Sendmail Vulnerabilities

CVE-1999-0047
CVE-1999-0095
CVE-1999-0206

Summary

Versions of sendmail prior to 8.8.5 have a variety of vulnerabilities. Older versions of sendmail may also have the SMTP DEBUG command enabled, which allows a malicious user to gain access to the system.

Impact

Malicious users exploiting these vulnerabilities are able to gain unauthorized access, possibly even root access, to a target system.

Background

Sendmail, first released circa 1983, is a mail router program, and was designed to route email between peers on a network and also to route mail between networks. Note that sendmail is a routing program, and not an application that an ordinary user would use to format and send messages. Instead, sendmail accepts formatted messages from an email program (such as Outlook Express, Eudora or Pegasus), and then sends them to the appropriate recipients. The message is sent using the Simple Mail Transfer Protocol (SMTP), which was designed to be a reliable and effective transport for mail messages.

The Problems

There are two vulnerabilities in versions of sendmail up to and including 8.7.5. By exploiting the first, a user with a local account can gain the privileges of the default user (often daemon). By exploiting the second, any local user can gain root access. Both vulnerabilities can only be exploited by local users (i.e., users who have accounts on the target machine). These vulnerabilities are described in CERT Advisory CA-96.20.

Versions 8.7 through 8.8.2 of sendmail have a vulnerability that can be used to gain root access. Sendmail is often run in daemon mode so it can "listen" for incoming mail connections on the standard SMTP networking port (usually port 25). The root user is the only user allowed to start sendmail in this way, and sendmail contains code intended to enforce this restriction. Due to a coding error, sendmail can be invoked in daemon mode in a way that bypasses the built-in check, so any local user is able to start sendmail in daemon mode. By manipulating the environment in which sendmail runs, the user can then have sendmail execute an arbitrary program with root privileges. This vulnerability can only be exploited by local users (i.e., users who have accounts on the target machine). CERT Advisory CA-96.24 describes this vulnerability, and also describes additional vulnerabilities in versions 8.8.0 and 8.8.1 of sendmail.

Version 8 of sendmail (8.8.x releases up to and including 8.8.3) has a vulnerability that a local user can exploit to run programs with the group permissions of other users. For the exploitation to succeed, group-writable files must exist on the same file system as a file that the attacker can convince sendmail to trust. This vulnerability can only be exploited by local users (i.e., users who have accounts on the target machine). This vulnerability is described in CERT Advisory CA-96.25.

CVE-1999-0047

Versions 8.8.3 and 8.8.4 of sendmail have a serious security vulnerability, a buffer overflow in sendmail's MIME conversion code, that allows remote users to execute arbitrary commands on the local system with root privileges. By sending a carefully crafted email message to a system running a vulnerable version of sendmail, an intruder may be able to force sendmail to execute arbitrary commands with root privileges. Those commands run on the same system where the vulnerable sendmail is running. Because the attack is carried in an ordinary mail message delivered over SMTP, it can be exploited despite firewalls and other network boundary protections that allow mail through. An attacker does not need a local account to exploit this vulnerability. This vulnerability is described in CERT Advisory CA-97.05.

CVE-1999-0095

An older vulnerability that keeps showing up from time to time is sendmail running with the DEBUG command enabled. A sendmail that accepts DEBUG on its SMTP port allows a malicious user to gain access through sendmail without needing a local account.
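The two remote checks the Summary and the DEBUG section above imply, turned into code you can run: read the 220 greeting, parse the version sendmail announces, compare it with the 8.8.5 threshold, then send DEBUG and classify the reply. This is an added example, not part of the original advisory or of sendmail itself. The hostnames, dates and scripted replies are constructed; only `probe_host` opens a real connection, and it should be pointed only at systems you are authorized to test.

```python
import re
import socket

# The Resolution section puts the fix at 8.8.5; anything older that still
# announces itself in its greeting is a candidate for the issues above.
FIXED_VERSION = (8, 8, 5)

# Sendmail greets with e.g. "220 host ESMTP Sendmail 8.8.4/8.8.4; <date>";
# older 5.x releases print only two components ("Sendmail 5.61/1.36").
BANNER_RE = re.compile(r"\bSendmail\s+(\d+)\.(\d+)(?:\.(\d+))?")


def parse_sendmail_version(banner):
    """Return (major, minor, patch) from the 220 greeting, or None if it does not name sendmail."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_pre_fix(version):
    """True for any sendmail release older than 8.8.5 (None, i.e. not sendmail, is not flagged)."""
    return version is not None and version < FIXED_VERSION


def debug_accepted(reply):
    """CVE-1999-0095: a 2xx reply to DEBUG means the command is enabled; 5xx means it is refused."""
    return reply.startswith("2")


def probe(conn):
    """Run greeting / DEBUG / QUIT over any object with readline(), write() and flush().

    Returns the raw banner, the parsed version and the two findings.
    """
    banner = conn.readline().rstrip("\r\n")
    version = parse_sendmail_version(banner)
    conn.write("DEBUG\r\n")
    conn.flush()
    debug_reply = conn.readline().rstrip("\r\n")
    conn.write("QUIT\r\n")
    conn.flush()
    conn.readline()  # 221 closing connection
    return {
        "banner": banner,
        "version": version,
        "pre_8_8_5": is_pre_fix(version),
        "debug_reply": debug_reply,
        "debug_enabled": debug_accepted(debug_reply),
    }


def probe_host(host, port=25, timeout=10):
    """Probe a live SMTP listener (the only function here that touches the network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rw", encoding="ascii", errors="replace", newline="") as conn:
            return probe(conn)


class ScriptedConn:
    """Constructed in-memory stand-in for the socket file: canned replies, commands recorded."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []

    def readline(self):
        return self.replies.pop(0) if self.replies else ""

    def write(self, data):
        self.sent.append(data)

    def flush(self):
        pass


# Constructed sample exchanges (hostnames, dates and replies are made up, not captured).
OLD_HOST_REPLIES = [
    "220 relay.example.com Sendmail 5.61/1.36 ready at Tue, 11 Nov 1997 10:00:00 -0500\r\n",
    "200 Debug set\r\n",
    "221 relay.example.com closing connection\r\n",
]
PATCHED_HOST_REPLIES = [
    "220 mail.example.com ESMTP Sendmail 8.9.3/8.9.3; Tue, 11 Nov 1997 10:00:00 -0500\r\n",
    '500 Command unrecognized: "DEBUG"\r\n',
    "221 mail.example.com closing connection\r\n",
]


if __name__ == "__main__":
    for name, replies in (("old", OLD_HOST_REPLIES), ("patched", PATCHED_HOST_REPLIES)):
        print(name, probe(ScriptedConn(replies)))
```

The version check is only as good as the banner: a site that rewrites its greeting will show up as "not sendmail", so treat a missing version as "unknown" rather than "patched". The DEBUG probe, by contrast, tests behaviour directly and does not depend on what the banner says.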

Resolution

To correct these vulnerabilities, replace sendmail with a more recent version, currently 8.9. Alternatively, obtain the latest fixed or patched version of sendmail from your vendor.

Where can I read more about this?

To read more about the sendmail vulnerabilities, read CERT Advisories CA-97.05, CA-96.25, CA-96.24, and CA-96.20. Also see the Admin Guide to Cracking for additional vulnerabilities in sendmail.