Date: Thu, 21 Nov 2002 15:35:43 -0800
From: security@caldera.com
To: bugtraq@securityfocus.com, announce@lists.caldera.com,
Subject: Security Update: [CSSA-2002-052.0] Linux: sendmail smrsh bypass vulnerabilities
--yr/DzoowOgTDcSCF
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@li=
nuxsecurity.com full-disclosure@lists.netsys.com
___________________________________________________________________________=
___
SCO Security Advisory
Subject: Linux: sendmail smrsh bypass vulnerabilities=20
Advisory number: CSSA-2002-052.0
Issue date: 2002 November 21
Cross reference:
___________________________________________________________________________=
___
1. Problem Description
From the iDEFENSE Security Advisory 10.01.02:
It is possible for an attacker to bypass the restrictions
imposed by The Sendmail Consortium's Restricted Shell (SMRSH)
and execute a binary of his choosing by inserting a special
character sequence into his .forward file. SMRSH is an
application intended as a replacement for sh for use in
Sendmail.
2. Vulnerable Supported Versions
System Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server prior to sendmail-8.11.6-11.i386.rpm
prior to sendmail-cf-8.11.6-11.i386.rpm
prior to sendmail-doc-8.11.6-11.i386.rpm
OpenLinux 3.1.1 Workstation prior to sendmail-8.11.6-11.i386.rpm
prior to sendmail-cf-8.11.6-11.i386.rpm
prior to sendmail-doc-8.11.6-11.i386.rpm
OpenLinux 3.1 Server prior to sendmail-8.11.6-11.i386.rpm
prior to sendmail-cf-8.11.6-11.i386.rpm
prior to sendmail-doc-8.11.6-11.i386.rpm
OpenLinux 3.1 Workstation prior to sendmail-8.11.6-11.i386.rpm
prior to sendmail-cf-8.11.6-11.i386.rpm
prior to sendmail-doc-8.11.6-11.i386.rpm
3. Solution
The proper solution is to install the latest packages. Many
customers find it easier to use the Caldera System Updater, called
cupdate (or kcupdate under the KDE environment), to update these
packages rather than downloading and installing them by hand.
4. OpenLinux 3.1.1 Server
4.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-052.0/RPMS
4.2 Packages
801885a99b80d0efed1356ecad6768be sendmail-8.11.6-11.i386.rpm
fdc3ec861fb77a8d5efd80c711c77dfe sendmail-cf-8.11.6-11.i386.rpm
d33bbd8db1d0347a5b03487b2c4e01c8 sendmail-doc-8.11.6-11.i386.rpm
4.3 Installation
rpm -Fvh sendmail-8.11.6-11.i386.rpm
rpm -Fvh sendmail-cf-8.11.6-11.i386.rpm
rpm -Fvh sendmail-doc-8.11.6-11.i386.rpm
4.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-052.0/SRPMS
4.5 Source Packages
17e678b9e82b3ea5e06b036efec4f4ad sendmail-8.11.6-11.src.rpm
5. OpenLinux 3.1.1 Workstation
5.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-052.0/=
RPMS
5.2 Packages
b27b55dc5bd43eaad0436859ec7550c3 sendmail-8.11.6-11.i386.rpm
ecf5c724d092d9d3a6b97f5634325cb5 sendmail-cf-8.11.6-11.i386.rpm
2c4f99b24b5807d3e4a15b144a7660fa sendmail-doc-8.11.6-11.i386.rpm
5.3 Installation
rpm -Fvh sendmail-8.11.6-11.i386.rpm
rpm -Fvh sendmail-cf-8.11.6-11.i386.rpm
rpm -Fvh sendmail-doc-8.11.6-11.i386.rpm
5.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-052.0/=
SRPMS
5.5 Source Packages
c9f0ecff09724880e8a01bbce9cf0364 sendmail-8.11.6-11.src.rpm
6. OpenLinux 3.1 Server
6.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-052.0/RPMS
6.2 Packages
9e2dd5db944ef26a1655c61946861449 sendmail-8.11.6-11.i386.rpm
75e3ace99d3b19a81bf5464768788ba0 sendmail-cf-8.11.6-11.i386.rpm
8872f76c94f6f23b7aad009053592cbf sendmail-doc-8.11.6-11.i386.rpm
6.3 Installation
rpm -Fvh sendmail-8.11.6-11.i386.rpm
rpm -Fvh sendmail-cf-8.11.6-11.i386.rpm
rpm -Fvh sendmail-doc-8.11.6-11.i386.rpm
6.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-052.0/SRPMS
6.5 Source Packages
146c778258b59082f0ee0ba235bfbc7b sendmail-8.11.6-11.src.rpm
7. OpenLinux 3.1 Workstation
7.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-052.0/RP=
MS
7.2 Packages
d267d43ae1a996598d5d4b605ff6ae49 sendmail-8.11.6-11.i386.rpm
a4dfa76da9d2bb9e6bc5ec96b82a0e02 sendmail-cf-8.11.6-11.i386.rpm
860b4aa74905e1d9093fb0d121f77dc8 sendmail-doc-8.11.6-11.i386.rpm
7.3 Installation
rpm -Fvh sendmail-8.11.6-11.i386.rpm
rpm -Fvh sendmail-cf-8.11.6-11.i386.rpm
rpm -Fvh sendmail-doc-8.11.6-11.i386.rpm
7.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-052.0/SR=
PMS
7.5 Source Packages
0dcc6753c98c6b618297dc5c03c22932 sendmail-8.11.6-11.src.rpm
8. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2002-1165
SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr869922, fz526234,
erg712134.
9. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.
10. Acknowledgements
zen-parse (zen-parse@gmx.net) and Pedram Amini
(pamini@idefense.com) discovered and researched these
vulnerabilities.
___________________________________________________________________________=
___
--yr/DzoowOgTDcSCF
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj3dbc4ACgkQbluZssSXDTGBaQCdFhaSzmaLY+XEUP9DAUL1p7nj
7kwAn0Rzs7BzSi+OyVG9rGKEdipe9cf4
=2Xbf
-----END PGP SIGNATURE-----
--yr/DzoowOgTDcSCF--
