===========================================================================
          [8lgm]-Advisory-20.UNIX.SunOS-sendmailV5.1-Aug-1995

PROGRAM:

	sendmail(8)

VULNERABLE VERSIONS:

	SunOS 4.1.*
	Sendmail v5 sources
	Potentially other vendor v5 based sendmails

DESCRIPTION:

	The method used by sendmail version 5 to open a control file
	is insecure.  A race condition exists whereby another process
	may obtain a control-file file descriptor, opened for write
	access.

IMPACT:

	Local users can write their own control files, and run programs
	as any user, bar root.  This increases chances of obtaining root
	access on the local system.

REPEAT BY:

	A program to exploit this vulnerability is available as of now.
	This program has been tested with the latest Sun patch, and should
	work on other platforms.  To obtain this program, send mail to 
	8lgm-fileserver@8lgm.org, with a line in the body of the message
	containing:-

	SEND grabfd.c

DISCUSSION:

	Sendmail v5, during execution, sets umask(0), which is an insecure
	mask.  In order not to leave open control files with mode 666, 
	sendmail v5 uses chmod(2) to set a secure file mode.  However
	this is a race condition, as we can obtain an open file descriptor
	for write by opening the control file before the call to chmod(2).
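
	As an added illustration (not part of this advisory or of sendmail's
	own source), the following C program contrasts the create-then-chmod(2)
	sequence described above with the restrictive-umask form suggested under
	FIX.  The /tmp scratch paths and the function names are constructed for
	the demonstration only; the first function reports the mode the file
	carries in the window between creation and chmod(2), the second shows
	that with umask(077) and an explicit mode on open(2) no such window
	exists.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Scratch path under /tmp for the demonstration (constructed, not a real
   sendmail queue path): /tmp/cf_demo_<tag>_<pid>.  Static buffer; the
   result is overwritten by the next call. */
const char *demo_path_for(const char *tag)
{
    static char buf[128];
    snprintf(buf, sizeof buf, "/tmp/cf_demo_%s_%ld", tag, (long)getpid());
    return buf;
}

/* Permission bits a path currently has, or -1 if it cannot be stat'ed. */
int mode_of(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* The sequence the advisory describes: umask(0), create the control file
   (0666 before masking), then chmod(2) it down afterwards.  Returns the
   mode the file carried between creation and chmod, i.e. what any other
   process on the system could see and open during the race window. */
int create_then_chmod(const char *path)
{
    int fd, window_mode;
    mode_t saved = umask(0);                 /* insecure mask, as in sendmail v5 */

    unlink(path);                            /* demo only: start from a clean name */
    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    umask(saved);
    if (fd < 0)
        return -1;
    window_mode = mode_of(path);             /* 0666: world-writable right now */
    chmod(path, 0600);                       /* narrows the mode only after the fact */
    close(fd);
    return window_mode;
}

/* Hardened form: a restrictive umask (the FIX section's suggestion) plus an
   explicit 0600 mode on open(2), so the file is private from the instant it
   exists; O_EXCL additionally refuses a pre-existing file at that name.
   Returns the mode observed immediately after creation. */
int create_restrictive(const char *path)
{
    int fd, created_mode;
    mode_t saved = umask(077);

    unlink(path);                            /* demo only: start from a clean name */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    umask(saved);
    if (fd < 0)
        return -1;
    created_mode = mode_of(path);            /* 0600 from the first instant */
    close(fd);
    return created_mode;
}

int main(void)
{
    const char *p;

    p = demo_path_for("vuln");
    printf("create-then-chmod: mode during window = %04o, after chmod = %04o\n",
           create_then_chmod(p), mode_of(p));
    unlink(p);

    p = demo_path_for("safe");
    printf("restrictive umask + explicit mode: mode at creation = %04o\n",
           create_restrictive(p));
    unlink(p);
    return 0;
}
```

	Note that replacing chmod(2) with fchmod(2) on the open descriptor
	does not close the window either: the file is still created 0666
	first, and the exposure is the interval before the mode is narrowed,
	not the way it is narrowed.  Creating the file with the right mode
	from the start is the only remedy.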

WORKAROUND:

	Change the mode on /usr/spool/mqueue to 700.  This will prevent
	normal users from gaining access to the queue files directly.

FIX:

	Contact vendor for fix.

	Patch source to use a more restrictive umask.

STATUS UPDATE:

	The file:

	[8lgm]-Advisory-20.UNIX.SunOS-sendmailV5.1-Aug-1995.README

	will be created on www.8lgm.org.  This will contain updates on 
	any further versions which are found to be vulnerable, and any
	other information received pertaining to this advisory.

-----------------------------------------------------------------------

FEEDBACK AND CONTACT INFORMATION:

	majordomo@8lgm.org	(Mailing list requests - try 'help'
				 for details)

	8lgm@8lgm.org		(Everything else)

8LGM FILESERVER:

	All [8LGM] advisories may be obtained via the [8LGM] fileserver.
	For details, 'echo help | mail 8lgm-fileserver@8lgm.org'

8LGM WWW SERVER:

	[8LGM]'s web server can be reached at http://www.8lgm.org.
	This contains details of all 8LGM advisories and other useful
	information.
===========================================================================