(SCO Issues Fix for UnixWare) Sendmail Race Condition in Signal Handler May Let Remote Users Trigger a Buffer Overflow to Execute Arbitrary Code
SecurityTracker Alert ID: 1016140
SecurityTracker URL: http://securitytracker.com/id/1016140
CVE Reference: CVE-2006-0058
Date: May 23 2006
Impact: Execution of arbitrary code via network, Root access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 8.13.6
Description:
A vulnerability was reported in Sendmail. A remote user may be able to execute arbitrary code on the target system.
Under certain specific timing conditions, a remote user can send specially crafted e-mail data to the target system to exploit a race condition in a signal handler and trigger a buffer overflow. This may allow the remote user to execute arbitrary code on the target system with the privileges of the sendmail process.
ISS discovered this vulnerability.
The original advisory is available at:
http://xforce.iss.net/xforce/xfdb/24584
Impact:
A remote user can execute arbitrary code on the target system with the privileges of the sendmail process (typically root privileges).
Solution:
SCO has issued a fix for UnixWare 7.1.3 and 7.1.4.
The SCO advisory is available at:
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.24
Vendor URL: www.sendmail.org/
Cause: Boundary error
Underlying OS: UNIX (Open UNIX-SCO)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Mon, 22 May 2006 09:02:40 -0700
Subject: [Full-disclosure] SCOSA-2006.24 Sendmail Arbitrary Code Execution
--
Dr. Ronald Joe Record
SCO Security Officer
rr@sco.com
______________________________________________________________________________
SCO Security Advisory
Subject: Sendmail Arbitrary Code Execution Vulnerability
Advisory number: SCOSA-2006.24
Issue date: 2006 May 21
Cross reference: fz533700
CVE-2006-0058
______________________________________________________________________________
1. Problem Description
Sendmail could allow a remote attacker to execute arbitrary code as
root, caused by a signal race vulnerability.
The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2006-0058 to
this issue.
2. Vulnerable Supported Versions
System              Binaries
----------------------------------------------------------------------
UnixWare 7.1.3      sendmail
                    mailstats
                    praliases
                    rmail
                    smrsh
                    makemap
UnixWare 7.1.4      sendmail
                    mailstats
                    praliases
                    rmail
                    smrsh
                    makemap
3. Solution
The proper solution is to install the latest packages.
4. UnixWare 7.1.3
4.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.24
4.2 Verification
MD5 (p533700.713.image) = 2c33879a5f676c79efe1e78cadb2aeb8
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
4.3 Installing Fixed Binaries
The following packages should be installed on your system before
you install this fix:
UnixWare 7.1.3 Maintenance Pack 5
http://www.sco.com/support/update/download/release.php?rid=96
Upgrade the affected binaries with the following sequence:
Download p533700.713.image to the /var/spool/pkg directory
# pkgadd -d /var/spool/pkg/p533700.713.image
5. UnixWare 7.1.4
5.1 Location of Fixed Binaries
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.24
5.2 Verification
MD5 (p533700.714.image) = 0a3a7c95a68e1ca3e5916e40e9dfa0ae
md5 is available for download from
ftp://ftp.sco.com/pub/security/tools
5.3 Installing Fixed Binaries
The following packages should be installed on your system before
you install this fix:
UnixWare 7.1.4 Maintenance Pack 3
http://www.sco.com/support/update/download/release.php?rid=126
Upgrade the affected binaries with the following sequence:
Download p533700.714.image to the /var/spool/pkg directory
# pkgadd -d /var/spool/pkg/p533700.714.image
6. References
Specific references for this advisory:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058
http://www.securityfocus.com/archive/1/428536/100/0/threaded
http://www.sendmail.org/
SCO security resources:
http://www.sco.com/support/security/index.html
SCO security advisories via email
http://www.sco.com/support/forums/security.html
This security fix closes SCO incidents fz533700.
7. Disclaimer
SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.
8. Acknowledgments
Marc Bejarano is credited with the discovery of this vulnerability.
______________________________________________________________________________