Date: Wed, 24 Nov 1999 02:40:48 -0800
From: Jeff Bilicki <[email protected]>
To: [email protected]
Subject: [ COBALT ] Security Advisory - Sendmail
Cobalt Networks -- Security Advisory -- 11.24.1999
Problem:
Sendmail up to the recent 8.9.x versions allows any user with shell
access to pass the '-bi' parameter to /usr/sbin/sendmail. This will
result in an aliases database rebuild. The alias database is opened in the
following way:
5366 open("/etc/aliases.db", O_RDWR|O_TRUNC) = 6
There's an approx. 0.1 sec delay due to /etc/aliases.db processing (on many
common systems). In the meantime, a luser might deliver any signal to the
Sendmail process, like SIGKILL. After that, /etc/aliases.db will be left
in an unusable state (no EOF marker), causing DoS:
220 Marchew ESMTP Mail Service at nimue.ids.pl ready.
mail from: myself
451 Cannot open hash database /etc/aliases: Invalid argument
rcpt to: lcamtuf
503 Need MAIL before RCPT
This vulnerability and problem text were produced by Michal Zalewski
<[email protected]>
Relevant products and architectures (all languages)
Product    Architecture    Vulnerable
Qube1      MIPS            yes
Qube2      MIPS            yes
RaQ1       MIPS            yes
RaQ2       MIPS            yes
RaQ3       x86             yes
Conflicts:
-RaQ 1-
After installing the RPM you will need to move /etc/sendmail.cf.rpmsave
to /etc/sendmail.cf and restart sendmail
-Qube1-
See *Note
RPMS:
-RaQ 3-
ftp://ftp.cobaltnet.com/pub/experimental/security/i386/sendmail-8.9.3-C7.i386.rpm
-RaQ 2 Qube 2-
ftp://ftp.cobaltnet.com/pub/experimental/security/mips/sendmail-8.9.3-C7.mips.rpm
-RaQ 1 Qube 1-
ftp://ftp.cobaltnet.com/pub/experimental/security/mips/sendmail-8.8.8-1C4.mips.rpm
SRPMS:
-RaQ 3 RaQ 2 Qube 2-
ftp://ftp.cobaltnet.com/pub/experimental/security/srpms/sendmail-8.9.3-C7.src.rpm
-RaQ 1 Qube 1-
ftp://ftp.cobaltnet.com/pub/experimental/security/mips/sendmail-8.8.8-1C4.mips.rpm
Package Name                   MD5 sum
-------------------------------------------------------------
sendmail-8.9.3-C7.i386.rpm     9b28a5650f77a3d7bbeec2db064c2e82
sendmail-8.9.3-C7.mips.rpm     9a27c638b77d833c41d42bfad7b21b7b
sendmail-8.9.3-C7.src.rpm      3c6ce162b6de3cd072ed3f99e2200d3e
sendmail-8.8.8-1C4.mips.rpm    5590d0a0955fef086e219aa67245aa86
sendmail-8.8.8-1C4.src.rpm     10bb1f7ac3e6b1b817f4b6e4d17504ca
You can verify each rpm using the following command:
rpm --checksig [package]
To install, use the following command, while logged in as root:
rpm -U [package]
The package file format (pkg) for this fix is currently in testing, and
will be available in the near future.
Jeff Bilicki
Cobalt Networks
*Note for Qube 1
After installing the RPM you will need to move /etc/sendmail.cf.rpmsave
to /etc/sendmail.cf
If you are installing this sendmail on a Qube 1 you will need to do a
couple of things before installing the rpm. After Qube1 we moved all the
rc scripts into initscripts-cobalt. Due to the way the rpm was built you
might need to do the following. (This will be automated when the
package is released)
1. Type as root:
cp /etc/rc.d/init.d/sendmail /root/sendmail.tmp
2. Install the rpm using: rpm -U sendmail-8.8.8-1C4.mips.rpm
3. Type as root:
mv /root/sendmail.tmp /etc/rc.d/init.d/sendmail
mv /etc/rc.d/rc0.d/K30sendmail.rpmsave /etc/rc.d/rc0.d/K30sendmail
mv /etc/rc.d/rc1.d/K30sendmail.rpmsave /etc/rc.d/rc1.d/K30sendmail
mv /etc/rc.d/rc2.d/S60sendmail.rpmsave /etc/rc.d/rc2.d/S60sendmail
mv /etc/rc.d/rc3.d/S80sendmail.rpmsave /etc/rc.d/rc3.d/S80sendmail
mv /etc/rc.d/rc5.d/S80sendmail.rpmsave /etc/rc.d/rc5.d/S80sendmail
mv /etc/rc.d/rc6.d/K30sendmail.rpmsave /etc/rc.d/rc6.d/K30sendmail
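
The Problem section above turns on the open() flags: O_TRUNC empties the live /etc/aliases.db before any replacement data exists, so a writer that dies mid-rebuild leaves a partial file. The following is an added example, not Cobalt or Sendmail code and not the change shipped in these RPMs; it contrasts that pattern with building a new copy and publishing it via rename(). All function names, the demo path and the `cut` parameter (which models the writer stopping early) are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Write n bytes, but stop after `cut` bytes to model the writer dying mid-rebuild. */
static int write_some(int fd, const char *buf, size_t n, size_t cut) {
    size_t want = cut < n ? cut : n;
    if (write(fd, buf, want) != (ssize_t)want) return -1;
    return cut < n ? 1 : 0;              /* 1 = interrupted, 0 = complete */
}

/* Pattern from the strace line: the live file is emptied before new data exists. */
int rebuild_in_place(const char *path, const char *buf, size_t n, size_t cut) {
    int fd = open(path, O_RDWR | O_TRUNC | O_CREAT, 0644);
    if (fd < 0) return -1;
    int r = write_some(fd, buf, n, cut);
    close(fd);
    return r;
}

/* Build the new copy beside the live file; publish it with rename() only when complete. */
int rebuild_atomic(const char *path, const char *buf, size_t n, size_t cut) {
    char tmp[512];
    snprintf(tmp, sizeof tmp, "%s.tmp", path);
    int fd = open(tmp, O_WRONLY | O_TRUNC | O_CREAT, 0644);
    if (fd < 0) return -1;
    int r = write_some(fd, buf, n, cut);
    if (r == 0 && fsync(fd) != 0) r = -1;
    close(fd);
    if (r != 0) { unlink(tmp); return r; }  /* a killed writer would leave a stale .tmp instead */
    return rename(tmp, path) == 0 ? 0 : -1;
}
long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

int main(void) {
    const char *p = "/tmp/aliases_demo.db";   /* constructed demo path, not a real alias db */
    const char *old = "postmaster: root\n", *fresh = "postmaster: root\nabuse: root\n";
    rebuild_atomic(p, old, strlen(old), strlen(old));
    rebuild_atomic(p, fresh, strlen(fresh), 5);
    printf("atomic, interrupted:   %ld bytes (old copy intact)\n", file_size(p));
    rebuild_in_place(p, fresh, strlen(fresh), 5);
    printf("in place, interrupted: %ld bytes (truncated)\n", file_size(p));
    unlink(p);
    return 0;
}
```

With the rename() approach readers only ever see the old complete file or the new complete file, which is the property the in-place rebuild lacks.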