COMMAND

    sendmail

SYSTEMS AFFECTED

    sendmail 8.xx

PROBLEM

    Michal Zalewski found the following.  In sendmail versions up to
    the recent 8.9.x, any user may pass the -bi parameter to
    /usr/sbin/sendmail, which triggers a rebuild of the aliases
    database.  There's no reason to allow this, but no matter:
    something rather stupid is done during the rebuild:

        5366  open("/etc/aliases.db", O_RDWR|O_TRUNC) = 6

    What bad luck!  There's a delay of approx. 0.1 sec due to
    /etc/aliases processing (on the tested system).  In the meantime,
    a luser might deliver any signal to the sendmail process...
    SIGKILL is quite good.  After that, /etc/aliases.db is left in an
    unusable state (no EOF marker), causing a DoS:

        220 Marchew ESMTP Mail Service at nimue.ids.pl ready.
        mail from: myself
        451 Cannot open hash database /etc/aliases: Invalid argument
        rcpt to: lcamtuf
        503 Need MAIL before RCPT

    The exploit is trivial.
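
    Added example, not code from the advisory or from sendmail: the
    in-place O_TRUNC rebuild seen in the trace beside a rebuild that
    writes a temporary file and rename()s it over the live map, so an
    interrupted rebuild leaves the old database readable.  The function
    names, the ".new" suffix and the die_midway flag (which stands in
    for the process being killed) are assumptions.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write the map; die_midway stops after half the bytes, standing in for
 * the rebuilding process being killed (constructed failure). */
static int write_map(int fd, const char *buf, size_t len, int die_midway)
{
    size_t want = die_midway ? len / 2 : len;
    if (write(fd, buf, want) != (ssize_t)want)
        return -1;
    return die_midway ? -1 : 0;
}

/* Pattern in the trace: live file truncated before the new data exists. */
int rebuild_in_place(const char *path, const char *buf, size_t len, int die_midway)
{
    int fd = open(path, O_RDWR | O_TRUNC);
    if (fd < 0)
        return -1;
    int rc = write_map(fd, buf, len, die_midway);
    close(fd);
    return rc;
}

/* Hardened: build a temp file, flush it, then rename() it over the live one. */
int rebuild_atomic(const char *path, const char *buf, size_t len, int die_midway)
{
    char tmp[4096];
    snprintf(tmp, sizeof tmp, "%s.new", path);   /* assumed temp name */
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        return -1;
    int rc = write_map(fd, buf, len, die_midway);
    if (rc == 0 && (fsync(fd) != 0 || rename(tmp, path) != 0))
        rc = -1;
    close(fd);
    if (rc != 0)
        unlink(tmp);   /* after a real SIGKILL tmp would remain; path is intact */
    return rc;
}

/* Size of the file at path, or -1 if it cannot be stat'ed. */
long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}
```

    Because rename() replaces the directory entry in one step, readers
    see either the complete old map or the complete new one.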

SOLUTION

    The solution is trivial too.  Sendmail has limited the newaliases
    command to root and trusted users in 8.10.0.Beta7.  They also
    deprecated the AutoRebuildAliases option since, if it is set, a
    similar attack may be possible.  The AutoRebuildAliases
    functionality is intended to be removed in a future version.
    Below is a patch against sendmail 8.9.3 for those who want to
    protect against this denial of service attack.  The sendmail 8.9.3
    patch:

    --- main.c~orig	Sat Jan  9 15:31:13 1999
    +++ main.c	Wed Nov 17 19:04:44 1999
    @@ -984,6 +984,18 @@
 		    usrerr("Permission denied");
 		    finis(FALSE, EX_USAGE);
 	    }
    +	if (OpMode == MD_INITALIAS &&
    +	    RealUid != 0 &&
    +	    RealUid != TrustedUid &&
    +	    !wordinclass(RealUserName, 't'))
    +	{
    +		if (LogLevel > 1)
    +			sm_syslog(LOG_ALERT, NOQID,
    +				  "user %d attempted to rebuild the alias map",
    +				  RealUid);
    + 		usrerr("Permission denied");
    + 		finis(FALSE, EX_USAGE);
    + 	}

 	    if (MeToo)
 		    BlankEnvelope.e_flags |= EF_METOO;
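
    Review bot: the added check in main.c gates only
    OpMode == MD_INITALIAS, so a rebuild started through the
    AutoRebuildAliases option (which the text above says may allow a
    similar attack) is not covered by this hunk; the patch notes should
    tell 8.9.3 sites to leave that option unset as well.  The syslog
    call is skipped unless LogLevel > 1 and records only RealUid;
    RealUserName is already used in the condition and could be logged
    too.  The last three added lines (usrerr, finis and the closing
    brace) have a space before the tabs, unlike the rest of the block.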

    Relevant products and architectures (all languages) for Cobalt:

        Product        Architecture        Vulnerable
        Qube1              MIPS                yes
        Qube2              MIPS                yes
        RaQ1               MIPS                yes
        RaQ2               MIPS                yes
        RaQ3               x86                 yes

    Conflicts:
    -RaQ 1-
      After installing the RPM you will need to move
      /etc/sendmail.cf.rpmsave to /etc/sendmail.cf and restart
      sendmail
    -Qube1-
      After installing the RPM you will need to move
      /etc/sendmail.cf.rpmsave to /etc/sendmail.cf

    If you are installing this sendmail on a Qube 1 you will need to
    do a couple of things before installing the rpm.  After Qube1 we
    moved all the rc scripts into initscripts-cobalt; due to the way
    the rpm was built you might need to do the following.  (This will
    be automated when the package is released):

        1. Type as root:
           cp /etc/rc.d/init.d/sendmail /root/sendmail.tmp
        2. Install the rpm using:
           rpm -U sendmail-8.8.8-1C4.mips.rpm
        3. Type as root:
           mv /root/sendmail.tmp /etc/rc.d/init.d/sendmail
           mv /etc/rc.d/rc0.d/K30sendmail.rpmsave /etc/rc.d/rc0.d/K30sendmail
           mv /etc/rc.d/rc1.d/K30sendmail.rpmsave /etc/rc.d/rc1.d/K30sendmail
           mv /etc/rc.d/rc2.d/S60sendmail.rpmsave /etc/rc.d/rc2.d/S60sendmail
           mv /etc/rc.d/rc3.d/S80sendmail.rpmsave /etc/rc.d/rc3.d/S80sendmail
           mv /etc/rc.d/rc5.d/S80sendmail.rpmsave /etc/rc.d/rc5.d/S80sendmail
           mv /etc/rc.d/rc6.d/K30sendmail.rpmsave /etc/rc.d/rc6.d/K30sendmail

    RPMS:

    -RaQ 3-
        ftp://ftp.cobaltnet.com/pub/experimental/security/i386/sendmail-8.9.3-C7.i386.rpm
    -RaQ 2 Qube 2-
        ftp://ftp.cobaltnet.com/pub/experimental/security/mips/sendmail-8.9.3-C7.mips.rpm
    -RaQ 1 Qube 1-
        ftp://ftp.cobaltnet.com/pub/experimental/security/mips/sendmail-8.8.8-1C4.mips.rpm

    SRPMS:

    -RaQ 3 RaQ 2 Qube 2-
        ftp://ftp.cobaltnet.com/pub/experimental/security/srpms/sendmail-8.9.3-C7.src.rpm
    -RaQ 1 Qube 1-
        ftp://ftp.cobaltnet.com/pub/experimental/security/mips/sendmail-8.8.8-1C4.mips.rpm

    For Debian

        http://security.debian.org/dists/stable/updates/source/sendmail_8.9.3-3slink1.diff.gz
        http://security.debian.org/dists/stable/updates/source/sendmail_8.9.3-3slink1.dsc
        http://security.debian.org/dists/stable/updates/source/sendmail_8.9.3.orig.tar.gz

        http://security.debian.org/dists/stable/updates/binary-alpha/sendmail_8.9.3-3slink1_alpha.deb
        
        http://security.debian.org/dists/stable/updates/binary-i386/sendmail_8.9.3-3slink1_i386.deb
        
        http://security.debian.org/dists/stable/updates/binary-m68k/sendmail_8.9.3-3slink1_m68k.deb
        
        http://security.debian.org/dists/stable/updates/binary-sparc/sendmail_8.9.3-3slink1_sparc.deb