(Vulnerability in MMDF/Sendmail) Re: SCO UNIX Contains Multiple Vulnerabilities That Allow Users to Crash Applications and May Allow Users to Execute Arbitrary Code on the Server
SecurityTracker Alert ID: 1001183|
SecurityTracker URL: http://securitytracker.com/id/1001183
(Links to External Site)
Date: Mar 28 2001
Denial of service via local system, User access via local system|
Exploit Included: Yes |
Version(s): SCO 5.0.6|
Secure Network Operations Strategic Reconnaissance Team issued several advisories for vulnerabilities in SCO UNIX utilities and applications, including lpusers, lpshut, lpadmin, lpforms, recon, and sendmail.|
It is reported that SCO OpenServer 5.0.6 ships with a previously known to be vulnerable buggy MMDF package (sendmail 8.9.3). SCO Security Bulletin 2000.06 reportedly states "Recently Network Associates, Inc. issued a SECURITY ADVISORY against all versions of MMDF prior to the beta release 2.44a-B4." However, OpenServer 5.0.6 ships with version 2.43.3b of MMDF.
In this version, sendmail contains a buffer overflow in its handling of command line arguments.
A local user can cause the sendmail application to crash and may be able to cause arbitrary code to be executed on the server with the with the inherited privileges of the mmdf subsystem (uid and gid = mmdf).|
No solution was available at the time of this entry.|
Vendor URL: www.sco.com (Links to External Site)
UNIX (Open UNIX-SCO)|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Date: Tue, 27 Mar 2001 13:39:54 +0100|
Subject: SCO 5.0.6 MMDF issues (sendmail 8.9.3)
Strategic Reconnaissance Team Security Advisory(SRT2001-01)
Topic: SCO 5.0.6 MMDF issues (sendmail 8.9.3)
Release Date: 03/27/01
SCO OpenServer 5.0.6 ships with a previously known buggy MMDF package.
SCO Security Bulletin 2000.06 states "Recently Network Associates, Inc.
issued a SECURITY ADVISORY against all versions of MMDF prior to the
beta release 2.44a-B4" however SCO still released OpenServer 5.0.6 with
version 2.43.3b of MMDF. The sendmail 8.9.3 binary has poor handling of
command line arguments resulting in a buffer overflow.
/opt/K/SCO/MMDF/2.43.3b/usr/lib/sendmail `perl -e 'print "A" x 3000'`
Memory fault - core dumped
This problem makes it possible to overwrite memory space of the running
and potentially execute code with the inherited privileges of the mmdf
uid=17(mmdf) gid=22(mmdf) groups=22(mmdf)
chmod -s /opt/K/SCO/MMDF/2.43.3b/usr/lib/sendmail
upgrade to a newer version of MMDF.
.: Systems Affected
SCO OpenServer 5.0.6 upgrade from 5.0.x and 5.0.6 fresh install.
.: Proof of Concept
To be released at a later time. Existing 5.0.x sendmail exploits may be valid.
.: Vendor Status
Vendor was notified on 03/22/01. Vendor lab tests confirmed the issue. Patch
status is unknown.
Original SCO advisory
ęCopyright 2001 Secure Network Operations , Inc. All Rights Reserved.
Strategic Reconnaissance Team | email@example.com
http://recon.snosoft.com | http://www.snosoft.com