Note: This is an archival copy of Security Sun Alert 200355 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000250.1.
Solaris 9 Operating System
Solaris 7 Operating System
Solaris 8 Operating System
Date of Workaround Release
Date of Resolved Release
A local or remote unprivileged user may be able to gain unauthorized root access or cause a denial of service due to a buffer overflow in the sendmail(1M) daemon within the prescan() function.
This issue is described in CERT Vulnerability VU#784980 (see http://www.kb.cert.org/vuls/id/784980) which is referenced in CERT Advisory CA-2003-25 (see http://www.cert.org/advisories/CA-2003-25.html).
This issue can occur in the following releases:
Note: Solaris 2.6 will not be evaluated regarding the potential impact of the issue described in this Sun Alert document.
By default, all systems are potentially vulnerable to this issue. Systems are vulnerable if they have a sendmail daemon running. This can be confirmed by the following commands:
1) To determine if a sendmail process is running on the system, do the following:
$ /usr/bin/ps -e | grep sendmail 20038 ? 0:03 sendmail
2) If there is a sendmail process present, the following command will confirm if the process is the sendmail daemon:
$ /usr/bin/mconnect connecting to host localhost (127.0.0.1), port 25 connection open 220 an.example.com ESMTP Sendmail 8.12.8+Sun/8.12.8; Wed, 5 Mar 2003 17:47:49 -0700 (MST) help 214-2.0.0 This is sendmail version 8.12.8+Sun 214-2.0.0 Topics: 214-2.0.0 HELO EHLO MAIL RCPT DATA 214-2.0.0 RSET NOOP QUIT HELP VRFY 214-2.0.0 EXPN VERB ETRN DSN 214-2.0.0 For more info use "HELP <topic>". 214-2.0.0 To report bugs in the implementation contact Sun Microsystems 214-2.0.0 Technical Support. 214-2.0.0 For local information send email to Postmaster at your site. 214 2.0.0 End of HELP info quit 221 2.0.0 an.example.com closing connection
Note: On sendmail version 8.12.x (available in Solaris 9) the file, "/etc/mail/helpfile", may have been modified by the system administrator which could obscure the version number.
3) If the sendmail daemon is not running (and therefore not available) the output from mconnect(1) would be:
$ /usr/bin/mconnect connecting to host localhost (127.0.0.1), port 25 connect: Connection refused
There are no reliable symptoms that would show the described issue has been exploited to gain unauthorized root access to a host.
Until patches can be applied, sites may wish to block access to the affected service from untrusted networks such as the Internet or disable the daemon where possible. Use a firewall or other packet-filtering technology to block the appropriate network ports. Consult your vendor or your firewall documentation for detailed instructions on how to configure the ports.
To disable sendmail(1M) the following commands can be executed as root:
# /etc/init.d/sendmail stop # mv /etc/rc2.d/S88sendmail /etc/rc2.d/not-S88sendmail
This will prevent e-mail messages from being received on the system until sendmail(1M) is started again and re-enabled with the commands:
# /etc/init.d/sendmail start # mv /etc/rc2.d/not-S88sendmail /etc/rc2.d/S88sendmail
This issue is addressed in the following releases:
This solution has no attachment