[8lgm]-Advisory-24.UNIX.CERT.Advisory.CA-95:11.20-9-1995

PROGRAM:

sendmail_wrapper.c

VULNERABLE VERSIONS:

SunOS 4.1.*

DESCRIPTION:

• As a Solution to advisory:

  [[8lgm]-Advisory-21.UNIX.SunOS-sendmailV5.22-Aug-1995

• CERT advises the following.

  B. Install the sendmail wrapper available from ftp://ftp.cs.berkeley.edu/ucb/sendmail/sendmail_wrapper.c
  ftp://ftp.auscert.org.au/pub/auscert/tools/sendmail_wrapper.c

  Checksum:

  MD5 (sendmail_wrapper.c) = fb53f92b6fc539766cd69e8b08909ba1

This wrapper uses syslog(3) to report potential attacks. However this is performed in an insecure manner, and can be exploited as described in:

[8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995

IMPACT:

Local users can therefore obtain superuser privileges.

FIX:

In order to use syslog(3) in a secure manner, strings must be limited in length. Therefore to fix the call to syslog(3) we can do:

syslog( LOG_MAIL | LOG_ERR, "Possible SunOS sendmail attack specifying '-%c %.500s' by uid %d\n", argv[ i][ 1], cp, getuid());

STATUS UPDATE:

The file:

[8lgm]-Advisory-24.UNIX.CERT.Advisory.CA-95:11.20-9-1995.README

will be created on www.8lgm.org. This will contain updates on any further versions which are found to be vulnerable, and any other information received pertaining to this advisory.

FEEDBACK AND CONTACT INFORMATION:

	majordomo@8lgm.org	(Mailing list requests - try 'help'
				 for details)

	8lgm@8lgm.org		(Everything else)

8LGM FILESERVER:

All [8LGM] advisories may be obtained via the [8LGM] fileserver. For details, 'echo help | mail 8lgm-fileserver@8lgm.org'

8LGM WWW SERVER:

[8LGM]'s web server can be reached at http://www.8lgm.org. This contains details of all 8LGM advisories and other useful information.