Sendmail Decode Vulnerability

CVE-1999-0096

Impact

A user may be able to write to any file owned by any user. For example, they could add .rhosts files and thereby gain access to the system.

Background

Sendmail, first released circa 1983, is a mail router program, and was designed to route email between peers on a network and also to route mail between networks. Note that sendmail is a routing program, and not an application that an ordinary user would use to format and send messages. Instead, sendmail accepts formatted messages from an email program (such as Outlook Express, Eudora or Pegasus), and then sends them to the appropriate recipients. The message is sent using the Simple Mail Transfer Protocol (SMTP), which was designed to be a reliable and effective transport for mail messages.

The Problem

The problem lies in the fact that in older versions of sendmail, the uuencode and uudecode programs (used to encode and decode email messages, respectively) are referenced in the /etc/aliases file. Sendmail uses this file either to route email messages to the proper mail accounts or to perform certain actions when mail is sent to a particular email address. For instance, the aliases file on a system running sendmail in the acme.com domain may contain a line of text that looks like this:

This means, essentially, that whenever an email message is sent to decode@acme.com, the uudecode program will be launched and will run with the same privileges as the sendmail program itself. The vulnerability lies in the fact that certain commands may be placed into the message, which would then be executed with the same privileges as the sendmail process. By this method, a hacker could write files to the system, modify files or alter system files, all of which could make it easier for the hacker to break into the target system (and thus the entire network) at a later date. It is important to note that by executing commands this way, a malicious user is able to bypass all system security, especially if he or she is able to modify various access files (or even read the password file itself).

Resolution

The resolution to this problem is simply to delete the offending aliases from the aliases file (usually located in the /etc or /usr/lib directory). If you are not sure where your aliases file is, try either of the following commands: whereis aliases or find / -name aliases -print (please note that the find command may take some time to complete). Once you have located the aliases file, remove the offending aliases, such as decode and encode. You must have superuser privileges to modify this file, and the file may be edited with any standard text editor. If you prefer, you may comment out the lines containing these aliases instead of deleting them (simply place a # at the beginning of each such line). Once you have commented out or deleted the lines containing the offending aliases, save the file and then run the program named newaliases, which rebuilds sendmail's alias database from the updated aliases file.
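As an added example (not part of the original advisory), the following script audits an aliases file for program aliases, i.e. entries whose target pipes mail into a command, and writes a copy with named aliases commented out as the resolution above describes. The aliases file it operates on is constructed here for the example; the uudecode/uuencode paths in it are assumed.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a sendmail aliases file for
# program aliases, i.e. targets that pipe mail into a command such as the
# decode/encode entries, and produce a copy with named aliases commented out.
# The sample aliases file below is constructed for this example.

# Print the name of every alias whose target begins with "|".
# Handles one alias per line; sendmail continuation lines are not joined.
find_program_aliases() {
    awk -F: '
        /^[[:space:]]*#/ || NF < 2 { next }     # comments, blanks, no colon
        $2 ~ /^[[:space:]]*"?[|]/ { print $1 }  # target is a piped program
    ' "$1"
}

# Copy aliases FILE to stdout with each NAME given after it commented out,
# by prefixing "#" as the advisory describes. Other lines are unchanged.
disable_aliases() {
    file=$1; shift
    awk -v names="$*" '
        BEGIN { n = split(names, list, " "); for (i = 1; i <= n; i++) want[list[i]] = 1 }
        {
            name = $0; sub(/[[:space:]]*:.*/, "", name)   # text before the colon
            if (name in want && $0 !~ /^[[:space:]]*#/) print "#" $0; else print
        }
    ' "$file"
}

# Write a constructed aliases file modelled on the vulnerable configuration.
write_sample_aliases() {
    cat > "$1" <<'EOF'
# Basic system aliases -- these MUST be present.
MAILER-DAEMON: postmaster
postmaster: root
# Programs that use the mail system
decode: "|/usr/bin/uudecode"
encode: "|/usr/bin/uuencode"
nobody: /dev/null
EOF
}

# Demonstration on the constructed sample. On a real system you would copy
# the fixed file back over the aliases file and then run newaliases.
sample=${TMPDIR:-/tmp}/aliases.sample.$$
write_sample_aliases "$sample"
echo "Program aliases before:"; find_program_aliases "$sample"
disable_aliases "$sample" decode encode > "$sample.fixed"
echo "Program aliases after:"; find_program_aliases "$sample.fixed"
rm -f "$sample" "$sample.fixed"
```

Any alias the audit still lists after the fix (for example a mailing-list manager) is a program alias by design and should be reviewed on its own merits rather than removed blindly.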

Where Can I Read More About this?

The Sendmail Hole page contains a wealth of information about various sendmail vulnerabilities. Another good source of information about sendmail and security issues in general is the National Institutes of Health's Improving the Security of Your Site by Breaking Into It site. Finally, you may wish to view the CIAC Sendmail Decode Advisory.