Cobalt Networks -- Security Advisory -- 11.24.1999
Problem:
Sendmail up to the recent 8.9.x versions - allows any user with a shell
access to pass the '-bi' parameter to /usr/sbin/sendmail. This will
result in aliases database rebuild. The alias database is opened in the
following way:
5366 open("/etc/aliases.db", O_RDWR|O_TRUNC) = 6
There's approx 0.1 sec delay due to /etc/aliases.db processing (on many
common systems). Meantime, luser might deliver any signals to the
Sendmail process, like SIGKILL. After that, /etc/aliases.db will be left
in an unusable state (no EOF marker), causing DoS:
220 Marchew ESMTP Mail Service at nimue.ids.pl ready. mail from: myself
451 Cannot open hash database /etc/aliases: Invalid argument rcpt to:
lcamtuf
503 Need MAIL before RCPT
This vulnerability and problem text were produced by Michal Zalewski
<lcamtuf@xxxxxx>
Relevant products and architectures (all languages)
Product Architecture Vulnerable
Qube1 MIPS yes
Qube2 MIPS yes
RaQ1 MIPS yes
RaQ2 MIPS yes
RaQ3 x86 yes
Conflicts:
-RaQ 1-
After installing the RPM you will need to move /etc/sendmail.cf.rpmsave
to /etc/sendmail.cf and restart sendmail
-Qube1-
See *Note
RPMS:
-RaQ 3-
ftp://ftp.cobaltnet.com/pub/experimental/security/i386/sendmail-8.9.3-C7.i386.rpm
-RaQ 2 Qube 2-
ftp://ftp.cobaltnet.com/pub/experimental/security/mips/sendmail-8.9.3-C7.mips.rpm
-RaQ 1 Qube 1-
ftp://ftp.cobaltnet.com/pub/experimental/security/mips/sendmail-8.8.8-1C4.mips.rpm
SRPMS:
-RaQ 3 RaQ 2 Qube 2-
ftp://ftp.cobaltnet.com/pub/experimental/security/srpms/sendmail-8.9.3-C7.src.rpm
-RaQ 1 Qube 1-
ftp://ftp.cobaltnet.com/pub/experimental/security/mips/sendmail-8.8.8-1C4.mips.rpm
MD5 sums Package Name
-------------------------------------------------------------
sendmail-8.9.3-C7.i386.rpm 9b28a5650f77a3d7bbeec2db064c2e82
sendmail-8.9.3-C7.mips.rpm 9a27c638b77d833c41d42bfad7b21b7b
sendmail-8.9.3-C7.src.rpm 3c6ce162b6de3cd072ed3f99e2200d3e
sendmail-8.8.8-1C4.mips.rpm 5590d0a0955fef086e219aa67245aa86
sendmail-8.8.8-1C4.src.rpm 10bb1f7ac3e6b1b817f4b6e4d17504ca
You can verify each rpm using the following command:
rpm --checksig [package]
To install, use the following command, while logged in as root:
rpm -U [package]
The package file format (pkg) for this fix is currently in testing, and
will be available in the near future.
Jeff Bilicki
Cobalt Networks
*Note for Qube 1
After installing the RPM you will need to move /etc/sendmail.cf.rpmsave
to /etc/sendmail.cf
If you are installing this sendmail on a Qube 1 you will need to do a
couple of thing before installing the rpm. After Qube1 we moved all the
rc scripts into initscripts-cobalt, due to the way the rpm was built you
might need to do the following. (This will be automated when the
package is released)
1. Type as root:
cp /etc/rc.d/init.d/sendmail /root/sendmail.tmp
2. Install the rpm using: rpm -U sendmail-8.8.8-1C4.mips.rpm
3. Type as root:
mv /root/sendmail.tmp /etc/rc.d/init.d/sendmail
mv /etc/rc.d/rc0.d/K30sendmail.rpmsave /etc/rc.d/rc0.d/K30sendmail
mv /etc/rc.d/rc1.d/K30sendmail.rpmsave /etc/rc.d/rc1.d/K30sendmail
mv /etc/rc.d/rc2.d/S60sendmail.rpmsave /etc/rc.d/rc2.d/S60sendmail
mv /etc/rc.d/rc3.d/S80sendmail.rpmsave /etc/rc.d/rc3.d/S80sendmail
mv /etc/rc.d/rc5.d/S80sendmail.rpmsave /etc/rc.d/rc5.d/S80sendmail
mv /etc/rc.d/rc6.d/K30sendmail.rpmsave /etc/rc.d/rc6.d/K30sendmail
Zeffie's Sun Cobalt User Forums
Zeffie's Sun Cobalt Restore CD's
Zeffie's Sun Cobalt Updates
Sun Cobalt Users List
Sun Cobalt Security List
Sun Cobalt Developers List
Copyright 2007 by Electronic Consultants Inc.