[ SOURCE: http://www.secureroot.com/security/advisories/9640294728.html ] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================ CERT(*) Advisory CA-96.04 Original issue date: February 22, 1996 Last revised: April 28, 1998 Corrected URL for obtaining RFCs. A complete revision history is at the end of this file. Topic: Corrupt Information from Network Servers - - ----------------------------------------------------------------------------- The CERT Coordination Center has received reports of intruders exploiting systems by corrupting data provided by a Domain Name Service (DNS) server. Although these reports have focused only on DNS, this vulnerability could apply to any network service from which data is received and subsequently used. Section III.A contains a pointer to two subroutines that address the DNS problem. These subroutines, written in the C programming language, can be used to validate host names and IP addresses according to RFCs 952 and 1123, as well as names containing characters drawn from common practice, namely "_" and "/". In the specific case of sendmail, the problem has already been addressed by patches (see Section III.B). The CERT staff has received information that the next minor release of BIND nameserver will be enforcing RFC952 (as modified by RFC1123) hostname conformance as part of its SECURITY measures. Following The BIND release, hostnames that fail to conform to these rules will be unreachable from sites running these servers. Hostnames (A records) are restricted to the following characters only: "A" - "Z", "a" - "z", "0" - "9", "." and "-" These characters are specifically excluded: "_" and "/". For a full description of what is allowed in a hostname, please refer to RFC952 and RFC1123, available from ftp://ftp.isi.edu/in-notes/rfc952.txt ftp://ftp.isi.edu/in-notes/rfc1123.txt RFC952: DOD INTERNET HOST TABLE SPECIFICATION, October 1985 RFC1123: Requirements for Internet Hosts -- Application and Support, October 1989 The latest release of Bind is available from: ftp://ftp.isc.org/isc/bind/src/ Please see the README file in that directory for more information. This information is also included in the latest software versions directory: ftp://info.cert.org/pub/latest_sw_versions/bind - - ----------------------------------------------------------------------------- I. Description Information provided by an information server may be of a form that could cause programs to operate in unexpected ways. The subroutines and programs transferring data from that information server could check the data for correctness of form; however, programs that *use* that data are ultimately responsible for ensuring adherence to the documents that define the correct form. For example, consider a program that uses the host name returned by gethostbyname() as part of the string given to the popen() or system() subroutines. Because gethostbyname() may use an information server beyond your control, the data returned could be of a form that causes the popen() or system() subroutines to execute other commands besides the command specified by that program. This advisory speaks to a specific instance of a problem caused by the information returned by DNS, but information from any server should be checked for validity. Examples of other information servers are YP, NIS, NIS+, and netinfo. II. Impact Programs that do not check data provided by information servers may operate in unpredictable ways and give unexpected results. In particular, exploitation of this vulnerability may allow remote access by unauthorized users. Exploitation can also lead to root access by both local and remote users. III. Solution For programs that you write or have written, consider integrating the general solution in Section A below. In the specific case of the sendmail mail delivery program, Eric Allman, the original author of sendmail, has produced patches that address the problem. Section B provides details about these, along with vendor information and additional steps you should take to protect sendmail. A. General solution for Internet host names Use the host name and IP address validation subroutines available at the locations listed below. Include them in all programs that use the result of the host name lookups in any way. ftp://info.cert.org/pub/tools/ValidateHostname/IsValid.c ftp://ftp.cert.dfn.de/pub/tools/net/ValidateHostname/IsValid.c The IsValid.c file contains code for the IsValidHostname and IsValidIPAddress subroutines. This code can be used to check host names and IP addresses for validity according to RFCs 952 and 1123, well as names containing characters drawn from common practice, namely "_" and "/". The following files are in the directory (from the README): IsValid.l The lex/flex file containing the code for IsValidHostname and IsValidIPAddress MD5 (IsValid.l) = 2d35040aacae4fb12906eb1b48957776 IsValid-raw.c The C file created by running flex on IsValid.l MD5 (IsValid-raw.c) = 367c77d3ef84bc63a5c23d90eeb69330 IsValid.c The editted file created by internalizing variable and function definitions in IsValid-raw.c MD5 (IsValid.c) = ffe45f1256210aeb71691f4f7cdad27f IsValid.diffs The set of diffs between IsValid-raw.c and IsValid.c MD5 (IsValid.diffs) = 3619022cf31d735151f8e8c83cce3744 htest.c A main routing for testing IsValidHostname and IsValidIPAddress MD5 (htest.c) = 2d50b2bffb537cc4e637dd1f07a187f4 B. Specific solutions in the case of sendmail Install a patch from your vendor when it becomes available (see B.1) or install Eric Allman's patch (B.2). In both cases, install the sendmail restricted shell program (B.3). 1. Install a patch from your vendor. Below is a summary of the vendors who have reported status to us as of the date of this advisory. More complete information is provided in the appendix, which we will update as we receive more information. If your vendor's name is not on this list, please contact the vendor directly. Vendor or Source ---------------- Eric Allman Hewlett-Packard Co. IBM Corporation Silicon Graphics Inc. Sun Microsystems, Inc. 2. Install a patch to sendmail. If you are presently running sendmail 8.6.12, there is a patch that makes version 8.6.13. Similarly, if you are presently running sendmail 8.7.3, there is a patch that makes version 8.7.4. The patches are available for anonymous FTP from ftp://info.cert.org/pub/tools/sendmail/ ftp://ftp.cs.berkeley.edu/ucb/src/sendmail/ ftp://ftp.auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu/ucb/sendmail/ ftp://ftp.cert.dfn.de/pub/tools/net/sendmail/ Checksums for the 8.6.13 release: MD5 (sendmail.8.6.13.base.tar.Z) = e8cf3ea19876d9b9def5c0bcb793d241 MD5 (sendmail.8.6.13.cf.tar.Z) = 4492026fa9e750cd33974322cb5a6fb9 MD5 (sendmail.8.6.13.misc.tar.Z) = 7ec5d31656e93e08a3892f0ae542b674 MD5 (sendmail.8.6.13.xdoc.tar.Z) = e4d3caebcdc4912ed2ecce1a77e45712 Checksum for the 8.6.13 patch: MD5 (sendmail.8.6.13.patch) = 6390b792cb5513ff622da8791d6d2073 Checksum for the 8.7.4 release: MD5 (sendmail.8.7.4.tar.Z) = 4bf774a12752497527aae11e2bdbab36 Checksum for the 8.7.4 patch: MD5 (sendmail.8.7.4.patch) = ef828ad91fe56e4eb6b0cacced864cd5 3. Run smrsh as additional protection for sendmail. With all versions of sendmail, we recommend that you install and use the sendmail restricted shell program (smrsh). We urge you to do this whether you use the vendor's supplied sendmail, install sendmail yourself, or patch an earlier version of sendmail. Beginning with version 8.7.1, smrsh is included in the sendmail distribution, in the subdirectory smrsh. See the RELEASE_NOTES file for a description of how to integrate smrsh into your sendmail configuration file. ......................................................................... Appendix A: Vendor Information Below is information we have received from vendors concerning the vulnerability described in this advisory. If you do not see your vendor's name, please contact the vendor directly for information. - - ----------------------- Eric Allman (original author of sendmail) Install a patch to sendmail. If you are presently running sendmail 8.6.12, there is a patch that makes version 8.6.13. Similarly, if you are presently running sendmail 8.7.3, there is a patch that makes version 8.7.4. The patches are available for anonymous FTP from ftp://info.cert.org/pub/tools/sendmail/ ftp://ftp.cs.berkeley.edu/ucb/src/sendmail/ ftp://ftp.auscert.org.au/pub/mirrors/ftp.cs.berkeley.edu/ucb/sendmail/ ftp://ftp.cert.dfn.de/pub/tools/net/sendmail/ Checksums for the 8.6.13 release: MD5 (sendmail.8.6.13.base.tar.Z) = e8cf3ea19876d9b9def5c0bcb793d241 MD5 (sendmail.8.6.13.cf.tar.Z) = 4492026fa9e750cd33974322cb5a6fb9 MD5 (sendmail.8.6.13.misc.tar.Z) = 7ec5d31656e93e08a3892f0ae542b674 MD5 (sendmail.8.6.13.xdoc.tar.Z) = e4d3caebcdc4912ed2ecce1a77e45712 Checksum for the 8.6.13 patch: MD5 (sendmail.8.6.13.patch) = 6390b792cb5513ff622da8791d6d2073 Checksum for the 8.7.4 release: MD5 (sendmail.8.7.4.tar.Z) = 4bf774a12752497527aae11e2bdbab36 Checksum for the 8.7.4 patch: MD5 (sendmail.8.7.4.patch) = ef828ad91fe56e4eb6b0cacced864cd5 - - ---------------------- Hewlett-Packard Company Vulnerable, watch file for updates. - - ---------------------- IBM Corporation IBM is working on fixes for sendmail. - - ---------------------- Silicon Graphics Inc. It is HIGHLY RECOMMENDED that these measures be done on ALL SGI systems running IRIX 3.x, 4.x, 5.x and 6.x. The issue will be permanently corrected in a future release of IRIX. **** IRIX 3.x **** Silicon Graphics Inc, no longer supports the IRIX 3.x operating system and therefore has no patches or binaries to provide. However, two possible actions still remain: 1) upgrade the system to a supported version of IRIX (see below) and then install the patch or 2) obtain the sendmail source code from anonymous FTP at ftp.cs.berkeley.edu and compile the program manually. Please, note that SGI will not assist with or support 3rd party sendmail programs. **** IRIX 4.x **** As of the date of this document, SGI does not have a IRIX 4.x binary replacement that addresses this particular issue. If in the future, a replacement binary is generated, additional advisory information will be provided. However, two other possible actions are: 1) upgrade the system to a supported version of IRIX (see below) and then install the patch or 2) obtain the sendmail source code from anonymous FTP at ftp.cs.berkeley.edu and compile the program manually. Please, note that SGI will not assist with or support 3rd party sendmail programs. **** IRIX 5.0.x, 5.1.x **** For the IRIX operating systems versions 5.0.x and 5.1.x, an upgrade to 5.2 or better is required first. When the upgrade is completed, then the patches described in the following sections can be applied depending on the final version of the upgrade. **** IRIX 5.2, 5.3, 6.0, 6.0.1, 6.1 **** For the IRIX operating system versions 5.2, 5.3, 6.0, 6.0.1, and 6.1 an inst-able patch has been generated and made available via anonymous FTP and your service/support provider. The patch is number 1146 and will install on IRIX 5.2, 5.3, 6.0 and 6.0.1. The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its mirror, ftp.sgi.com. Patch 1146 can be found in the following directories on the FTP server: ~ftp/Security or ~ftp/Patches/5.2 ~ftp/Patches/5.3 ~ftp/Patches/6.0 ~ftp/Patches/6.0.1 ~ftp/Patches/6.1 ##### Checksums #### The actual patch will be a tar file containing the following files: Filename: patchSG0001146 Algorithm #1 (sum -r): 15709 3 patchSG0001146 Algorithm #2 (sum): 16842 3 patchSG0001146 MD5 checksum: 055B660E1D5C1E38BC3128ADE7FC9A95 Filename: patchSG0001146.eoe1_man Algorithm #1 (sum -r): 26276 76 patchSG0001146.eoe1_man Algorithm #2 (sum): 1567 76 patchSG0001146.eoe1_man MD5 checksum: 883BC696F0A57B47F1CBAFA74BF53E81 Filename: patchSG0001146.eoe1_sw Algorithm #1 (sum -r): 61872 382 patchSG0001146.eoe1_sw Algorithm #2 (sum): 42032 382 patchSG0001146.eoe1_sw MD5 checksum: 412AB1A279A030192EA2A082CBA0D6E7 Filename: patchSG0001146.idb Algorithm #1 (sum -r): 39588 4 patchSG0001146.idb Algorithm #2 (sum): 10621 4 patchSG0001146.idb MD5 checksum: 259DD47E4574DAF9041675D64C39102E Past SGI Advisories and security patches can be obtained via anonymous FTP from ftp://sgigate.sgi.com or its mirror ftp://ftp.sgi.com - - ---------------------- Sun Microsystems, Inc. Included below is information concerning sendmail patches as outlined in Sun Microsystems Security Bulletin: #00133, 8 March 1996. The complete bulletin is available from ftp://info.cert.org/pub/vendors/sun/sun_bulletin_00133. Here are our estimates for the availability of fixes incorporating