Note: This is an archival copy of Security Sun Alert 201526 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001138.1.
Article ID : 1001138.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2003-03-02
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

sendmail(1M) Parses Headers Incorrectly in Certain Corner Cases



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 2.6 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id
4809539

Date of Resolved Release
03-MAR-2003

Impact

A local or remote unprivileged user may be able to gain unauthorized root access or cause a denial of service due to a buffer overflow in the sendmail(1M) daemon.

This is described in ISS Security Bulletin 21950 available from http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950.

This issue is also described in CERT Vulnerability VU#398025 (see http://www.kb.cert.org/vuls/id/398025) which is referenced in CERT Advisory CA-2003-07 (see http://www.cert.org/advisories/CA-2003-07.html).

Sun acknowledges, with thanks, Internet Security Systems (ISS) (http://www.iss.net) for bringing this issue to our attention.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 2.6 without patch 105395-08
  • Solaris 7 without patch 107684-08
  • Solaris 8 without patch 110615-08
  • Solaris 9 without patch 113575-03

x86 Platform

  • Solaris 2.6 without patch 105396-08
  • Solaris 7 without patch 107685-08
  • Solaris 8 without patch 110616-08
  • Solaris 9 without patch 114137-02

Note: By default, all systems are potentially vulnerable to this issue. Systems are vulnerable if they have a sendmail daemon running. This can be confirmed by the following commands:

1) Determine if a sendmail process is running on the system:

	$ /usr/bin/ps -e | grep sendmail
	20038 ?        0:03 sendmail

2) If there is a sendmail process present, the following command will confirm if the process is the sendmail daemon:

	$ /usr/bin/mconnect
	connecting to host localhost (127.0.0.1), port 25
	connection open
	220 an.example.com ESMTP Sendmail 8.12.8+Sun/8.12.8; Wed, 5 Mar 2003 17:47:49 -0700 (MST)
	help
	214-2.0.0 This is sendmail version 8.12.8+Sun
	214-2.0.0 Topics:
	214-2.0.0       HELO    EHLO    MAIL    RCPT    DATA
	214-2.0.0       RSET    NOOP    QUIT    HELP    VRFY
	214-2.0.0       EXPN    VERB    ETRN    DSN
	214-2.0.0 For more info use "HELP <topic>".
	214-2.0.0 To report bugs in the implementation contact Sun Microsystems
	214-2.0.0 Technical Support.
	214-2.0.0 For local information send email to Postmaster at your site.
	214 2.0.0 End of HELP info
	quit
	221 2.0.0 an.example.com closing connection

Note: On sendmail version 8.12.x (available in Solaris 9), the file "/etc/mail/helpfile" may have been modified by the system administrator, which could obscure the version number.

3) If the sendmail daemon is not running (and therefore not available) the output from mconnect(1) would be:

	$ /usr/bin/mconnect
	connecting to host localhost (127.0.0.1), port 25
	connect: Connection refused

Symptoms

There are no reliable symptoms that would show the described issue has been exploited to gain unauthorized root access to a host. In the denial of service case, the symptom is that sendmail is no longer running.

If the sendmail(1M) daemon is no longer running, the system may have encountered the described issue. The following command can be executed to check if the sendmail(1M) daemon is running on the system:

	$ /usr/bin/ps -ef | grep sendmail
	root   336     1  0   Jan 20 ?        0:03 /usr/lib/sendmail -bd -q15m

Workaround

Until patches can be applied, sites may wish to block access to the affected service from untrusted networks such as the Internet or disable the daemon where possible. Use a firewall or other packet-filtering technology to block the appropriate network ports. Consult your vendor or your firewall documentation for detailed instructions on how to configure the ports. To disable sendmail(1M) the following commands can be executed as root:

	# /etc/init.d/sendmail stop

Note: This will prevent e-mail messages from being received on the system until sendmail(1M) is started again with the command:

	# /etc/init.d/sendmail start

Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 2.6 with patch 105395-08 or later
  • Solaris 7 with patch 107684-08 or later
  • Solaris 8 with patch 110615-08 or later
  • Solaris 9 with patch 113575-03 or later

x86 Platform

  • Solaris 2.6 with patch 105396-08 or later
  • Solaris 7 with patch 107685-08 or later
  • Solaris 8 with patch 110616-08 or later
  • Solaris 9 with patch 114137-02 or later

Note: It is necessary to restart sendmail after the patch installation for the fix to take effect. Execute the following commands as root.

	# /etc/init.d/sendmail stop
	# /etc/init.d/sendmail start
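
Added example (not part of the original Sun Alert and not Sun's tooling): a shell check that compares a host's `showrev -p` patch listing against the minimum fixed revisions listed above. The function names and the sample listing are constructed for illustration; the release strings assume `uname -r` output (5.6 for Solaris 2.6 through 5.9 for Solaris 9) and `uname -p` output (sparc or i386).

```shell
#!/bin/sh
# Added example, not Sun's tooling. Patch IDs come from the advisory's lists.

# required_patch RELEASE ARCH: print the minimum fixed patch for the platform.
# RELEASE is `uname -r` (5.6 = Solaris 2.6, 5.7 = 7, 5.8 = 8, 5.9 = 9),
# ARCH is `uname -p` (sparc or i386). Fails for platforms the advisory omits.
required_patch() {
    case "$1/$2" in
        5.6/sparc) echo 105395-08 ;;
        5.7/sparc) echo 107684-08 ;;
        5.8/sparc) echo 110615-08 ;;
        5.9/sparc) echo 113575-03 ;;
        5.6/i386)  echo 105396-08 ;;
        5.7/i386)  echo 107685-08 ;;
        5.8/i386)  echo 110616-08 ;;
        5.9/i386)  echo 114137-02 ;;
        *) return 1 ;;
    esac
}

# sendmail_patch_status RELEASE ARCH < listing
# Reads `showrev -p` style lines on stdin and prints PATCHED, VULNERABLE or
# UNKNOWN. Exit status: 0 patched, 1 vulnerable, 2 platform not in advisory.
sendmail_patch_status() {
    need=$(required_patch "$1" "$2") || { echo UNKNOWN; return 2; }
    # Compare revisions numerically in awk so "08" is not read as octal.
    awk -v base="${need%-*}" -v min="${need#*-}" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 > max) max = p[2] + 0
        }
        END {
            if (max >= min + 0) { print "PATCHED"; exit 0 }
            print "VULNERABLE"; exit 1
        }'
}

# Constructed sample listing for a Solaris 8 SPARC host (not real host output).
SAMPLE_LISTING='Patch: 110615-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWsndmu, SUNWsndmr
Patch: 110615-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWsndmu, SUNWsndmr'

# Demo on the sample; on a live host use:
#   showrev -p | sendmail_patch_status "$(uname -r)" "$(uname -p)"
printf '%s\n' "$SAMPLE_LISTING" | sendmail_patch_status 5.8 sparc || true
```

The check matches only the patch IDs listed in this alert, so a fix delivered under a different patch ID is reported as VULNERABLE. A PATCHED result describes the installed files only; the running daemon still needs the restart described above.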


Modification History
Date: 06-MAR-2003
  • Updated Contributing Factors with additional information



References

105395-08
107684-08
110615-08
113575-03
105396-08
107685-08
110616-08
114137-02



