Note: This is an archival copy of Security Sun Alert 200828 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000625.1.
Solaris 9 Operating System
Solaris 2.6 Operating System
Solaris 7 Operating System
Solaris 8 Operating System
Date of Workaround Release
Date of Resolved Release
A local or remote unprivileged user may be able to gain unauthorized root access or cause a denial of service due to a buffer overflow in the sendmail(1M) daemon.
Note: This issue is separate from, and in addition to, the sendmail issue described in Sun Alert 51181, CERT Advisory CA-2003-07.
This issue is also described in CERT Vulnerability VU#897604 (see http://www.kb.cert.org/vuls/id/897604) which is referenced in CERT Advisory CA-2003-12 (see http://www.cert.org/advisories/CA-2003-12.html).
This issue was discovered by Michal Zalewski. We would like to thank sendmail.org for bringing this issue to our attention.
This issue can occur in the following releases:
Note: By default, all systems are potentially vulnerable to this issue. Systems are vulnerable if they have a sendmail daemon running. This can be confirmed by the following commands:
1) Determine if a sendmail process is running on the system:
$ /usr/bin/ps -e | grep sendmail
20038 ? 0:03 sendmail
2) If there is a sendmail process present, the following command will confirm if the process is the sendmail daemon:
$ /usr/bin/mconnect
connecting to host localhost (127.0.0.1), port 25
connection open
220 an.example.com ESMTP Sendmail 8.12.8+Sun/8.12.8; Wed, 5 Mar 2003 17:47:49 -0700 (MST)
help
214-2.0.0 This is sendmail version 8.12.8+Sun
214-2.0.0 Topics:
214-2.0.0 HELO EHLO MAIL RCPT DATA
214-2.0.0 RSET NOOP QUIT HELP VRFY
214-2.0.0 EXPN VERB ETRN DSN
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation contact Sun Microsystems
214-2.0.0 Technical Support.
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info
quit
221 2.0.0 an.example.com closing connection
Note: On sendmail version 8.12.x (available in Solaris 9), the file "/etc/mail/helpfile" may have been modified by the system administrator, which could obscure the version number.
3) If the sendmail daemon is not running (and therefore not available) the output from mconnect(1) would be:
$ /usr/bin/mconnect
connecting to host localhost (127.0.0.1), port 25
connect: Connection refused
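The checks in steps 2 and 3 can be applied to a saved mconnect(1) transcript when many hosts have to be inventoried. The following is an added example, not part of the original Sun Alert; the function name classify_mconnect and its output strings are assumptions made for illustration, and the sample transcript is constructed. It falls back to the 220 greeting when the HELP reply carries no version, the case the helpfile note above describes.

```sh
#!/bin/sh
# Classify an mconnect(1) transcript read from stdin. Prints one of:
#   not-listening               connection refused, no daemon on port 25
#   sendmail <version>          a daemon answered and a version was found
#   listening version-unknown   a 220 greeting was seen but no version
#   indeterminate               neither a refusal nor a greeting was seen
classify_mconnect() {
    transcript=$(cat)

    # Step 3: a refused connection means no daemon is accepting mail.
    if printf '%s\n' "$transcript" | grep 'Connection refused' >/dev/null; then
        echo "not-listening"
        return 0
    fi

    # Step 2: prefer the HELP reply, "214-2.0.0 This is sendmail version X".
    version=$(printf '%s\n' "$transcript" |
        sed -n 's/^214[- ].*[Ss]endmail version \([^ ]*\).*$/\1/p' | head -n 1)

    # /etc/mail/helpfile may have been edited, so fall back to the greeting,
    # "220 host ESMTP Sendmail X/Y; date".
    if [ -z "$version" ]; then
        version=$(printf '%s\n' "$transcript" |
            sed -n 's/^220 .*Sendmail \([^ ;/]*\).*$/\1/p' | head -n 1)
    fi

    if [ -n "$version" ]; then
        echo "sendmail $version"
    elif printf '%s\n' "$transcript" | grep '^220 ' >/dev/null; then
        echo "listening version-unknown"
    else
        echo "indeterminate"
    fi
}

# Constructed sample: helpfile edited so HELP no longer reports a version.
classify_mconnect <<'EOF'
connecting to host localhost (127.0.0.1), port 25
connection open
220 an.example.com ESMTP Sendmail 8.12.8+Sun/8.12.8; Wed, 5 Mar 2003 17:47:49 -0700 (MST)
help
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info
quit
221 2.0.0 an.example.com closing connection
EOF
```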
There are no reliable symptoms that would show the described issue has been exploited to gain unauthorized root access to a host. The denial of service symptom would show that sendmail is no longer running.
If the sendmail(1M) daemon is no longer running the system may have encountered the described issue. The following command can be executed to check if the sendmail(1M) daemon is running on the system:
$ /usr/bin/ps -ef | grep sendmail
root 336 1 0 Jan 20 ? 0:03 /usr/lib/sendmail -bd -q15m
Until patches can be applied, sites may wish to block access to the affected service from untrusted networks such as the Internet, or disable the daemon where possible. Use a firewall or other packet-filtering technology to block the appropriate network ports. Consult your vendor or your firewall documentation for detailed instructions on how to configure the ports. To disable sendmail(1M), the following command can be executed as root:
# /etc/init.d/sendmail stop
Note: This will prevent e-mail messages from being received on the system until sendmail(1M) is started again with the command:
# /etc/init.d/sendmail start
This issue is addressed in the following releases: