CERT ADVISORY - Sendmail Vulnerability
CERT Advisory
cert-advisory-request at cert.org
Fri Nov 5 02:47:47 UTC 1993
=============================================================================
CA-93:16 CERT Advisory
November 4, 1993
Sendmail Vulnerability
-----------------------------------------------------------------------------
The CERT Coordination Center is working on eliminating a vulnerability in
sendmail(8). This vulnerability potentially affects all systems running
sendmail.
CERT is working with the vendor community to address this vulnerability. At
this time, there are no known patches available for any vendor implementation
that fully address this vulnerability. Until there is complete vendor
information, CERT recommends that all implementations of sendmail be
considered susceptible.
This advisory supersedes the sendmail portion of the CERT advisory (CA-93:15)
of October 21, 1993.
CERT will continue to work with the vendors and will alert the community
when patches become available.
Included with this advisory is an appendix describing tips that can be used
by system administrators who are concerned about the possible exploitation
of this vulnerability at their site.
-----------------------------------------------------------------------------
I. Description
A vulnerability exists in most versions of sendmail that allows
unauthorized remote or local users to execute programs as any system
user other than root.
This vulnerability affects the final destination sendmail host
and can be exploited through an intermediate mail machine. Therefore,
all sendmail recipient machines within a domain are potentially
vulnerable.
II. Impact
Anyone (remote or local) can execute programs on the affected hosts
as any userid other than root.
III. Approaches
CERT suggests three possible approaches to this problem. Although
these approaches address all known aspects of this vulnerability,
they are suggested only until vendor patches for this sendmail
vulnerability are available.
Familiarity with sendmail and its installation and configuration,
is recommended before implementing these modifications.
In order to protect your entire site it is necessary to apply the selected
approach to *ALL* systems running sendmail at the site, and not just
the mail hub.
A. Approach 1
This approach involves modifying the sendmail configuration
to restrict the sendmail program mailer facility.
To restrict sendmail's program mailer facility, obtain
and install the sendmail restricted shell program (smrsh 1.2)
by Eric Allman (the original author of sendmail), following the
directions included with the program.
1. Where to obtain the program
Copies of this program may be obtained via anonymous FTP from
info.cert.org, in the /pub/tools/smrsh directory, or via
anonymous FTP from ftp.uu.net in the /pub/security/smrsh
directory.
Checksum information:
BSD Sum
30114 5 README
25757 2 smrsh.8
46786 5 smrsh.c
System V Sum
56478 10 README
42281 4 smrsh.8
65517 9 smrsh.c
MD5 Checksum
MD5 (README) = fc4cf266288511099e44b664806a5594
MD5 (smrsh.8) = 35aeefba9714f251a3610c7b1714e355
MD5 (smrsh.c) = d4822ce7c273fc8b93c68e39ec67739c
2. Impacts of this approach
While this approach allows a site to specify which programs
can be run by sendmail (e.g. vacation(1)), attempts to invoke
programs that are not included in the allowed set, or attempts
using shell meta-characters (see smrsh program listing for a
complete set of disallowed characters), will fail, resulting in
log output to the syslog(3) facility. Programs that are specified
in a site's /etc/aliases file should be considered for inclusion
in the allowable program list.
Since .forward files allow user-specified programs to be
run by sendmail, a survey of the contents of the system's
.forward files may be required to prevent failure to deliver
user mail.
*** WARNING ***************************************************
* It is very important that sites *NOT* include interpreter *
* programs (e.g. /bin/sh, /bin/csh, /bin/perl, /bin/uudecode, *
* /bin/sed, ...) in the list of allowed programs. *
***************************************************************
B. Approach 2
Like approach 1, this approach involves modifying the sendmail
configuration. However, this approach completely disables the
sendmail program mailer facility. This is a drastic, but quick
action that can be taken while a site installs one of the
other suggestions. Before implementing this approach, save a copy
of the current sendmail configuration file.
To implement this approach edit the sendmail.cf file:
change from:
Mprog, P=/bin/sh, F=slFDM, S=10, R=20, A=sh -c $u
to:
Mprog, P=/bin/false, F=, S=10, R=20, A=
Any changes to the sendmail.cf file will require that the
sendmail process be restarted to ensure that the new configuration
is used. See item 3 in Appendix A for more details.
1. Impacts of this approach
Attempts to invoke programs through sendmail will not
be successful.
C. Approach 3
To the best of our knowledge, Eric Allman's public domain
implementation of sendmail, sendmail 8.6.4, does not appear to
be susceptible to this vulnerability. A working solution would
then be to replace a site's sendmail, with sendmail 8.6.4.
1. Where to obtain the program
Copies of this version of sendmail may be obtained via
anonymous FTP from ftp.cs.berkeley.edu in the
/ucb/sendmail directory.
Checksum information:
BSD Sum
sendmail.8.6.4.base.tar.Z: 07718 428
sendmail.8.6.4.cf.tar.Z: 28004 179
sendmail.8.6.4.misc.tar.Z: 57299 102
sendmail.8.6.4.xdoc.tar.Z: 33954 251
System V Sum
64609 856 sendmail.8.6.4.base.tar.Z
42112 357 sendmail.8.6.4.cf.tar.Z
8101 203 sendmail.8.6.4.misc.tar.Z
50037 502 sendmail.8.6.4.xdoc.tar.Z
MD5 Checksum
MD5 (sendmail.8.6.4.base.tar.Z) = 59727f2f99b0e47a74d804f7ff654621
MD5 (sendmail.8.6.4.cf.tar.Z) = cb7ab7751fb8b45167758e9485878f6f
MD5 (sendmail.8.6.4.misc.tar.Z) = 8eaa6fbe9e9226667f719af0c1bde755
MD5 (sendmail.8.6.4.xdoc.tar.Z) = a9da24e504832f21a3069dc2151870e6
2. Impacts of this workaround
Depending upon the currently installed sendmail program,
switching to a different sendmail may require significant
effort for the system administrator to become familiar with
the new program. The site's sendmail configuration file
may require considerable modification in order to provide
existing functionality. In some cases, the site's sendmail
configuration file may be incompatible with the sendmail 8.6.4
configuration file.
---------------------------------------------------------------------------
The CERT Coordination Center wishes to thank the members of the following
response teams for their assistance in analyzing and testing both the
problem and the solutions: SERT, ASSIST, CIAC, and DFN-CERT. CERT would
especially like to thank Eric Allman, Matt Blaze, Andy Sherman, Gene Spafford,
Tim Seaver, and many others who have provided technical assistance with
this effort.
---------------------------------------------------------------------------
If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in Forum of Incident
Response and Security Teams (FIRST).
Internet E-mail: cert at cert.org
Telephone: 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
and are on call for emergencies during other hours.
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
Past advisories, information about FIRST representatives, and other
information related to computer security are available via anonymous FTP
from info.cert.org.
Appendix A
This appendix describes tips that can be used by system administrators
who are concerned about the possible exploitation of this vulnerability at
their site.
There are two actions that can be taken by system administrators to try
to detect the exploitation of this vulnerability at their sites.
- Examine all bounced mail to look for unusual occurrences.
- Examine syslog files for unusual occurrences of "|" characters
In order to do this, sendmail must be configured to direct bounced mail to
the postmaster (or other designated person who will examine the bounced mail).
Sendmail must also be configured to provide adequate logging.
1) To direct bounced mail to the postmaster, place the following entry in
the options part of the general configuration information section of
the sendmail.cf file.
# Cc my postmaster on error replies I generate
OPpostmaster
2) To set sendmail's logging level, place the following entry in the options
part of the general configuration information section of the sendmail.cf
file. Note that the logging level should be 9 or higher in order to provide
adequate logging.
# log level
OL9
3) Once changes have been made in the sendmail configuration file,
it will be necessary to kill all existing sendmail processes,
refreeze the configuration file (if needed - see the note below),
and restart the sendmail program.
Here is an example from SunOS 4.1.2:
As root:
# /usr/bin/ps -aux | /usr/bin/grep sendmail
root 130 0.0 0.0 168 0 ? IW Oct 2 0:10 /usr/lib/sendmail -bd -q
# /bin/kill -9 130 (kill the current sendmail process)
# /usr/lib/sendmail -bz (create the configuration freeze file)
# /usr/lib/sendmail -bd -q30m (run the sendmail daemon)
**Note: Some sites do not use frozen configuration files and some do. If
your site is using frozen configuration files, there will be a file
named sendmail.fc in the same directory as the sendmail configuration
file (sendmail.cf).
More information about the NANOG
mailing list