Home page logo
/

bugtraq logo Bugtraq mailing list archives

Mail Header Buffer Overflow In Sendmail
From: SGI Security Coordinator <agent99 () sgi com>
Date: Mon, 3 Mar 2003 09:09:17 -0800

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________
                          SGI Security Advisory


Title    : Mail Header Buffer Overflow In Sendmail
Number   : 20030301-01-P
Date     : March 3, 2003
Reference: CERT VU#398025
Reference: CERT CA-2003-07
Reference: CVE CAN-2002-1337
Reference: SGI BUG 869098 875386 880975

Fixed in : IRIX 6.5.20 or patches 4975 and 4976
______________________________________________________________________________

- -----------------------
- --- Issue Specifics ---
- -----------------------

ISS and sendmail.org have reported that there is a vulnerability involving
mail header manipulation that can result in a remote user gaining
root access to a system receiving mail through sendmail.

http://www.sendmail.org/8.12.8.html
http://www.cert.org/advisories/CA-2003-07.html
http://www.kb.cert.org/vuls/id/398025
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1337

SGI has investigated the issue and recommends the following steps for
neutralizing the exposure.  It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.

These issues have been corrected with patches and in future releases of
IRIX.


- --------------
- --- Impact ---
- --------------

The sendmail binary is installed by default on IRIX 6.5 systems as part of
eoe.sw.base.

To determine the version of IRIX you are running, execute the following
command:

  # /bin/uname -R

That will return a result similar to the following:

  # 6.5 6.5.19f

The first number ("6.5") is the release name, the second ("6.5.16f" in this
case) is the extended release name.  The extended release name is the
"version" we refer to throughout this document.


- ----------------------------
- --- Temporary Workaround ---
- ----------------------------

At this time, there is no effective workaround (other than disabling
sendmail) for these problems.  SGI recommends either upgrading to IRIX
6.5.20, or installing the appropriate patch from the listing below.


- ----------------
- --- Solution ---
- ----------------

SGI has provided a series of patches for these vulnerabilities. Our
recommendation is to upgrade to IRIX 6.5.20 when available, or install the
appropriate patch.

   OS Version     Vulnerable?     Patch #      Other Actions
   ----------     -----------     -------      -------------
   IRIX 3.x        unknown                     Note 1
   IRIX 4.x        unknown                     Note 1
   IRIX 5.x        unknown                     Note 1
   IRIX 6.0.x      unknown                     Note 1
   IRIX 6.1        unknown                     Note 1
   IRIX 6.2        unknown                     Note 1
   IRIX 6.3        unknown                     Note 1
   IRIX 6.4        unknown                     Note 1
   IRIX 6.5          yes                       Notes 2 & 3
   IRIX 6.5.1        yes                       Notes 2 & 3
   IRIX 6.5.2        yes                       Notes 2 & 3
   IRIX 6.5.3        yes                       Notes 2 & 3
   IRIX 6.5.4        yes                       Notes 2 & 3
   IRIX 6.5.5        yes                       Notes 2 & 3
   IRIX 6.5.6        yes                       Notes 2 & 3
   IRIX 6.5.7        yes                       Notes 2 & 3
   IRIX 6.5.8        yes                       Notes 2 & 3
   IRIX 6.5.9        yes                       Notes 2 & 3
   IRIX 6.5.10       yes                       Notes 2 & 3
   IRIX 6.5.11       yes                       Notes 2 & 3
   IRIX 6.5.12       yes                       Notes 2 & 3
   IRIX 6.5.13       yes                       Notes 2 & 3
   IRIX 6.5.14       yes                       Notes 2 & 3
   IRIX 6.5.15       yes           4975        Notes 2, 4 & 5
   IRIX 6.5.16       yes           4975        Notes 2, 4 & 5
   IRIX 6.5.17       yes           4975        Notes 2, 4 & 5
   IRIX 6.5.18       yes           4975        Notes 2, 4 & 5
   IRIX 6.5.19       yes           4976        Notes 2, 4 & 6
   IRIX 6.5.20        no

   NOTES

     1) This version of the IRIX operating has been retired. Upgrade to an
        actively supported IRIX operating system.  See
        http://support.sgi.com/irix/news/index.html#policy for more
        information.

     2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
        SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/

     3) Upgrade to IRIX 6.5.20

     4) Install the patch

     5) This patch also fixes the smrsh issue discussed in SGI Security
        Bulletin 20030101-01-P.

     6) This patch also fixes the relaying issue discussed in SGI Security
        Bulletin 20030101-01-P.


- ------------------------
- --- Acknowledgments ----
- ------------------------

SGI wishes to thank sendmail.org, ISS, CERT, and the users of the Internet
Community at large for their assistance in this matter.


                ##### Patch File Checksums ####

The actual patch will be a tar file containing the following files:

Filename:                 README.patch.4975
Algorithm #1 (sum -r):    61521 9 README.patch.4975
Algorithm #2 (sum):       25521 9 README.patch.4975
MD5 checksum:             36F1CC6821BD6AA156951FFEA349D653

Filename:                 patchSG0004975
Algorithm #1 (sum -r):    65365 4 patchSG0004975
Algorithm #2 (sum):       15609 4 patchSG0004975
MD5 checksum:             0B50824803A534AFEF6AE074254C6ECF

Filename:                 patchSG0004975.eoe_src
Algorithm #1 (sum -r):    02599 40 patchSG0004975.eoe_src
Algorithm #2 (sum):       47170 40 patchSG0004975.eoe_src
MD5 checksum:             A1427ED806F47C55D60FE10FD2D0E922

Filename:                 patchSG0004975.eoe_sw
Algorithm #1 (sum -r):    41601 664 patchSG0004975.eoe_sw
Algorithm #2 (sum):       1123 664 patchSG0004975.eoe_sw
MD5 checksum:             125B6C161F3D2C059ED9A59149CBE5CF

Filename:                 patchSG0004975.idb
Algorithm #1 (sum -r):    56619 3 patchSG0004975.idb
Algorithm #2 (sum):       22297 3 patchSG0004975.idb
MD5 checksum:             DB212D6419F6D3ED75EBF12BEBB3A0CB


Filename:                 README.patch.4976
Algorithm #1 (sum -r):    11333 9 README.patch.4976
Algorithm #2 (sum):       28069 9 README.patch.4976
MD5 checksum:             E9A15B90ACB4E6BA3C507D29A541F9AB

Filename:                 patch4976.pgp.and.chksums
Algorithm #1 (sum -r):    00000 0 patch4976.pgp.and.chksums
Algorithm #2 (sum):       0 0 patch4976.pgp.and.chksums
MD5 checksum:             D41D8CD98F00B204E9800998ECF8427E

Filename:                 patchSG0004976
Algorithm #1 (sum -r):    42535 3 patchSG0004976
Algorithm #2 (sum):       12972 3 patchSG0004976
MD5 checksum:             B38B1916E6F9DA5AAD5C40A9F06CBCE8

Filename:                 patchSG0004976.eoe_src
Algorithm #1 (sum -r):    01627 90 patchSG0004976.eoe_src
Algorithm #2 (sum):       15487 90 patchSG0004976.eoe_src
MD5 checksum:             F5202E76911399D770DFEC254952142A

Filename:                 patchSG0004976.eoe_sw
Algorithm #1 (sum -r):    34746 1096 patchSG0004976.eoe_sw
Algorithm #2 (sum):       7255 1096 patchSG0004976.eoe_sw
MD5 checksum:             CFAE2CE94C0D9A222AECE0FC74E9BF48

Filename:                 patchSG0004976.idb
Algorithm #1 (sum -r):    16935 2 patchSG0004976.idb
Algorithm #2 (sum):       10290 2 patchSG0004976.idb
MD5 checksum:             05D387D9FCF8CEA9520C7C41939B9A6D


- -------------
- --- Links ---
- -------------

SGI Security Advisories can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/advisories/

SGI Security Patches can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/patches/

SGI patches for IRIX can be found at the following patch servers:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/

SGI freeware updates for IRIX can be found at:
http://freeware.sgi.com/

SGI fixes for SGI open sourced code can be found on:
http://oss.sgi.com/projects/

SGI patches and RPMs for Linux can be found at:
http://support.sgi.com/linux/ or
http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/

SGI patches for Windows NT or 2000 can be found at:
http://support.sgi.com/nt/

IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/support/patchset/

IRIX 6.5 Maintenance Release Streams can be found at:
http://support.sgi.com/colls/patches/tools/relstream/index.html

IRIX 6.5 Software Update CDs can be obtained from:
http://support.sgi.com/irix/swupdates/

The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211).  Security advisories and patches are
located under the URL ftp://patches.sgi.com/support/free/security/

For security and patch management reasons, ftp.sgi.com (mirrors
patches.sgi.com security FTP repository) lags behind and does not do a
real-time update.

- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------

If there are questions about this document, email can be sent to
security-info () sgi com 

                      ------oOo------

SGI provides security information and patches for use by the entire SGI
community.  This information is freely available to any person needing the
information and is available via anonymous FTP and the Web.

The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211).  Security advisories and patches are
located under the URL ftp://patches.sgi.com/support/free/security/

The SGI Security Headquarters Web page is accessible at the URL:
http://www.sgi.com/support/security/

For issues with the patches on the FTP sites, email can be sent to
security-info () sgi com 

For assistance obtaining or working with security patches, please
contact your SGI support provider.

                      ------oOo------

SGI provides a free security mailing list service called wiretap and
encourages interested parties to self-subscribe to receive (via email) all
SGI Security Advisories when they are released. Subscribing to the mailing
list can be done via the Web
(http://www.sgi.com/support/security/wiretap.html) or by sending email to
SGI as outlined below.

% mail wiretap-request () sgi com
subscribe wiretap <YourEmailAddress such as midwatch () sgi com>
end
^d

In the example above, <YourEmailAddress> is the email address that you wish
the mailing list information sent to.  The word end must be on a separate
line to indicate the end of the body of the message. The control-d (^d) is
used to indicate to the mail program that you are finished composing the
mail message.


                      ------oOo------

SGI provides a comprehensive customer World Wide Web site. This site is
located at http://www.sgi.com/support/security/ .

                      ------oOo------

If there are general security questions on SGI systems, email can be sent to
security-info () sgi com 

For reporting *NEW* SGI security issues, email can be sent to
security-alert () sgi com or contact your SGI support provider.  A support
contract is not required for submitting a security report.

______________________________________________________________________________
      This information is provided freely to all interested parties
      and may be redistributed provided that it is not altered in any
      way, SGI is appropriately credited and the document retains and
      includes its valid PGP signature.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBPmOKhrQ4cFApAP75AQGCgQP+LQWKhquGwxA7Eo02KROYByVSG5mc1c93
X5vXPECAjcLLHJVL0ITObm20Oj0DRC8c6JwTmNfPLPlY62CUWXjb0fKTuogh0OhN
TV6ae39vWPVSmZFAikp+wED5eG6+bm5jremvqOqelrQNJ+MfN4CwPfGXn/ENS3pb
Us2/h+yOwyE=
=BORz
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
  • Mail Header Buffer Overflow In Sendmail SGI Security Coordinator (Mar 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault