
[irix-security] Multiple Local Sendmail Vulnerabilities



Topic
=====
Several vulnerabilities in Sendmail can lead to a local root exploit.

Problem Description
===================
The Sendmail mail delivery subsystem is vulnerable to multiple
local attacks that lead to information loss, disclosure of
possibly sensitive information and possible mail system compromise.

Sendmail versions before 8.12.1, without the "RestrictQRun"
option enabled, allow local users to obtain potentially
sensitive information about the mail queue by setting flags to
enable debug mode.

All versions of Sendmail allow any user to process the whole
mail queue unless this feature is disabled by the administrator.
Due to a programming bug, certain mail delivery options specified by
the attacker will be honored. For example, it is possible to force
Sendmail to drop queue contents by setting the initial message hop
count above the limit.

Systems that do not allow users to run the queue ("RestrictQRun"
option) are not vulnerable to these exploits. "RestrictQRun" is
not set by default.

The sendmail daemon is installed by default on IRIX.

Workaround
==========
The steps below can be used to configure sendmail so that users
are not allowed to run the queue.

     1) Become the root user on the system.

                % /bin/su -
                Password:
                #

     2) Edit the file /etc/sendmail.mc

                # vi  /etc/sendmail.mc

       {Add the following line}

       define(`confPRIVACY_FLAGS', `restrictqrun')dnl

       {Save the file and exit}


     3) Rebuild the sendmail.cf file from the modified
        sendmail.mc file.

                # /usr/etc/configmail mc2cf


     4) Stop and restart sendmail

                # /etc/init.d/mail stop
                # /etc/init.d/mail start


     5) Return to previous level.

                # exit
                %
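
A read-only check to run after steps 2 to 4, added here as an example and not part of the SGI advisory: it reports whether a generated sendmail.cf actually carries the restrictqrun flag. The function name has_privacy_flag and the sample files are hypothetical, and it assumes the rebuilt file uses the long-form "O PrivacyOptions=" line.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a sendmail.cf for a
# PrivacyOptions flag such as restrictqrun.
# Assumption: the option appears in long form, e.g.
#   O PrivacyOptions=authwarnings,restrictqrun

# has_privacy_flag FILE FLAG
# Returns 0 if any uncommented "O PrivacyOptions=" line in FILE lists
# FLAG (case-insensitive), 1 if none does, 2 if FILE cannot be read.
has_privacy_flag() {
    cf=$1
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -r "$cf" ] || return 2
    awk -v want="$want" '
        /^O[ \t]/ {                       # "#"-commented lines never match
            line = tolower(substr($0, 2))
            sub(/^[ \t]+/, "", line)
            if (line !~ /^privacyoptions[ \t]*=/) next
            sub(/^privacyoptions[ \t]*=[ \t]*/, "", line)
            n = split(line, flags, /[, \t]+/)
            for (i = 1; i <= n; i++) if (flags[i] == want) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$cf"
}

# Constructed sample configurations (not taken from a real system).
demo_dir=$(mktemp -d)
cat > "$demo_dir/before.cf" <<'EOF'
# O PrivacyOptions=restrictqrun
O PrivacyOptions=authwarnings
EOF
cat > "$demo_dir/after.cf" <<'EOF'
O PrivacyOptions=authwarnings,restrictqrun
EOF

for f in before after; do
    if has_privacy_flag "$demo_dir/$f.cf" restrictqrun; then
        echo "$f.cf: restrictqrun set, users cannot run the queue"
    else
        echo "$f.cf: restrictqrun NOT set, queue runs are unrestricted"
    fi
done
rm -rf "$demo_dir"
```

Checking the generated file rather than sendmail.mc catches the case where another confPRIVACY_FLAGS definition later in sendmail.mc replaces the added line, since m4 keeps only the last definition of a macro.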

Solution
========
Currently, there are no patches available from SGI to address these issues.