CVE-2001-0713 - Unspecified vulnerability in Sendmail

CVSS 4.6 - MEDIUM
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: local, low complexity, sendmail, nessus

Summary

Sendmail before 8.12.1 does not properly drop privileges when the -C option is used to load custom configuration files, which allows local users to gain privileges via malformed arguments in the configuration file whose names contain characters with the high bit set, such as (1) macro names that are one character long, (2) a variable setting which is processed by the setoption function, or (3) a Modifiers setting which is processed by the getmodifiers function.

Nessus

NASL family: SMTP problems
NASL id: SENDMAIL_CUSTOM_CONFIG.NASL
description: The remote Sendmail server, according to its version number, may be vulnerable to a
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11086
published: 2002-08-18
reporter: This script is Copyright (C) 2002-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/11086
title: Sendmail -C Malformed Configuration Privilege Escalation
code:
#
# (C) Tenable Network Security, Inc.
#

# References:
# From: "Michal Zalewski" <[email protected]>
# To: [email protected]
# CC: [email protected]
# Subject: RAZOR advisory: multiple Sendmail vulnerabilities

include("compat.inc");

if (description)
{
  script_id(11086);
  script_version("1.22");
  script_cvs_date("Date: 2018/09/17 21:46:53");

  script_cve_id("CVE-2001-0713");
  script_bugtraq_id(3377);

  script_name(english: "Sendmail -C Malformed Configuration Privilege Escalation");
  script_summary(english: "Checks Sendmail version number for 'custom config file'");

  script_set_attribute(attribute:"synopsis", value:
"The remote server is vulnerable to a privilege escalation attack.");
  script_set_attribute(attribute:"description", value:
"The remote Sendmail server, according to its version number, may be
vulnerable to a 'Mail System Compromise' when a user supplies a custom
configuration file. 

Although the mail server is supposed to run as a non-privileged user, a
programming error allows the local attacker to regain the extra
dropped privileges and run commands as root.");
  script_set_attribute(attribute:"solution", value:"Upgrade to the latest version of Sendmail.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2001-0713");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2001/10/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2002/08/18");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:sendmail:sendmail");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2002-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SMTP problems");

  script_dependencies("sendmail_detect.nbin");
  script_require_keys("installed_sw/Sendmail");
  exit(0);
}

include("vcf.inc");

app_info = vcf::get_app_info(app:"Sendmail");

constraints = [{ "fixed_version" : "8.12.1" }];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);