Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » [CSSA-2002-052.0] Linux: sendmail smrsh bypass vulnerabilities

[CSSA-2002-052.0] Linux: sendmail smrsh bypass vulnerabilities

by Nikola Strahija on November 24th, 2002 It is possible for an attacker to bypass the restrictions imposed by The Sendmail Consortium's Restricted Shell (SMRSH) and execute a binary of his choosing by inserting a special character sequence into his .forward file. SMRSH is an application intended as a replacement for sh for use in Sendmail.


2. Vulnerable Supported Versions

System Package
----------------------------------------------------------------------

OpenLinux 3.1.1 Server prior to sendmail-8.11.6-11.i386.rpm
prior to sendmail-cf-8.11.6-11.i386.rpm
prior to sendmail-doc-8.11.6-11.i386.rpm

OpenLinux 3.1.1 Workstation prior to sendmail-8.11.6-11.i386.rpm
prior to sendmail-cf-8.11.6-11.i386.rpm
prior to sendmail-doc-8.11.6-11.i386.rpm

OpenLinux 3.1 Server prior to sendmail-8.11.6-11.i386.rpm
prior to sendmail-cf-8.11.6-11.i386.rpm
prior to sendmail-doc-8.11.6-11.i386.rpm

OpenLinux 3.1 Workstation prior to sendmail-8.11.6-11.i386.rpm
prior to sendmail-cf-8.11.6-11.i386.rpm
prior to sendmail-doc-8.11.6-11.i386.rpm


3. Solution

The proper solution is to install the latest packages. Many
customers find it easier to use the Caldera System Updater, called
cupdate (or kcupdate under the KDE environment), to update these
packages rather than downloading and installing them by hand.


4. OpenLinux 3.1.1 Server

4.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-052.0/RPMS

4.2 Packages

801885a99b80d0efed1356ecad6768be sendmail-8.11.6-11.i386.rpm
fdc3ec861fb77a8d5efd80c711c77dfe sendmail-cf-8.11.6-11.i386.rpm
d33bbd8db1d0347a5b03487b2c4e01c8 sendmail-doc-8.11.6-11.i386.rpm

4.3 Installation

rpm -Fvh sendmail-8.11.6-11.i386.rpm
rpm -Fvh sendmail-cf-8.11.6-11.i386.rpm
rpm -Fvh sendmail-doc-8.11.6-11.i386.rpm

4.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2002-052.0/SRPMS

4.5 Source Packages

17e678b9e82b3ea5e06b036efec4f4ad sendmail-8.11.6-11.src.rpm


5. OpenLinux 3.1.1 Workstation

5.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-052.0/RPMS

5.2 Packages

b27b55dc5bd43eaad0436859ec7550c3 sendmail-8.11.6-11.i386.rpm
ecf5c724d092d9d3a6b97f5634325cb5 sendmail-cf-8.11.6-11.i386.rpm
2c4f99b24b5807d3e4a15b144a7660fa sendmail-doc-8.11.6-11.i386.rpm

5.3 Installation

rpm -Fvh sendmail-8.11.6-11.i386.rpm
rpm -Fvh sendmail-cf-8.11.6-11.i386.rpm
rpm -Fvh sendmail-doc-8.11.6-11.i386.rpm

5.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2002-052.0/SRPMS

5.5 Source Packages

c9f0ecff09724880e8a01bbce9cf0364 sendmail-8.11.6-11.src.rpm


6. OpenLinux 3.1 Server

6.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-052.0/RPMS

6.2 Packages

9e2dd5db944ef26a1655c61946861449 sendmail-8.11.6-11.i386.rpm
75e3ace99d3b19a81bf5464768788ba0 sendmail-cf-8.11.6-11.i386.rpm
8872f76c94f6f23b7aad009053592cbf sendmail-doc-8.11.6-11.i386.rpm

6.3 Installation

rpm -Fvh sendmail-8.11.6-11.i386.rpm
rpm -Fvh sendmail-cf-8.11.6-11.i386.rpm
rpm -Fvh sendmail-doc-8.11.6-11.i386.rpm

6.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Server/CSSA-2002-052.0/SRPMS

6.5 Source Packages

146c778258b59082f0ee0ba235bfbc7b sendmail-8.11.6-11.src.rpm


7. OpenLinux 3.1 Workstation

7.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-052.0/RPMS

7.2 Packages

d267d43ae1a996598d5d4b605ff6ae49 sendmail-8.11.6-11.i386.rpm
a4dfa76da9d2bb9e6bc5ec96b82a0e02 sendmail-cf-8.11.6-11.i386.rpm
860b4aa74905e1d9093fb0d121f77dc8 sendmail-doc-8.11.6-11.i386.rpm

7.3 Installation

rpm -Fvh sendmail-8.11.6-11.i386.rpm
rpm -Fvh sendmail-cf-8.11.6-11.i386.rpm
rpm -Fvh sendmail-doc-8.11.6-11.i386.rpm

7.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1/Workstation/CSSA-2002-052.0/SRPMS

7.5 Source Packages

0dcc6753c98c6b618297dc5c03c22932 sendmail-8.11.6-11.src.rpm


8. References

Specific references for this advisory:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1165

SCO security resources:

http://www.sco.com/support/security/index.html

This security fix closes SCO incidents sr869922, fz526234,
erg712134.


9. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.


10. Acknowledgements

zen-parse ([email protected]) and Pedram Amini
([email protected]) discovered and researched these
vulnerabilities.


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »