Note: This is an archival copy of Security Sun Alert 200720 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000570.1.
Solaris 9 Operating System
Solaris 7 Operating System
Solaris 8 Operating System
Date of Resolved Release
There is a potential buffer overflow in sendmail(1M) involving the parsing of rulesets which affects sendmail(1M) versions earlier than 8.12.10. This could result in a local or remote unprivileged user gaining unauthorized root privileges.
Note: This issue does not affect the default configuration of sendmail(1M).
This issue is referenced in CERT Vulnerability Note VU#108964 which can be seen at http://www.kb.cert.org/vuls/id/108964 and CAN-2003-0681 at http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0681.
This issue can occur in the following releases:
Note: Only systems using the following non-standard rulesets are at risk: recipient (2), final (4), or mailer-specific envelope recipients rulesets.
To determine which version of sendmail(1M) is running on a system, run the following command:
    $ /usr/bin/mconnect
    connecting to host localhost (127.0.0.1), port 25
    connection open
    220 an.example.com ESMTP Sendmail 8.9.3+Sun/8.9.3; Tue, 6 Apr 2004 14:46:17 +0100 (BST)
    help
    214-This is Sendmail version 8.9.3+Sun
    214-Topics:
    214- HELO EHLO MAIL RCPT DATA
    214- RSET NOOP QUIT HELP VRFY
    214- EXPN VERB ETRN DSN
    214-For more info use "HELP <topic>".
    214-To report bugs in the implementation contact Sun Microsystems
    214-Technical Support.
    214-For local information send email to Postmaster at your site.
    214 End of HELP info
    quit
    221 an.example.com closing connection
To determine whether a system is configured with the vulnerable rulesets, view the "/etc/mail/sendmail.cf" file and the "*.mc" configuration files. The latter are normally located in "/usr/lib/mail/cf/" on Solaris, but this may vary depending on how sendmail(1M) has been set up on a system.
The following indicates that sendmail(1M) has been configured with these rulesets:
Srecipient=2 (version 8.10 or later) or S2 (version 8.9 and earlier)
$>2 or $>recipient
$>4 or $>final
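The check described above can be scripted. The following is an added example, not part of the original Sun Alert: a shell function that scans configuration files for the indicators listed above and skips lines commented out with "#" or "dnl". The function names, the AWK variable and the sample file contents are assumptions of this example, and the samples are constructed.

```shell
#!/bin/sh
# Added example: flag lines matching the ruleset indicators listed in this alert.
# Assumes a POSIX awk; set AWK=nawk where /usr/bin/awk is the older awk.
AWK=${AWK:-awk}

# find_ruleset_indicators FILE...
# Prints "file:line: text" per non-comment match; returns 0 if any, else 1.
find_ruleset_indicators() {
    rc=1
    for f in "$@"; do
        [ -r "$f" ] || { echo "skipping unreadable file: $f" >&2; continue; }
        if "$AWK" -v file="$f" '
            { line = $0 " " }  # trailing space: end of line counts as a delimiter
            # Skip comments: "#" in sendmail.cf, "dnl" in *.mc files.
            line ~ /^[ \t]*#/ || line ~ /^[ \t]*dnl[ \t]/ { next }
            # Definitions: Srecipient=2 (8.10+) or S2 (8.9 and earlier).
            # Calls: $>2, $>recipient, $>4, $>final (not $>20 or $>finalize).
            line ~ /^Srecipient=2[^0-9]/ || line ~ /^S2[^0-9]/ ||
            line ~ /\$>(2|4|recipient|final)[^A-Za-z0-9_]/ {
                print file ":" NR ": " $0; hits++
            }
            END { exit (hits ? 0 : 1) }' "$f"
        then rc=0; fi
    done
    return $rc
}

# Constructed sample files (not real configurations) for an offline run.
make_samples() {
    cat > "$1/sendmail.cf" <<'EOF'
# constructed sample
Sparse=0
R$* $: $>canonify $1
Srecipient=2
R$* < @ $+ > $: $1 < @ $2 >
# R$* $@ $>final $1
R$* $@ $>final $1
R$* $: $>20 $1
EOF
    cat > "$1/site.mc" <<'EOF'
dnl constructed sample: affected line already commented out with dnl
dnl R$* $: $>recipient $1
MAILER(local)dnl
EOF
}

d=$(mktemp -d) && make_samples "$d"
find_ruleset_indicators "$d/sendmail.cf" "$d/site.mc" || echo "no indicators found"
rm -rf "$d"
```

On a real system, pass "/etc/mail/sendmail.cf" and the "*.mc" files in use; each reported line matches one of the indicators above and should be reviewed by hand.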
There are no reliable symptoms that would indicate the described issue has been exploited.
If the system has been configured as detailed in "Contributing Factors", the affected lines in the "*.mc" configuration file may be modified. Comment out the affected lines in this file by inserting "dnl" at the beginning of the affected line. For example:
dnl <rest of line goes here>
Then generate the new "sendmail.cf" file from this revised "*.mc" file and copy this to "/etc/mail/sendmail.cf". Please refer to "/usr/lib/mail/README" for additional information on how to use the "*.mc" files.
Once the files have been modified, restart sendmail(1M) with the following commands:
    # /etc/init.d/sendmail stop
    # /etc/init.d/sendmail start
For more detailed information please see the sendmail(1M) man pages or http://www.sendmail.org/m4/intro.html.
This issue is addressed in the following releases: