NASIRC BULLETIN #93-06                                     November 4, 1993

UNIX SECURITY VULNERABILITY IN SENDMAIL(8)
===========================================================================
           NASA Automated Systems Incident Response Capability
===========================================================================

**THIS BULLETIN APPLIES TO ALL UNIX PLATFORMS**

NASIRC has received additional information regarding the vulnerability in
the sendmail program which was initially described in NASIRC Bulletin
#93-04. The information in this bulletin supersedes the sendmail portion
of that previously issued NASIRC bulletin.

At this time, there are no known patches available for any vendor
implementation that fully address this vulnerability. Until vendor
patches are available, NASIRC recommends that all implementations of
sendmail be considered vulnerable. Additionally, code which exploits this
vulnerability has been posted to the public Internet community. Systems
that do not take steps to close this security hole are at great risk of
being exploited.

Included with this advisory is an appendix describing tips that can be
used by system administrators who are concerned about the possible
exploitation of this vulnerability at their site.

============================================================

ADDITIONAL INFORMATION:

A vulnerability exists in most versions of sendmail that, if exploited by
remote or local users via SMTP, allows programs to execute on behalf of any
system user (other than root). This vulnerability affects the final
destination sendmail host, and can be exploited through an intermediate
mail machine. Therefore, all sendmail recipient machines within a domain
are potentially vulnerable.
SUGGESTED WORKAROUNDS:

NASIRC recommends three possible approaches to this problem. Although
these approaches address all known aspects of this vulnerability, they are
suggested only until vendor patches for this sendmail vulnerability are
available. Familiarity with sendmail and its installation and
configuration is recommended before implementing these modifications.

In order to protect your entire site it is necessary to apply the selected
approach to *ALL* systems running sendmail at the site, and not just a
mail gateway.

A. Approach 1

   This approach involves modifying the sendmail configuration to restrict
   the sendmail program mailer facility. To restrict sendmail's program
   mailer facility, obtain and install the sendmail restricted shell
   program (smrsh 1.2) by Eric Allman (the original author of sendmail),
   following the directions included with the program.

   1. Where to obtain the program

      Copies of this program may be obtained via anonymous FTP from
      ftp.uu.net in the /pub/security/smrsh directory.

      Checksum information:

      BSD Sum
         30114     5 README
         25757     2 smrsh.8
         46786     5 smrsh.c

      System V Sum
         56478    10 README
         42281     4 smrsh.8
         65517     9 smrsh.c

      MD5 Checksum
         MD5 (README)  = fc4cf266288511099e44b664806a5594
         MD5 (smrsh.8) = 35aeefba9714f251a3610c7b1714e355
         MD5 (smrsh.c) = d4822ce7c273fc8b93c68e39ec67739c

   2. Impacts of this approach

      While this approach allows a site to specify which programs can be
      run by sendmail (e.g. vacation(1)), attempts to invoke programs that
      are not included in the allowed set, or attempts using shell
      meta-characters (see the smrsh program listing for a complete set of
      disallowed characters), will fail, resulting in log output to the
      syslog(3) facility. Programs that are specified in a site's
      /etc/aliases file should be considered for inclusion in the
      allowable program list.
      Since .forward files allow user-specified programs to be run by
      sendmail, a survey of the contents of the system's .forward files
      may be required to prevent failure to deliver user mail.

      *** WARNING ***************************************************
      * It is very important that sites *NOT* include interpreter   *
      * programs (e.g. /bin/sh, /bin/csh, /bin/perl, /bin/uudecode, *
      * /bin/sed, ...) in the list of allowed programs.             *
      ***************************************************************

B. Approach 2

   Like Approach 1, this approach involves modifying the sendmail
   configuration. However, this approach completely disables the sendmail
   program mailer facility. This is a drastic, but quick, action that can
   be taken while a site installs one of the other suggestions.

   Before implementing this approach, save a copy of the current sendmail
   configuration file. To implement this approach edit the sendmail.cf
   file:

   change from:

      Mprog, P=/bin/sh, F=slFDM, S=10, R=20, A=sh -c $u

   to:

      Mprog, P=/bin/none, F=, S=10, R=20, A=

   Any changes to the sendmail.cf file will require that the sendmail
   process be restarted to ensure that the new configuration is used. See
   item 3 in Appendix A for more details.

   1. Impacts of this approach

      Attempts to invoke programs through sendmail will not be successful.

C. Approach 3

   To the best of our knowledge, Eric Allman's public domain
   implementation of sendmail, sendmail 8.6.4, does not appear to be
   susceptible to this vulnerability. A working solution would then be to
   replace a site's sendmail with sendmail 8.6.4.

   1. Where to obtain the program

      Copies of this version of sendmail may be obtained via anonymous FTP
      from ftp.cs.berkeley.edu in the /ucb/sendmail directory.
      Checksum information:

      BSD Sum
         sendmail.8.6.4.base.tar.Z:  07718   428
         sendmail.8.6.4.cf.tar.Z:    28004   179
         sendmail.8.6.4.misc.tar.Z:  57299   102
         sendmail.8.6.4.xdoc.tar.Z:  33954   251

      System V Sum
         64609   856 sendmail.8.6.4.base.tar.Z
         42112   357 sendmail.8.6.4.cf.tar.Z
          8101   203 sendmail.8.6.4.misc.tar.Z
         50037   502 sendmail.8.6.4.xdoc.tar.Z

      MD5 Checksum
         MD5 (sendmail.8.6.4.base.tar.Z) = 59727f2f99b0e47a74d804f7ff654621
         MD5 (sendmail.8.6.4.cf.tar.Z)   = cb7ab7751fb8b45167758e9485878f6f
         MD5 (sendmail.8.6.4.misc.tar.Z) = 8eaa6fbe9e9226667f719af0c1bde755
         MD5 (sendmail.8.6.4.xdoc.tar.Z) = a9da24e504832f21a3069dc2151870e6

   2. Impacts of this workaround

      Depending upon the currently installed sendmail program, switching to
      a different sendmail may require significant effort for the system
      administrator to become familiar with the new program. The site's
      sendmail configuration file may require considerable modification in
      order to provide existing functionality. In some cases, the site's
      sendmail configuration file may be incompatible with the sendmail
      8.6.4 configuration file.

--------------------------------

Security checklists, toolkits and guidance are available from the NASIRC
online archives. Contact the NASIRC Helpdesk for more information and
assistance with toolkits or security measures.

NASIRC ACKNOWLEDGES:

The ARPA/CERT for their effort and diligence in the coordination with the
vendor and Internet communities, and for providing the information
contained in Appendix A. We also acknowledge the participation of many of
the other FIRST teams in the development and testing of the workarounds to
this serious vulnerability.
==================================================================
For further assistance, please contact the NASIRC Helpdesk:

   Phone:                   1-800-7-NASIRC
   Fax:                     1-301-441-1853
   Internet Email:          nasirc@nasa.gov
   24 Hour/Emergency Pager: 1-800-759-7243/Pin:5460866
==================================================================

*** PLEASE NOTE NEW EMAIL AND FAX CONTACT INFORMATION ***

This bulletin may be forwarded without restrictions to sites and system
administrators within the NASA community.

-----------------

PLEASE NOTE: Users outside of the NASA community may receive NASIRC
bulletins. If you are not part of the NASA community, please contact your
agency's response team to report incidents. Your agency's team will
coordinate with NASIRC, who will ensure the proper internal NASA team(s)
are notified.

NASIRC is a member of the Forum of Incident Response and Security Teams
(FIRST), a world-wide organization which provides for coordination between
incident response teams in handling computer-security-related issues. A
list of FIRST member organizations and their constituencies can be
obtained by sending email to docserver@first.org with an empty subject
line and a message body containing the line:

   send first-contacts

============================== Appendix A ================================

This appendix describes tips that can be used by system administrators who
are concerned about the possible exploitation of this vulnerability at
their site.

There are two actions that can be taken by system administrators to try to
detect the exploitation of this vulnerability at their sites:

   - Examine all bounced mail to look for unusual occurrences.
   - Examine syslog files for unusual occurrences of "|" characters.

In order to do this, sendmail must be configured to direct bounced mail to
the postmaster (or other designated person who will examine the bounced
mail). Sendmail must also be configured to provide adequate logging.
1) To direct bounced mail to the postmaster, place the following entry in
   the options part of the general configuration information section of
   the sendmail.cf file.

      # Cc my postmaster on error replies I generate
      OPpostmaster

2) To set sendmail's logging level, place the following entry in the
   options part of the general configuration information section of the
   sendmail.cf file. Note that the logging level should be 9 or higher in
   order to provide adequate logging.

      # log level
      OL9

3) Once changes have been made in the sendmail configuration file, it will
   be necessary to kill all existing sendmail processes, refreeze the
   configuration file (if needed - see the note below), and restart the
   sendmail program. Here is an example from SunOS 4.1.2:

   As root:

      # /usr/bin/ps -aux | /usr/bin/grep sendmail
      root  130  0.0  0.0  168  0 ?  IW  Oct 2  0:10 /usr/lib/sendmail -bd -q
      # /bin/kill -9 130               (kill the current sendmail process)
      # /usr/lib/sendmail -bz          (create the configuration freeze file)
      # /usr/lib/sendmail -bd -q30m    (run the sendmail daemon)

   **Note: Some sites do not use frozen configuration files and some do.
   If your site is using frozen configuration files, there will be a file
   named sendmail.fc in the same directory as the sendmail configuration
   file (sendmail.cf).
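The syslog check from Appendix A and the /etc/aliases and .forward survey from Approach 1, as an added POSIX shell helper that is not part of this bulletin. The sample log lines, alias entries and .forward entry are constructed; the interpreter list is the one from the warning box, and a real run would point the functions at the live files.

```shell
#!/bin/sh
# Added audit helper, not from the NASIRC bulletin. Covers the syslog check
# in Appendix A and the aliases/.forward survey in Approach 1. All sample
# input below is constructed; in real use pass the live files instead.

# Interpreters the bulletin's warning box says must never be reachable
# through the program mailer (extend with anything else installed locally).
INTERPRETERS='sh|csh|ksh|perl|uudecode|sed'

# Appendix A: print sendmail syslog lines whose recipient is a "|program".
# Approved aliases (vacation, list servers) also produce these, so each hit
# must be compared by hand against the site's allowed-program list.
scan_syslog() {
    grep 'sendmail\[' "$1" | grep -E 'to="?[|]'
}

# Approach 1: list program recipients in an aliases or .forward file and
# mark those whose program is a shell or interpreter.
scan_program_recipients() {
    grep -F '|' "$1" | grep -v '^#' | while IFS= read -r line; do
        prog=$(printf '%s\n' "$line" | sed -E 's/.*[|][[:space:]]*"?([^[:space:]"]+).*/\1/')
        if printf '%s\n' "${prog##*/}" | grep -qE "^($INTERPRETERS)$"; then
            printf 'INTERPRETER %s\n' "$line"
        else
            printf 'PROGRAM     %s\n' "$line"
        fi
    done
}
# Constructed sample data (removed again when the script exits).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_LOG=$SAMPLE_DIR/syslog
SAMPLE_ALIASES=$SAMPLE_DIR/aliases
SAMPLE_FORWARD=$SAMPLE_DIR/forward
cat > "$SAMPLE_LOG" <<'EOF'
Nov  4 10:01:13 mail sendmail[215]: AA00213: to="|/usr/ucb/vacation bob", delay=00:00:01, stat=Sent
Nov  4 10:02:40 mail sendmail[220]: AA00220: to=<carol@example.org>, delay=00:00:00, stat=Sent
Nov  4 10:03:05 mail sendmail[224]: AA00224: to="|/bin/sh", delay=00:00:00, stat=Sent
EOF
cat > "$SAMPLE_ALIASES" <<'EOF'
# constructed aliases file
postmaster: root
bob: "|/usr/ucb/vacation bob"
EOF
cat > "$SAMPLE_FORWARD" <<'EOF'
\dave, "|/bin/csh -c /home/dave/filter"
EOF
printf '== syslog program recipients ==\n'; scan_syslog "$SAMPLE_LOG"
printf '== /etc/aliases ==\n';              scan_program_recipients "$SAMPLE_ALIASES"
printf '== ~dave/.forward ==\n';            scan_program_recipients "$SAMPLE_FORWARD"
```

Every PROGRAM line is a candidate for the smrsh allowed list; every INTERPRETER line is one the warning box says must not be allowed.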