COMMAND

    sendmail(8)

SYSTEMS AFFECTED

    Systems running sendmail 8.6.7 on Solaris 2.3, DEC OSF/1 V1.2 and
    SunOS 4.1. I know of no sun4 version of sendmail that is safe from
    this bug: I have tested 8 versions of sendmail, including all the
    latest patches for both SunOS 4.1.3 and Solaris 2.3, and all are
    vulnerable. Systems that don't have this problem: Ultrix 4.2A.
    Convex OS 10.x is vulnerable, OS 11.0 is not. Amdahl UTS 2.1 uses
    smail rather than sendmail and is not vulnerable. Apple A/UX 3.1
    is vulnerable. BSD/386 V1.1 is vulnerable. DG/UX systems are at
    risk of the -d problem. Ultrix 4.3, 4.3A, 4.4, DECnet-Ultrix 4.2,
    and DEC OSF/1 1.2, 1.3, 1.3A, 2.0 are all affected. OSF/1 R1.3 is
    affected. SCO TCP/IP Release 1.2.0 for SCO XENIX and 1.2.1 for SCO
    UNIX are affected. SCO Open Desktop Release 3.0, Open Desktop Lite
    Release 3.0, Open Server Network System Release 3.0 and Open Server
    Enterprise System Release 3.0 are all vulnerable. SunOS 4.1.x and
    all Solaris 2.x, including Solaris x86, are vulnerable.

PROBLEM

    It is possible to get root access by passing weird values to the
    -d (debug) flag of the setuid-root sendmail binary:

        % sendmail -d3294967296

    If this causes a segmentation fault then you likely have the bug in
    your version of sendmail. The problem is that numbers in this range
    wrap around: 3294967296 is 2^32 - 1000000000, so when it is
    accumulated into a 32-bit signed int it becomes -1000000000, which
    slips past a range check that only tests the upper bound. The result
    is an access at a negative index into the debug array, far enough
    outside it that the command above crashes instead of setting a debug
    level. Hence it is possible to write to locations in memory before
    the debug array. Without going into much detail, -dx.y writes y into
    the debug array as array[x]=y. Range checking is not performed
    properly on x, so it is possible to pass negative integers that pass
    the range check. Find a key location before the debug array, pick
    the x that lands on it, overwrite it, and you're in business.

SOLUTION

    Install the patches from your vendor. If you have source code, for
    BSD based versions, in trace.c the function tTflag(), which parses
    the -d argument, starts with the lines:

        tTflag(s)
                register char *s;
        {
                int first, last;
                register int i;

    This should be changed to:

        tTflag(s)
                register char *s;
        {
                unsigned int first, last;
                register unsigned int i;

    With first, last and i unsigned, a wrapped value can no longer be
    negative, so the existing upper-bound clamp is enough to keep every
    write inside the array. Or simply grab the latest version of
    sendmail and install it. Note that the Solaris patch procedures
    leave the old (pre-patch) sendmail binaries, still setuid root,
    under /var/sadm/patch. Strip the setuid bit from those saved copies
    (chmod u-s) or delete them, since any local user can run them
    directly and they are still exploitable.
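
    The following is an added example, not code from this advisory or
    from sendmail: a small reconstruction of the -dx.y parsing and the
    upper-bound-only range check described under PROBLEM, run once with
    the signed arithmetic of the vulnerable tTflag() and once with the
    unsigned arithmetic of the fix under SOLUTION. The array length
    TTSIZE, the function and struct names, and the use of fixed 32-bit
    arithmetic are assumptions made for the demonstration.

```c
/*
 * Added example: reconstruction of the -dx.y parsing and range check
 * described in the advisory.  This is not sendmail's code; TTSIZE, the
 * names and the 32-bit arithmetic are assumptions for the demonstration.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

#define TTSIZE 100   /* assumed length of the debug array */

/* What one -d argument would do to the debug array. */
struct dflag {
    int64_t first;      /* index of the first entry written */
    int64_t last;       /* index of the last entry written */
    int64_t level;      /* value stored in each entry */
    int writes_oob;     /* 1 if the write would land outside [0, TTSIZE) */
};

/* Accumulate decimal digits modulo 2^32, as a 32-bit int would. */
static uint32_t scan32(const char **p)
{
    uint32_t v = 0;
    while (isdigit((unsigned char)**p)) {
        v = v * 10u + (uint32_t)(**p - '0');
        (*p)++;
    }
    return v;
}

/* Reinterpret a 32-bit pattern as two's-complement signed, portably. */
static int64_t as_int32(uint32_t v)
{
    return v >= 0x80000000u ? (int64_t)v - 4294967296LL : (int64_t)v;
}

/*
 * Parse "x", "x-y" or "x.y" as the advisory describes.  use_signed=1
 * keeps the indices as signed 32-bit ints (the vulnerable version);
 * use_signed=0 keeps them unsigned (the fix).  The clamp below is the
 * only range check performed; it never rejects a negative index.
 */
struct dflag parse_dflag(const char *s, int use_signed)
{
    struct dflag r;
    uint32_t first = scan32(&s), last = first, level = 1;

    if (*s == '-') { s++; last = scan32(&s); }      /* x-y range */
    if (*s == '.') { s++; level = scan32(&s); }     /* .level */

    r.first = use_signed ? as_int32(first) : (int64_t)first;
    r.last  = use_signed ? as_int32(last)  : (int64_t)last;
    r.level = use_signed ? as_int32(level) : (int64_t)level;

    /* upper-bound-only clamp, as in the vulnerable code */
    if (r.first >= TTSIZE) r.first = TTSIZE - 1;
    if (r.last  >= TTSIZE) r.last  = TTSIZE - 1;

    /* array[first..last] = level is written only when first <= last;
     * after the clamp the only way out of the array is a negative first */
    r.writes_oob = (r.first <= r.last && r.first < 0);
    return r;
}

static void show(const char *arg, int use_signed)
{
    struct dflag d = parse_dflag(arg, use_signed);
    printf("-d%-16s %-8s first=%-12lld last=%-4lld level=%-4lld %s\n",
           arg, use_signed ? "signed" : "unsigned",
           (long long)d.first, (long long)d.last, (long long)d.level,
           d.writes_oob ? "OUT OF BOUNDS" : "ok");
}

int main(void)
{
    /* constructed sample arguments, including the advisory's test value */
    const char *args[] = { "3.7", "2-5", "3294967296",
                           "3294967296-5", "4294967296" };
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++) {
        show(args[i], 1);
        show(args[i], 0);
    }
    return 0;
}
```

    With signed bookkeeping, -d3294967296 yields first = -1000000000,
    which is below TTSIZE and so survives the clamp, and the write goes
    a gigabyte before the array. With unsigned bookkeeping the same
    argument becomes 3294967296, is clamped to TTSIZE - 1, and the write
    stays inside the array. The wraparound itself is not removed by the
    fix (-d4294967296 still parses as index 0 in both versions); what
    the fix guarantees is that the index can never be negative, which is
    all the existing upper-bound check needs.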