{"vuid":"VU#3278","idnumber":"3278","name":"SunOS versions of sendmail use popen to return undeliverable mail","keywords":["sendmail","popen","sunos"],"overview":"Older versions of sendmail (circa 1995) incorrectly used popen to process certain arguments.","clean_desc":"There is a problem with the way that older (circa 1995) versions of Sun Microsystems, Inc.'s sendmail process the -oR option. This problem has been verified as existing in the version of sendmail that is in SunOS 4.1.X, including patches 100377-19 (for SunOS 4.1.3), 101665-04 (for SunOS 4.1.3_U1), and 102423-01 (for SunOS 4.1.4). The -oR option specifies the host, called the mail hub, to which mail should be forwarded when a user on a client of that hub receives mail. This host can be identified with the -oR option on the command line as -oRhost_name, in the configuration file as ORhost_name, or by NFS-mounting the /var/spool/mail directory from a file server, probably from the mail hub. In this last case, the host name of the file server is used as the forwarding host identified as host_name above. All these configurations are vulnerable. For additional information, see CERT Advisory CA-95-11. Specifically, the problem is that sendmail used popen to process these arguments. By correctly setting IFS and passing in appropriate values to the -oR option, local users could execute arbitrary commands with the privileges of sendmail. 
An exploit exists for this problem.","impact":"Local users can obtain root access.","resolution":"Upgrade to the most recent version of sendmail.","workarounds":"","sysaffected":"","thanks":"Thanks to 8lgm for reporting this vulnerability.","author":"This document was written by Larry Rogers and Shawn Hernan.","public":["http://www.alw.nih.gov/Security/8lgm/8lgm-Advisory-21.html","http://www.auscert.org.au/render.html?it=1853&cid=1978"],"cveids":[""],"certadvisory":"CA-1995-11","uscerttechnicalalert":null,"datecreated":"1998-05-21T15:36:28Z","publicdate":"1995-08-24T00:00:00Z","datefirstpublished":"2003-06-04T18:43:54Z","dateupdated":"2003-06-04T18:44:05Z","revision":4,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"14","cam_exploitation":"15","cam_internetinfrastructure":"16","cam_population":"1","cam_impact":"20","cam_easeofexploitation":"10","cam_attackeraccessrequired":"5","cam_scorecurrent":"0.84375","cam_scorecurrentwidelyknown":"0.95625","cam_scorecurrentwidelyknownexploited":"1.05","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":0.84375,"vulnote":null}