..:-={{ UnderGround Information Network }}=-:..

COMMAND

    sendmail(8)

SYSTEMS AFFECTED

    Systems running sendmail 8.6.7: Solaris 2.3, DEC OSF/1 V1.2, SunOS 4.1.
    I know of no sun4 version of sendmail that is safe from this bug. I have
    tested 8 versions of sendmail, including all the latest patches for both
    SunOS 4.13 and Solaris 2.3, and all are vulnerable.

    Systems that don't have this problem: Ultrix 4.2A. Convex OS 10.x is
    vulnerable, OS 11.0 is not. Amdahl UTS 2.1 uses smail rather than
    sendmail and is not vulnerable. Apple A/UX 3.1 is vulnerable. BSD/386
    V1.1 is vulnerable. DG/UX systems are at risk of the -d problem. Ultrix
    4.3, 4.3A, 4.4, DECnet-Ultrix 4.2, and DEC OSF/1 1.2, 1.3, 1.3A, 2.0 are
    all affected. OSF OSF/1 R1.3 is affected. SCO TCP/IP Release 1.2.0 for
    SCO XENIX and 1.2.1 for SCO UNIX are affected. SCO Open Desktop Release
    3.0, Open Desktop Lite Release 3.0, Open Server Network System Release
    3.0 and Open Server Enterprise System Release 3.0 are all vulnerable.
    SunOS 4.1.x and all Solaris 2.x, including Solaris x86, are vulnerable.

PROBLEM

    It is possible to get root access by using weird values for the -d flag.

        % sendmail -d3294967296

    If this causes a segmentation fault then your version of sendmail likely
    has the bug. The problem is that numbers in this range skip the range
    check and end up as negative indexes into the debug array, so it is
    possible to write to memory locations before the debug array. Without
    going into much detail, -dx.y writes y into the debug array as
    array[x]=y. Range checking is not performed properly on x, so it is
    possible to pass values that wrap to negative integers and still pass
    the range check. Find a key location before the debug array, overwrite
    it, and you're in business.

SOLUTION

    Install the patches from your vendor.
    If you have source code, for BSD based versions, in trace.c the function
    fTflag() starts with the lines:

        fTflag(s)
            register char *s;
        {
            int first, last;
            register int i;

    This should be changed to:

        fTflag(s)
            register char *s;
        {
            unsigned int first, last;
            register unsigned int i;

    Or simply grab the latest version of sendmail and install it.

    Note that the Solaris patch procedures leave the old (pre-patched)
    versions of sendmail in their broken SUID state under /var/sadm/patch.
    Those leftover setuid copies should be cleaned up as well.
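The following is an added example, written for this page and not taken from sendmail's trace.c. It models the index parsing and range check described above in a small self-contained program: digits are accumulated with the same i = i*10 + digit loop, the result is viewed first as a signed int (the old declaration) and then as an unsigned int (the patched declaration), and the same upper-bound clamp is applied to each. The debug vector size TTSIZE is a constructed value, and the example only reports what index would be used rather than writing through it. It assumes a 32-bit int with two's-complement representation, which is what the advisory's example value relies on.

```c
/* Added example (not sendmail's code): models the -d index range check
 * from the advisory and shows why the signed version misses negative
 * indexes while the unsigned version clamps them.  Assumes 32-bit int,
 * two's complement. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TTSIZE 100   /* size of the hypothetical debug vector (constructed) */

/* Accumulate decimal digits exactly as the original loop does
 * (i = i * 10 + digit), letting the value wrap at 2^32.  The wrap is done
 * in unsigned arithmetic so the behaviour is well defined; the caller then
 * views the bits as int32_t (old code) or uint32_t (patched code). */
static uint32_t parse_wrapping(const char *s)
{
    uint32_t i = 0;
    while (isdigit((unsigned char)*s))
        i = i * 10u + (uint32_t)(*s++ - '0');
    return i;
}

/* Old check: the index lives in a signed int and only the upper bound is
 * tested, so a value that wrapped negative sails through the clamp.
 * Returns the index that tTvect[first] would use (possibly negative). */
static int32_t old_index(const char *s)
{
    uint32_t raw = parse_wrapping(s);
    int32_t first;
    memcpy(&first, &raw, sizeof first);   /* two's-complement view of "int i" */
    if (first >= TTSIZE)
        first = TTSIZE - 1;
    return first;
}

/* Patched check: the index lives in an unsigned int, so a wrapped value is
 * merely large, never negative, and the same upper-bound test clamps it. */
static uint32_t new_index(const char *s)
{
    uint32_t first = parse_wrapping(s);
    if (first >= TTSIZE)
        first = TTSIZE - 1;
    return first;
}

/* Bounds check a defender would want on any parsed index: 1 if the index is
 * inside the debug vector, 0 if a store through it would land outside. */
static int in_bounds(int64_t idx)
{
    return idx >= 0 && idx < TTSIZE;
}

int main(void)
{
    const char *arg = "3294967296";   /* the value from the advisory */
    int32_t  old = old_index(arg);
    uint32_t new = new_index(arg);

    printf("-d%s: old code index %d (%s), patched index %u (%s)\n", arg,
           old, in_bounds(old) ? "in bounds" : "OUT OF BOUNDS",
           new, in_bounds(new) ? "in bounds" : "OUT OF BOUNDS");
    return 0;
}
```

With the advisory's value, the signed view yields -1000000000 (3294967296 minus 2^32), which passes the `first >= TTSIZE` test untouched and would index far before the array; the unsigned view yields 3294967296, which the same test clamps to TTSIZE - 1. Note that the unsigned fix guarantees the index stays inside the vector but does not make the digit loop overflow-safe: a value above 2^32 still wraps and may select an unintended but in-range flag.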