Old Sendmail 8.8.*
------------------

CVE:
CVE-1999-0206, CVE-1999-0130, CVE-1999-0129, CVE-1999-0047,
CVE-1999-0478, CAN-1999-0684, CAN-1999-0098

Details:
An old version of Sendmail was found running. Numerous bugs are known to
exist in these versions:

 - Problem with environment variables that the resolver will examine 
during queue runs and daemon mode.
 - A buffer overflow when converting 7-bit MIME to 8-bit, allowing for 
remote root.
 - By lying about argv[0] and sending a signal, a local root shell is 
possible.
 - Elevated permissions can be gained by hard linking to files that were
group writable.
 - The TryNullMXList option is NOT safe: it can be used to DoS MX hosts that
use the null MX list, allowing for local and remote privilege escalation.
 - Sendmail will run as GID of caller even if RunAsUser is specified.
 - Buffer overflow allowing remote root in MIME code.
 - Sendmail on HP-UX <9.07 allows a symlink that points nowhere, allowing a
root-owned file to be created in an arbitrary directory.
 - Unauthorized reads and DoS by allowing symlinks when rebuilding alias 
or maps files in world-writable dirs.
 - Problems when some files are links and a dir in path is world-writable.
 - When GID for RunAsUser is specified numerically, it is ignored.
 - DoS condition in HP-UX.
 - File problems, including unauthorized file reads if unsafe paths are 
used, problems when maps or alias files are in world-writable dirs, and
local root if the ServiceSwitchFile option is a link in a world-writable
directory.
 - Bytes can be pushed back into the sender's input if a tty is passed to 
a mailer, allowing local root.
 - Privilege escalation if DontInitGroups list is empty.
 - Alternate GID for RunAsUser option doesn't work in 8.8.7-8.8.8 because 
of a check for non-suid bins.
 - Hijack of SMTP port possible using a half-open scan, argv[0], and 
SIGHUP.
 - Buffer overflow in SMTP HELO allowing root access.


Fix:
Upgrade to the latest version of Sendmail. 


Related URLs:
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.06a.sendmail.8.8.0-8.8.1.Vulnerability
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-96.15.sendmail.group.perms.vul
http://www.securityfocus.com/bid/685
http://www.securityfocus.com/bid/715
http://www.securityfocus.com/bid/716
http://www.securityfocus.com/bid/774
http://www.cert.org/advisories/CA-1997-05.html
http://www.sendmail.org/

$Id: sendmail8-8,v 1.1 2001/07/02 14:18:51 loveless Exp $
