COMMAND

    vacation

SYSTEMS AFFECTED

    AIX  4.1  (if  public  domain  sendmail 8 installed), 4.2, FreeBSD
    (versions prior to  August 28, 1997),  NetBSD (versions prior  to
    NetBSD-current  19970828),  OpenBSD  (versions  prior  to July 29,
    1997), Solaris (all versions of  Solaris are vulnerable ONLY if  a
    public  domain  version  of  sendmail  has been installed), Linux,
    HP 9000 series 700/800 running HP-UX releases 9.X, 10.X and 11.0.

PROBLEM

    The following text is mostly  based on the Secure Networks  Inc.
    Security Advisory.  Vacation is used by the recipient of email  to
    notify the sender that they are not currently reading their  mail.
    This is installed by placing  a .forward file into your  directory
    containing a line as follows:

        \user, "|/usr/bin/vacation user"

    When  vacation  responds  to  an  incoming message, it invokes the
    sendmail  command,  specifying  the  address  of the sender on the
    command  line.   By  specifying  a  sendmail  command  line option
    rather  than  a  valid  email  address,  it  is  possible to cause
    sendmail  to  be  invoked  with  an  alternate configuration file.
    This alternate configuration  file can be  previously sent to  the
    system via a separate email  message, or via anonymous FTP.   When
    parsed, this  new sendmail  configuration file  can cause sendmail
    to execute arbitrary commands on the remote system.

    By  specifying  the  originating  address  of  an email message to
    consist  of  a  path  to  an  alternate  configuration  file (i.e.
    -C/var/mail/user), the vacation program will invoke sendmail,  and
    use  /var/mail/user  as  the  configuration  file.   If the user's
    mailbox contains  valid sendmail  configuration options,  sendmail
    will treat the user's mail spool as a sendmail configuration file.
    Sendmail  can  be  induced to execute arbitrary shell commands from
    its configuration file.  Variations on this attack may be possible
    using  sendmail  options  other  than  -C.  Remote individuals can
    obtain access  to the  account of  any user  running the  vacation
    program.

    Originally this bug was discovered  back in 1994 (3 years  ago) by
    Liudvikas Bukys.

SOLUTION

    Until these fixes are applied, the vacation program should be
    disabled by removing exec permissions.

    IBM AIX
    =======

        AIX 4.1:  IX70228
        AIX 4.2:  IX70233

    If disabling vacation is not  desirable, there is a temporary  fix
    available via anonymous ftp:

        ftp://testcase.software.ibm.com/aix/fromibm/vacation.security.tar.Z

    HP-UX
    =====
    Install the applicable patch:

        HP-UX revision 11.X for HP9000 Series 7/800:       PHNE_16295
        HP-UX revision 10.24 for HP9000 Series 7/800:      PHNE_16955
        HP-UX revision 10.20 for HP9000 Series 7/800:      PHNE_14042
        HP-UX revision 10.0X-10 for HP9000 Series 7/800:   PHNE_16726
        HP-UX revision 9.X  for HP9000 Series 7/800:       PHNE_16725

    OpenBSD 2.1
    ===========
    This problem  is present  in OpenBSD-current  prior to  August 29,
    1997.

    FreeBSD
    =======
    FreeBSD has corrected this  problem in 2.1-stable, 2.2-stable  and
    3.0-current as of August 28, 1997.  This problem will be fixed  in
    the upcoming 2.2.5-RELEASE and 3.0-RELEASE versions of FreeBSD.

    NetBSD
    ======
    Upgrade  to  a  version  of  NetBSD-current newer than 19970828 or
    apply the fix provided below.

    SunOS
    =====
    The  following  patches  are  available  in  relation to the above
    problem:

        OS version          Patch ID
        ----------          --------
        SunOS 5.6           105518-01
        SunOS 5.6_x86       105519-01
        SunOS 5.5.1         105520-01
        SunOS 5.5.1_x86     105521-01
        SunOS 5.5           105533-01
        SunOS 5.5_x86       105534-01
        SunOS 5.4           102066-21
        SunOS 5.4_x86       102064-19
        SunOS 5.3           101782-02
        SunOS 4.1.4         105466-01*
        SunOS 4.1.3_U1      105465-01*

        * Patches are  available only for  Sun's implementation of  V8
          sendmail.   Sun  recommends  that  customers  using Sun's V5
          sendmail upgrade to Sun's V8 sendmail.

    Other
    =====
    Obtain a patched version of vacation at the following location:

        ftp://ftp.secnet.com/pub/patches/vacation.tar.Z

    The following  patch, suggested  independently by  Eric Allman and
    Keith  Bostic,  solves  the  problem.   Note  that  SNI  has *not*
    verified  that  sendmail  versions  other  than sendmail version 8
    properly emulate  getopt() in  their interpretation  of the option
    "--".   If  you  are  applying  this  patch to an operating system
    which ships  with a  modified or  older version  of sendmail,  you
    should verify  that the  sendmail command-line  options which  are
    *not* parsed using getopt() are still ignored when they are preceded
    by a '--' option.

    The following line in vacation.c:

        execl(_PATH_SENDMAIL, "sendmail", "-f", myname, from, NULL);

    should be substituted with:

        execl(_PATH_SENDMAIL, "sendmail", "-f", myname, "--", from, NULL);