MCI Telecommunications 

                        internetMCI Security Group


Report Name: iMCI MIIGS Security Alert 
Report Number: iMCISE:IMCIAUSCERT:111996:01:P1R1
Report Date: 11/19/96
Report Format: Formal
Report Classification: MCI Informational  
Report Reference: http://www.security.mci.net
Report Distribution: iMCI Security, 
		     MCI Internal Internet Gateway Security (MIIGS), 
		     MCI Emergency Alert LiSt (MEALS)
                     (names on file)

----------------------------------------------------------------------------
--- 

-----BEGIN PGP SIGNED MESSAGE-----

Content-Type: text/plain; charset=us-ascii

===========================================================================
AA-96.10                        AUSCERT Advisory
                    smtpd-SIGHUP sendmail vulnerability
                                18 November 1996

Last Revised: --

- ---------------------------------------------------------------------------
AUSCERT has received information that sendmail versions 8.7.x to 8.8.2
(inclusive) contain a serious security vulnerability.

This vulnerability may allow local users to gain root privileges.

Exploit details involving this vulnerability have been widely distributed.

AUSCERT recommends that sites takes the steps outlined in Section 3
as soon as possible.
- ---------------------------------------------------------------------------

1.  Description

    A vulnerability exists in all versions of sendmail from 8.7.x to 8.8.2
    that allows local users to gain root privileges.

    A user can invoke sendmail in "daemon" mode by naming it to be "smtpd".
    Due to a coding error, this bypasses the usual check that only root
    can start the daemon.  As of 8.7, sendmail will restart itself when
    it gets a SIGHUP signal.  By manipulating the environment in which
    sendmail is run it is possible to force sendmail into executing an
    arbitrary program with root privileges.

    AUSCERT has been informed that sendmail versions prior to 8.8.x are
    no longer supported.  Sites using older versions of sendmail will need
    to upgrade to the current version of sendmail.

    Sites can determine their version of sendmail by executing:

    % cat /dev/null | sendmail -d0 -bt | grep Version

2.  Impact

    Local users can gain root privileges.

3.  Workarounds/Solution

    AUSCERT recommends that sites upgrade to the current version of
    sendmail (see Section 3.1).

3.1 Upgrade to current version of sendmail

    Eric Allman has released a new version of sendmail (8.8.3) which fixes
    this vulnerability.  

    There is no patch for 8.7.6.  Sites running 8.7.x or previous versions
    will need to upgrade to 8.8.3.

    Sendmail 8.8.3 can be obtained from the following locations.

        ftp://ftp.sendmail.org/ucb/src/sendmail/
        ftp://ftp.cert.dfn.de/pub/tools/net/sendmail/
        ftp://ftp.auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu/ucb/sendmail/

    The MD5 checksum for this distribution is:

        MD5 (sendmail.8.8.3.patch) = 5b550b509b98912bea453b7a2c25d378
        MD5 (sendmail.8.8.3.tar.gz) = 0cb58caae93a19ac69ddd40660e01646
        MD5 (sendmail.8.8.3.tar.Z) = 7f7c5463012f8d7af368a79d417c72de

- ---------------------------------------------------------------------------
AUSCERT thanks Eric Allman for his rapid response to this vulnerability
and his assistance in the preparation of this advisory.
- ---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures.  AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre.  AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:  (07) 3365 4477
Telephone:  (07) 3365 4417 (International: +61 7 3365 4417)
        AUSCERT personnel answer during Queensland business hours
        which are GMT+10:00 (AEST).
        On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBMpBx/Ch9+71yA2DNAQEJFAP9FROC3sS/5N+veWWqsap//G4rd6JqXiN1
hB4Qk+WiwxA3v38/3ozIHUTWkG5Pe41nTnYcPOpfMvcxp2gc63Q6KyHfP3mopm4M
RzhMJNhj82Zk8mKTIxVmQh5D/GRctKsP5MZJNO2Is5Aed3UDDX+imeAluB+OWx6g
CZksxK77jV8=
=0sry
-----END PGP SIGNATURE-----
-+==--+==--+==--+==--+==--+==--+==--+==--+==--+==--+==--+==--+==--+==--+
This message was posted through the FIRST mailing list server.  if you
wish to unsubscribe from this mailing list, send the message body of
"unsubscribe first-teams" to first-majordomo@FIRST.ORG
-+==--+==--+==--+==--+==--+==--+==--+==--+==--+==--+==--+==--+==--+==--+



===============================================================