Sun Sendmail -oR Vulnerability
=============================================================================
CERT(sm) Advisory CA-95:11
Original issue date: September 19, 1995
Last revised: September 21, 1996
              This advisory is superseded by CA-96.20.
              A complete revision history is at the end of this file.
Topic: Sun Sendmail -oR Vulnerability
-----------------------------------------------------------------------------
                 *** SUPERSEDED BY CA-96.20 ***
The CERT Coordination Center has received reports of problems with the -oR
option in sendmail. The problem is present in the version of sendmail that is
available from Sun Microsystems, Inc. in SunOS 4.1.X, including patches
100377-19 (for SunOS 4.1.3), 101665-04 (for SunOS 4.1.3_U1), and 102423-01
(for SunOS 4.1.4).
***This vulnerability is widely known and is currently being actively
   exploited by intruders.***
The CERT staff recommends installing the appropriate patches as soon as they
are available from Sun Microsystems. Alternatives are installing a wrapper
or installing sendmail version 8.6.12; see Section III for details. (Although
sendmail 8.7 recently became available, we have not yet reviewed it.)
We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.
-----------------------------------------------------------------------------
I.  Description
    There is a problem with the way that the Sun Microsystems, Inc.
    version of sendmail processes the -oR option.  This problem has been
    verified as existing in the version of sendmail that is in SunOS
    4.1.X, including patches 100377-19 (for SunOS 4.1.3), 101665-04 (for
    SunOS 4.1.3_U1), and 102423-01 (for SunOS 4.1.4).
    The -oR option names the host, called the mail hub, to which mail
    should be forwarded when a user on a client of that hub receives
    mail.  The hub can be identified in any of three ways: with the -oR
    option on the command line as
        -oRhost_name
    or in the configuration file as
        ORhost_name
    or implicitly, by NFS mounting the /var/spool/mail directory from a
    file server (usually the mail hub itself).  In the NFS case the host
    name of the file server is used as the forwarding host, playing the
    role of host_name above.
    All three configurations are vulnerable.
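    As an added check (example code, not part of this advisory or of Sun's
    sendmail), the following Bourne shell script looks for each of the three
    configurations described above: an OR line in sendmail.cf, a -oR flag on
    the sendmail invocation in the boot script, and an NFS mount of
    /var/spool/mail in /etc/fstab.  The paths it takes as arguments are the
    SunOS defaults, and the sample files it builds for the offline demo are
    constructed here.  It reports configuration only; it does not probe the
    sendmail binary.

```sh
#!/bin/sh
# Added example: audits a SunOS 4.1.x host for the three ways Section I says
# the -oR mail hub can be set. Not part of the CERT advisory. The paths passed
# in are the SunOS defaults (/etc/sendmail.cf, /etc/rc.local, /etc/fstab); the
# sample file contents below are constructed for the demo.

# 1. Config-file form "ORhost_name": print the host, exit 1 if absent.
cf_mail_hub() {
    awk '/^OR/ { print substr($1, 3); found = 1; exit } END { exit !found }' "$1"
}

# 2. Command-line form "-oRhost_name" on a sendmail invocation in a boot script.
rc_mail_hub() {
    awk '/^[ \t]*#/ { next }
         /sendmail/ { for (i = 1; i <= NF; i++)
                          if ($i ~ /^-oR/) { print substr($i, 4); found = 1; exit } }
         END { exit !found }' "$1"
}

# 3. /var/spool/mail NFS-mounted from a file server; the server is the implied hub.
fstab_mail_server() {
    awk '$2 == "/var/spool/mail" && $3 == "nfs" {
             split($1, srv, ":"); print srv[1]; found = 1; exit }
         END { exit !found }' "$1"
}

# Prints one line per configuration found. Returns 0 only when none of the
# three is present, i.e. the host is not configured for the -oR code path.
audit_sendmail_oR() {
    cf=$1; rc=$2; fstab=$3; hits=0
    if hub=$(cf_mail_hub "$cf" 2>/dev/null); then
        echo "OR option in $cf -> mail hub $hub"; hits=$((hits + 1))
    fi
    if hub=$(rc_mail_hub "$rc" 2>/dev/null); then
        echo "-oR flag in $rc -> mail hub $hub"; hits=$((hits + 1))
    fi
    if srv=$(fstab_mail_server "$fstab" 2>/dev/null); then
        echo "/var/spool/mail NFS-mounted in $fstab -> file server $srv"; hits=$((hits + 1))
    fi
    [ "$hits" -eq 0 ]
}

# Constructed sample files (hostnames are invented) for an offline run;
# prints the directory created.
make_constructed_samples() {
    d=$(mktemp -d)
    printf 'Dj$w\nORmailhub.example.edu\nOA/etc/aliases\n' > "$d/sendmail.cf"
    printf '# start sendmail\n/usr/lib/sendmail -bd -q1h -oRmailhub.example.edu\n' > "$d/rc.local"
    printf '/dev/sd0a / 4.2 rw 1 1\nfileserv.example.edu:/var/spool/mail /var/spool/mail nfs rw 0 0\n' > "$d/fstab"
    echo "$d"
}

samples=$(make_constructed_samples)
audit_sendmail_oR "$samples/sendmail.cf" "$samples/rc.local" "$samples/fstab" \
    || echo "host is configured for a vulnerable -oR code path"
rm -rf "$samples"
```

    A host where all three checks come back clean is not configured for the
    vulnerable code path but is still running the vulnerable binary; apply
    Section III regardless.  If sendmail is started from a different rc file
    at your site, pass that file as the second argument.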
II. Impact
     By exploiting this vulnerability, local users may be able to
     gain unauthorized root access and subsequently read any file on the
     system, overwrite or destroy files, or run programs on the system.
     Remote users cannot exploit this vulnerability.
III. Solutions
     A. Install a patch from Sun Microsystems.
        Check with your local SunService and SunSoft Support Services
        organizations or SunSolve Online at the URL
           http://sunsolve1.sun.com
     B. Install the sendmail wrapper available from
        ftp://info.cert.org/pub/tools/sendmail/sendmail_wrapper
        ftp://ftp.cs.berkeley.edu/pub/sendmail/sendmail_wrapper.c
        ftp://ftp.auscert.org.au:/pub/auscert/tools/sendmail_wrapper.c
        MD5 = f4049cc56075ddb142f5bd70a53ba341
        If you already have this wrapper and are running any version
        prior to version 1.6, you should immediately upgrade. Details
        can be found in section 3.1 of AUSCERT advisory (AA-95.09b), available
        from
        ftp://ftp.auscert.org.au/pub/auscert/auscert-advisory
     C. An alternative to using the patch or wrapper is to install the latest
        version of sendmail (as of the issue date of this advisory, it was
        version 8.6.12) and the sendmail restricted shell program ("smrsh").
        1. Install sendmail 8.6.12 or later.
           Information on latest versions is available from
             ftp://info.cert.org/pub/latest_sw_versions/
           Sendmail is available by anonymous FTP from
             ftp://ftp.cs.berkeley.edu/ucb/sendmail/
             ftp://info.cert.org/pub/tools/sendmail/
             ftp://ftp.auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu/ucb/sendmail/
             ftp://ftp.cert.dfn.de/pub/tools/net/sendmail/
           Checksums for 8.6.12
           MD5 (sendmail.8.6.12.base.tar.Z) = 31591dfb0dacbe0a7e06147747a6ccea
           MD5 (sendmail.8.6.12.cf.tar.Z) = c60becd7628fad715df8f7e13dcf3cc6
           MD5 (sendmail.8.6.12.misc.tar.Z) = 6212390ca0bb4b353e29521f1aab492f
           MD5 (sendmail.8.6.12.patch) = 10961687c087ef30920b13185eef41e8
           MD5 (sendmail.8.6.12.xdoc.tar.Z) = 8b2252943f365f303b6302b71ef9a841
           A note on configuration:
           Depending upon the currently installed sendmail program, switching
           to a different sendmail may require significant effort, such as
           rewriting the sendmail.cf file.  We strongly recommend that if
           you change to sendmail 8.6.12, you also change to the
           configuration files that are provided with that version.
           In addition, a paper is available to help you convert your sendmail
           configuration files from Sun's version of sendmail to one that
           works with version 8.6.12: "Converting Standard Sun Config Files to
           Sendmail Version 8" by Rick McCarty of Texas Instruments Inc.
           This paper is included in the sendmail.8.6.12.misc.tar.Z file and
           is located in contrib/converting.sun.configs.
        2. Install the sendmail restricted shell program
           To restrict the sendmail program mailer facility, install
           the sendmail restricted shell program (smrsh) by Eric Allman
           (the original author of sendmail), following the directions
           included with the program.
           Copies of this program may be obtained from
             ftp://info.cert.org/pub/tools/smrsh
             ftp://ftp.uu.net/pub/security/smrsh
           The checksums are
             MD5 (README)  = fc4cf266288511099e44b664806a5594
             MD5 (smrsh.8) = 35aeefba9714f251a3610c7b1714e355
             MD5 (smrsh.c) = d4822ce7c273fc8b93c68e39ec67739c
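           Before installing either the wrapper (III.B) or the sendmail 8.6.12
           and smrsh files (III.C), verify the downloads against the checksums
           printed above.  The following shell function, added here as an
           example and not part of the advisory or of any of these
           distributions, reads checksum lines in the advisory's own format,
           "MD5 (file) = hash", and checks each named file in a directory,
           using md5sum or BSD md5, whichever is installed.  The wrapper's
           bare "MD5 = hash" line must be copied into the list with its file
           name, as "MD5 (sendmail_wrapper.c) = hash".  The files and most of
           the hashes in the demo are constructed: the hash shown for the
           stand-in download is that of the three-byte string "abc", not of
           any real distribution file.

```sh
#!/bin/sh
# Added example: verifies downloaded files against "MD5 (file) = hash" lines
# as printed in this advisory. Not part of the advisory or of sendmail. The
# demo files below are constructed stand-ins, not real distribution files.

# Portable MD5 of one file: GNU md5sum or BSD md5, whichever exists.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        echo "no md5 tool found" >&2; return 2
    fi
}

# Reads "MD5 (name) = hash" lines from the list $1 and checks each name under
# directory $2. Lines in any other format are ignored. Prints OK / FAILED /
# MISSING per file and returns 0 only when every listed file matches.
verify_md5_list() {
    list=$1; dir=$2; bad=0
    while IFS= read -r line; do
        case $line in
            "MD5 ("*") = "*) ;;
            *) continue ;;
        esac
        name=${line#"MD5 ("}; name=${name%%")"*}
        want=$(printf '%s' "${line##*"= "}" | tr 'A-F' 'a-f')
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"; bad=1; continue
        fi
        got=$(md5_of "$dir/$name")
        if [ "$got" = "$want" ]; then
            echo "OK      $name"
        else
            echo "FAILED  $name (expected $want, got $got)"; bad=1
        fi
    done < "$list"
    return $bad
}

# Offline demo with constructed files: one good file, one altered file, one
# absent file. The first two hashes are of the string "abc"; the README hash
# is the one listed in Section III.C.2, with the file deliberately absent.
d=$(mktemp -d)
printf '%s' abc > "$d/sendmail_wrapper.c"    # constructed stand-in, hash matches
printf '%s' abX > "$d/smrsh.c"               # constructed, deliberately altered
cat > "$d/CHECKSUMS" <<'EOF'
MD5 (sendmail_wrapper.c) = 900150983cd24fb0d6963f7d28e17f72
MD5 (smrsh.c) = 900150983cd24fb0d6963f7d28e17f72
MD5 (README) = fc4cf266288511099e44b664806a5594
EOF
verify_md5_list "$d/CHECKSUMS" "$d" || echo "do not install: checksum verification failed"
rm -rf "$d"
```

           Hash comparison is done case-insensitively, since some tools print
           uppercase digests.  A FAILED result on a file fetched from one of
           the mirrors above means the copy is corrupt or altered; fetch it
           again from another listed site rather than installing it.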
---------------------------------------------------------------------------
The CERT Coordination Center thanks AUSCERT for providing the sendmail
wrapper.
---------------------------------------------------------------------------
If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).
If you wish to send sensitive incident or vulnerability information to
CERT staff by electronic mail, we strongly advise that the email be
encrypted.  The CERT Coordination Center can support a shared DES key, PGP
(public key available via anonymous FTP on info.cert.org), or PEM (contact
CERT staff for details).
Internet email: cert@cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
           and are on call for emergencies during other hours.
Fax: +1 412-268-6989
Postal address:  CERT Coordination Center
                 Software Engineering Institute
                 Carnegie Mellon University
                 Pittsburgh, PA 15213-3890
                 USA
CERT advisories and bulletins are posted on the USENET newsgroup
comp.security.announce. If you would like to have future advisories and
bulletins mailed to you or to a mail exploder at your site, please send mail
to cert-advisory-request@cert.org.
Past CERT publications, information about FIRST representatives, and
other information related to computer security are available for anonymous
FTP from info.cert.org.
Copyright 1995, 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the copyright statement is included.
CERT is a service mark of Carnegie Mellon University.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history
Sep. 21, 1996 Superseded by CA-96.20.
Aug. 30, 1996  Information previously in the README was inserted
               into the advisory.
Sep. 25, 1995  Sec. III.B - added note to upgrade if a site is using the
                sendmail wrapper prior to version 1.6. Updated
                pointers and checksum.