Date: Wed, 24 Nov 1999 02:40:48 -0800
From: Jeff Bilicki <jeffb@COBALTNET.COM>
Subject: [ COBALT ] Security Advisory - Sendmail
To: BUGTRAQ@SECURITYFOCUS.COM

Cobalt Networks -- Security Advisory -- 11.24.1999

Problem:

Sendmail up to the recent 8.9.x versions - allows any user with a shell access to pass the '-bi' parameter to /usr/sbin/sendmail. This will result in aliases database rebuild. The alias database is opened in the following way:

    5366 open("/etc/aliases.db", O_RDWR|O_TRUNC) = 6

There's approx 0.1 sec delay due to /etc/aliases.db processing (on many common systems). Meantime, luser might deliver any signals to the Sendmail process, like SIGKILL. After that, /etc/aliases.db will be left in an unusable state (no EOF marker), causing DoS:

    220 Marchew ESMTP Mail Service at nimue.ids.pl ready.
    mail from: myself
    451 Cannot open hash database /etc/aliases: Invalid argument
    rcpt to: lcamtuf
    503 Need MAIL before RCPT

This vulnerability and problem text were produced by Michal Zalewski <lcamtuf@IDS.PL>

Relevant products and architectures (all languages)

    Product   Architecture   Vulnerable
    Qube1     MIPS           yes
    Qube2     MIPS           yes
    RaQ1      MIPS           yes
    RaQ2      MIPS           yes
    RaQ3      x86            yes

Conflicts:

-RaQ 1-
After installing the RPM you will need to move /etc/sendmail.cf.rpmsave to /etc/sendmail.cf and restart sendmail

-Qube1-
See *Note

RPMS:

-RaQ 3-
ftp://ftp.cobaltnet.com/pub/experimental/security/i386/sendmail-8.9.3-C7.i386.rpm

-RaQ 2 Qube 2-
ftp://ftp.cobaltnet.com/pub/experimental/security/mips/sendmail-8.9.3-C7.mips.rpm

-RaQ 1 Qube 1-
ftp://ftp.cobaltnet.com/pub/experimental/security/mips/sendmail-8.8.8-1C4.mips.rpm

SRPMS:

-RaQ 3 RaQ 2 Qube 2-
ftp://ftp.cobaltnet.com/pub/experimental/security/srpms/sendmail-8.9.3-C7.src.rpm

-RaQ 1 Qube 1-
ftp://ftp.cobaltnet.com/pub/experimental/security/mips/sendmail-8.8.8-1C4.mips.rpm

MD5 sums

    Package Name                   MD5 sum
    -------------------------------------------------------------
    sendmail-8.9.3-C7.i386.rpm     9b28a5650f77a3d7bbeec2db064c2e82
    sendmail-8.9.3-C7.mips.rpm     9a27c638b77d833c41d42bfad7b21b7b
    sendmail-8.9.3-C7.src.rpm      3c6ce162b6de3cd072ed3f99e2200d3e
    sendmail-8.8.8-1C4.mips.rpm    5590d0a0955fef086e219aa67245aa86
    sendmail-8.8.8-1C4.src.rpm     10bb1f7ac3e6b1b817f4b6e4d17504ca

You can verify each rpm using the following command:

    rpm --checksig [package]

To install, use the following command, while logged in as root:

    rpm -U [package]

The package file format (pkg) for this fix is currently in testing, and will be available in the near future.

Jeff Bilicki
Cobalt Networks

*Note for Qube 1

After installing the RPM you will need to move /etc/sendmail.cf.rpmsave to /etc/sendmail.cf

If you are installing this sendmail on a Qube 1 you will need to do a couple of things before installing the rpm. After Qube1 we moved all the rc scripts into initscripts-cobalt, due to the way the rpm was built you might need to do the following. (This will be automated when the package is released)

1. Type as root:

    cp /etc/rc.d/init.d/sendmail /root/sendmail.tmp

2. Install the rpm using:

    rpm -U sendmail-8.8.8-1C4.mips.rpm

3. Type as root:

    mv /root/sendmail.tmp /etc/rc.d/init.d/sendmail
    mv /etc/rc.d/rc0.d/K30sendmail.rpmsave /etc/rc.d/rc0.d/K30sendmail
    mv /etc/rc.d/rc1.d/K30sendmail.rpmsave /etc/rc.d/rc1.d/K30sendmail
    mv /etc/rc.d/rc2.d/S60sendmail.rpmsave /etc/rc.d/rc2.d/S60sendmail
    mv /etc/rc.d/rc3.d/S80sendmail.rpmsave /etc/rc.d/rc3.d/S80sendmail
    mv /etc/rc.d/rc5.d/S80sendmail.rpmsave /etc/rc.d/rc5.d/S80sendmail
    mv /etc/rc.d/rc6.d/K30sendmail.rpmsave /etc/rc.d/rc6.d/K30sendmail
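
The open() call quoted in the Problem section empties the live /etc/aliases.db before any new contents exist, which is why a kill during the rebuild leaves mail delivery broken. The following C example is added here for illustration; it is not Sendmail code and not necessarily the change shipped in the RPMs above. It contrasts that pattern with a write-then-rename rebuild. The function names, the die_midway flag that simulates the kill, and the ".new" suffix are assumptions.

```c
/* Added example, not Sendmail source. Names and paths are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the advisory: O_TRUNC empties the live file at open() time,
 * so a process killed before it finishes writing leaves a broken file.
 * die_midway simulates the kill arriving right after open(). */
int rebuild_in_place(const char *path, const char *data, int die_midway)
{
    size_t len = strlen(data);
    int fd = open(path, O_RDWR | O_TRUNC);
    if (fd < 0) return -1;
    if (die_midway) { close(fd); return 1; }
    int ok = write(fd, data, len) == (ssize_t)len;
    close(fd);
    return ok ? 0 : -1;
}

/* Safer pattern: write a complete copy next to the live file, flush it,
 * then rename() it into place. rename() is atomic, so the live path always
 * names either the old complete file or the new complete file.
 * Assumes the directory is writable only by the rebuilding user. */
int rebuild_atomic(const char *path, const char *data, int die_midway)
{
    char tmp[4096];
    size_t len = strlen(data);
    if (snprintf(tmp, sizeof tmp, "%s.new", path) >= (int)sizeof tmp) return -1;
    unlink(tmp);                  /* clear a stale copy left by an earlier kill */
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;
    if (die_midway) { close(fd); return 1; }     /* live file untouched */
    int ok = write(fd, data, len) == (ssize_t)len && fsync(fd) == 0;
    close(fd);
    if (!ok || rename(tmp, path) != 0) { unlink(tmp); return -1; }
    return 0;
}

/* Size of a file in bytes, or -1 if it cannot be examined. */
long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}
```

With the in-place pattern an interrupted rebuild leaves a zero-length file; with the rename pattern the previous file is still complete and only a stale temporary copy remains.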