1-
ftp://ftp.cobaltnet.com/pub/experimental/security/mips/sendmail-8.8.8-1C4.mips.rpm

MD5 sums

    Package Name                   MD5 sum
    -------------------------------------------------------------
    sendmail-8.9.3-C7.i386.rpm     9b28a5650f77a3d7bbeec2db064c2e82
    sendmail-8.9.3-C7.mips.rpm     9a27c638b77d833c41d42bfad7b21b7b
    sendmail-8.9.3-C7.src.rpm      3c6ce162b6de3cd072ed3f99e2200d3e
    sendmail-8.8.8-1C4.mips.rpm    5590d0a0955fef086e219aa67245aa86
    sendmail-8.8.8-1C4.src.rpm     10bb1f7ac3e6b1b817f4b6e4d17504ca

You can verify each rpm using the following command:

    rpm --checksig [package]

To install, use the following command, while logged in as root:

    rpm -U [package]

The package file format (pkg) for this fix is currently in testing, and
will be available in the near future.

Jeff Bilicki
Cobalt Networks

*Note for Qube 1

After installing the RPM you will need to move /etc/sendmail.cf.rpmsave
to /etc/sendmail.cf

If you are installing this sendmail on a Qube 1 you will need to do a
couple of things before installing the rpm. After Qube1 we moved all the
rc scripts into initscripts-cobalt; due to the way the rpm was built you
might need to do the following. (This will be automated when the package
is released)

1. Type as root:

    cp /etc/rc.d/init.d/sendmail /root/sendmail.tmp

2. Install the rpm using:

    rpm -U sendmail-8.8.8-1C4.mips.rpm

3. Type as root:

    mv /root/sendmail.tmp /etc/rc.d/init.d/sendmail
    mv /etc/rc.d/rc0.d/K30sendmail.rpmsave /etc/rc.d/rc0.d/K30sendmail
    mv /etc/rc.d/rc1.d/K30sendmail.rpmsave /etc/rc.d/rc1.d/K30sendmail
    mv /etc/rc.d/rc2.d/S60sendmail.rpmsave /etc/rc.d/rc2.d/S60sendmail
    mv /etc/rc.d/rc3.d/S80sendmail.rpmsave /etc/rc.d/rc3.d/S80sendmail
    mv /etc/rc.d/rc5.d/S80sendmail.rpmsave /etc/rc.d/rc5.d/S80sendmail
    mv /etc/rc.d/rc6.d/K30sendmail.rpmsave /etc/rc.d/rc6.d/K30sendmail
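
The failure mode in the Problem section comes from truncating the live database before its replacement exists. The following C code is an added example, not part of the advisory and not sendmail's or Cobalt's code (the advisory does not say how the updated packages change the rebuild); it contrasts that in-place pattern with the general write-to-temporary-then-rename() approach. All function names and the `limit` parameter, which simulates the process being killed mid-write, are hypothetical.

```c
/* Added example (hypothetical names): in-place vs. atomic rebuild of a db file. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write buf; limit < len models a kill mid-write. Returns 0 only if complete. */
static int write_until(int fd, const char *buf, size_t len, size_t limit)
{
    size_t todo = limit < len ? limit : len, off = 0;
    while (off < todo) {
        ssize_t n = write(fd, buf + off, todo - off);
        if (n < 0) return -1;
        off += (size_t)n;
    }
    return limit < len ? -1 : 0;
}

long file_size(const char *path)   /* bytes, or -1 if stat() fails */
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Advisory's pattern: truncate the live file first, then write the new data. */
int rebuild_in_place(const char *path, const char *buf, size_t len, size_t limit)
{
    int fd = open(path, O_RDWR | O_TRUNC);
    if (fd < 0) return -1;
    int rc = write_until(fd, buf, len, limit);
    close(fd);
    return rc;
}

/* Hardened: write a unique temporary file in the same directory and rename() it
 * over the live file only once complete. A failed run leaves the temporary
 * behind (as a kill would; real code unlinks it on errors), live file untouched. */
int rebuild_atomic(const char *path, const char *buf, size_t len, size_t limit)
{
    char tmp[4096];
    if (snprintf(tmp, sizeof tmp, "%s.XXXXXX", path) >= (int)sizeof tmp) return -1;
    int fd = mkstemp(tmp);
    if (fd < 0) return -1;
    int rc = write_until(fd, buf, len, limit);
    if (rc == 0 && (fsync(fd) < 0 || fchmod(fd, 0644) < 0)) rc = -1;
    close(fd);
    if (rc == 0 && rename(tmp, path) < 0) rc = -1;
    return rc;
}
```

Passing `limit` equal to `len` runs a rebuild to completion; a smaller value stops it early so the resulting file size can be compared between the two functions.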