Sendmail Decode Vulnerability
CVE-1999-0096
Impact
Anyone who can send mail to the host may be able to create or overwrite files anywhere
that the user sendmail runs piped aliases as (typically daemon, on some older systems root)
is allowed to write. For example, they could plant a
.rhosts
file in a user's home directory and then log in to the system with rlogin or rsh without a password.
Background
Sendmail, first
released circa 1983, is a mail router program, and was designed to route
email between peers on a network and also to route mail between networks.
Note that sendmail is a routing program, and not an application that
an ordinary user would use to format and send messages. Instead, sendmail
accepts formatted messages from an email program
(such as Outlook Express,
Eudora or
Pegasus), and then sends them to the appropriate recipients. The message is sent
using the Simple
Mail Transfer Protocol (SMTP), which was designed to be a reliable
and effective transport for mail messages.
The Problem
The problem lies in the fact that in older versions of sendmail, the default /etc/aliases
file ships with aliases that pipe incoming mail into the
uuencode and uudecode
programs (uuencode turns a binary file into printable text for mailing, and uudecode reverses
the process). The aliases file tells sendmail either where to deliver mail for a given
local address or what program to run when mail arrives for that address. For instance,
the aliases file on a system running sendmail in the acme.com domain may contain a line
of text that looks like this:
Decode: "|/usr/bin/uudecode"
This means that whenever an email message is sent to decode@acme.com, sendmail launches
the uudecode program and feeds it the message. The program runs with the privileges sendmail
uses for piped aliases, typically the daemon user, and on some older systems root. The
vulnerability lies in the fact that uudecode does not ask where to put its output: it takes
the file name and permission bits from the begin line of the encoded data, which the sender
of the message controls. Anyone who can send mail to the host can therefore create or
overwrite any file that user is allowed to write, without ever logging in. Planting a .rhosts
file in a home directory, or, where the alias runs as root, altering system files outright,
gives the attacker a way onto the target system at a later date (and from there onto the
entire network). It is important to note that this path bypasses the normal login and access
controls entirely; once in, the attacker can modify other access files or read the password
file itself and go after further accounts.
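To make the mechanism concrete, here is an added shell example (not part of the original advisory): a constructed message addressed to the decode alias, and a small check that pulls the target file name and mode out of the uuencode begin line and flags any absolute path or dotfile. The sender address, target path and encoded body are made up for illustration; the check is the kind of thing a mail filter would do, not anything sendmail itself provides.

```shell
#!/bin/sh
# Added example (not from the original advisory): show what uudecode would
# do with a message piped through a "decode" alias. uudecode takes the
# output file name and permission bits from the "begin" line of the
# encoded data, so the sender of the message chooses where the file lands.
# The message below is constructed for illustration only.

SAMPLE_MESSAGE='From: attacker@example.net
To: decode@acme.com
Subject: hi

begin 644 /home/alice/.rhosts
$*R`K"@``
`
end'

# Print "<mode> <path>" for every uuencode begin line read from stdin.
# (Assumes the path contains no spaces, as uuencode itself produces.)
uu_targets() {
    awk '/^begin [0-7]+ /{print $2, $3}'
}

# Return 0 (danger) if the target is an absolute path or a dotfile,
# i.e. the sender is steering the write somewhere it has no business going.
is_dangerous_target() {
    # $1: path taken from a begin line
    case "$1" in
        /*|*/.*|.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "DANGER ..." or "ok ..." for each begin line in the message in $1.
classify_message() {
    printf '%s\n' "$1" | uu_targets | while read -r mode path; do
        if is_dangerous_target "$path"; then
            echo "DANGER mode=$mode path=$path"
        else
            echo "ok mode=$mode path=$path"
        fi
    done
}

# Usage: classify_message "$SAMPLE_MESSAGE"
# prints: DANGER mode=644 path=/home/alice/.rhosts
```

The point of the check is the path, not the encoded payload: whatever bytes follow the begin line, uudecode will write them with mode 644 to /home/alice/.rhosts if the user it runs as can write there.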
Resolution
The resolution to this problem is simply to delete the offending aliases from the
aliases file (usually /etc/aliases, or /usr/lib/aliases on older systems).
If you are not sure where your aliases file is, try either of the following commands:
whereis aliases or find / -name aliases -print (please note that the find command
may take a bit of time to complete). Once you have located the aliases file, remove
the decode and encode aliases, and any other alias that pipes mail into uudecode or a similar
program. You must have superuser privileges to modify this file, and the file may be edited
with any standard text editor. If you wish, you may comment out the lines containing the
aliases instead of deleting them (simply place a # at the beginning of each line to do so).
Once you have commented out or deleted the lines containing the aliases, save the file and then
run newaliases (equivalent to sendmail -bi), which rebuilds the alias database that sendmail
actually reads; until you do, the old aliases remain in effect. Afterwards, verify the fix by
sending a test message to decode@yourhost and confirming that it bounces as an unknown user
rather than being accepted.
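The procedure above as an added shell example (not part of the original advisory): it lists any alias whose target is a pipe into uudecode or uuencode, and writes a copy of the file with those lines commented out. The aliases file it operates on is a constructed sample; the regular expression and the alias names are assumptions and should be checked against your own file. On a real system you would edit the aliases file in place and then run newaliases, which this script deliberately does not do.

```shell
#!/bin/sh
# Added example (not from the original advisory): audit an aliases file for
# pipe aliases that invoke uudecode or uuencode, and neutralise them by
# commenting the lines out. The sample file and the regex are assumptions.

# Matches a non-comment alias whose target is a pipe ("|...") running
# uudecode or uuencode, e.g.:   decode: "|/usr/bin/uudecode"
DECODE_ALIAS_RE='^[^#][^:]*:[[:space:]]*"?\|.*uu(de|en)code'

# Print (with line numbers) every matching alias in the file given as $1.
find_decode_aliases() {
    grep -nE "$DECODE_ALIAS_RE" "$1"
}

# Number of matching aliases in $1 (0 when the file is clean).
count_decode_aliases() {
    find_decode_aliases "$1" | wc -l | tr -d ' '
}

# Write a copy of $1 to $2 with every matching alias commented out.
# Non-matching lines (postmaster, MAILER-DAEMON, ...) are left untouched.
disable_decode_aliases() {
    sed -E "s/($DECODE_ALIAS_RE)/# \\1/" "$1" > "$2"
}

# Constructed sample aliases file (not taken from any real host).
make_sample_aliases() {
    cat > "$1" <<'EOF'
# Basic system aliases -- these MUST be present.
postmaster: root
MAILER-DAEMON: postmaster
# Dangerous: pipes mail into uudecode, which writes to whatever path
# the encoded data's "begin" line names.
decode: "|/usr/bin/uudecode"
encode: "|/usr/bin/uuencode -"
nobody: /dev/null
EOF
}

# Demonstration on a throwaway copy; never touches /etc/aliases.
demo() {
    tmp=$(mktemp -d)
    make_sample_aliases "$tmp/aliases"
    echo "Offending aliases before:"
    find_decode_aliases "$tmp/aliases"
    disable_decode_aliases "$tmp/aliases" "$tmp/aliases.fixed"
    echo "Offending aliases after: $(count_decode_aliases "$tmp/aliases.fixed")"
    rm -rf "$tmp"
}
```

Running demo lists the decode and encode lines, then reports zero offending aliases in the fixed copy. Applied to the real file, the same sed expression followed by newaliases is the whole fix; keep the other aliases (postmaster, MAILER-DAEMON) intact, since sendmail requires them.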
Where Can I Read More About this?
The Sendmail Hole page contains a wealth
of information about various sendmail vulnerabilities. Another good source
of information about sendmail and security issues in general is the National
Institutes of Health's Improving
the Security of Your Site by Breaking Into It page. And, finally, you may wish to read the
CIAC
Sendmail Decode Advisory.