-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-96.10                        AUSCERT Advisory
                    smtpd-SIGHUP sendmail vulnerability
                                18 November 1996

Last Revised: 7 February 1997
    Added vendor information pointer

- ---------------------------------------------------------------------------
AUSCERT has received information that sendmail versions 8.7.x to 8.8.2
(inclusive) contain a serious security vulnerability.

This vulnerability may allow local users to gain root privileges.

Exploit details involving this vulnerability have been widely distributed.

AUSCERT recommends that sites takes the steps outlined in Section 3
as soon as possible.
- ---------------------------------------------------------------------------

1.  Description

    A vulnerability exists in all versions of sendmail from 8.7.x to 8.8.2
    that allows local users to gain root privileges.

    A user can invoke sendmail in "daemon" mode by naming it to be "smtpd".
    Due to a coding error, this bypasses the usual check that only root
    can start the daemon.  As of 8.7, sendmail will restart itself when
    it gets a SIGHUP signal.  By manipulating the environment in which
    sendmail is run it is possible to force sendmail into executing an
    arbitrary program with root privileges.

    AUSCERT has been informed that sendmail versions prior to 8.8.x are
    no longer supported.  Sites using older versions of sendmail will need
    to upgrade to the current version of sendmail.

    Sites can determine their version of sendmail by executing:

  % cat /dev/null | sendmail -d0 -bt | grep Version

2.  Impact

    Local users can gain root privileges.

3.  Workarounds/Solution

    AUSCERT recommends that sites upgrade to the current version of
    sendmail (see Section 3.1).

    CERT/CC have also released an advisory on this problem (CA-96.24).
    This advisory contains specific vendor information and an additional
    workaround that was not available at the original time of writing this
    advisory.  To obtain this vendor information, sites are encouraged to
    retrieve CA-96.24 titled CA-96.24.sendmail.daemon.mode from:

  ftp://info.cert.org/pub/cert_advisories/
  ftp://ftp.auscert.org.au/pub/cert/cert_advisories/

3.1 Upgrade to current version of sendmail

    Eric Allman has released a new version of sendmail (8.8.3) which fixes
    this vulnerability.  

    There is no patch for 8.7.6.  Sites running 8.7.x or previous versions
    will need to upgrade to 8.8.3.

    Sendmail 8.8.3 can be obtained from the following locations.

        ftp://ftp.sendmail.org/ucb/src/sendmail/
        ftp://ftp.cert.dfn.de/pub/tools/net/sendmail/
        ftp://ftp.auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu/ucb/sendmail/

    The MD5 checksum for this distribution is:

        MD5 (sendmail.8.8.3.patch) = 5b550b509b98912bea453b7a2c25d378
        MD5 (sendmail.8.8.3.tar.gz) = 0cb58caae93a19ac69ddd40660e01646
        MD5 (sendmail.8.8.3.tar.Z) = 7f7c5463012f8d7af368a79d417c72de

- ---------------------------------------------------------------------------
AUSCERT thanks Eric Allman for his rapid response to this vulnerability
and his assistance in the preparation of this advisory.
- ---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures.  AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre.  AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:  (07) 3365 4477
Telephone:  (07) 3365 4417 (International: +61 7 3365 4417)
    AUSCERT personnel answer during Queensland business hours
    which are GMT+10:00 (AEST).
    On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History

7 Feb 1997  Added a pointer to CERT advisory CA-96.24 which
    contained specific vendor information not previously
    available.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBMvsytyh9+71yA2DNAQHeRQP/ZS8ppGN9+Us+OTvzkBESSNfjKZESmxxP
jSR64+6NR831HPgDVrAt5wsvREp9CcGy9QYV27vMgF8NUp9jtH+iAL1D02210yh4
8Ko1YiAfBQvCj0HNZyOchvLTcxRwT/5lh7RENgYFc4TknwxR+UtVYCIs0/z5a3zB
IvqBTRkw8gc=
=clQy
-----END PGP SIGNATURE-----