Sendmail Consortium's Restricted Shell (SMRSH) in Sendmail 8.12.6, 8.11.6-15, and possibly other versions after 8.11 from 5/19/1998, allows attackers to bypass the intended restrictions of smrsh by inserting additional commands after (1) "||" sequences or (2) "/" characters, which are not properly filtered or verified.

smrsh (supplied by Sendmail) is designed to prevent the execution of commands outside of the restricted environment. However, when commands are entered using either double pipes (||) or a mixture of dot and slash characters, a user may be able to bypass the checks performed by smrsh. This can lead to the execution of commands outside of the restricted environment.

The remote Sendmail server is vulnerable to a remote buffer overflow that may allow an attacker to remotely gain a root shell on this host.

A vulnerability was discovered by zen-parse and Pedram Amini in the sendmail MTA. They found two ways to exploit smrsh, an application intended as a replacement for the sh shell for use with sendmail; the first by inserting specially formatted commands in the ~/.forward file and secondly by calling smrsh directly with special options. These can be exploited to give users with no shell account, or those not permitted to execute certain programs or commands, the ability to bypass these restrictions.

The sendmail packages shipped with Red Hat Linux Advanced Server have a security bug if sendmail is configured to use smrsh. This security errata release fixes the problem.

[Updated 06 Feb 2003] Added fixed packages for Advanced Workstation 2.1

SMRSH (the SendMail Restricted SHell) is a /bin/sh replacement for Sendmail. It provides the ability to limit the set of executable programs available to Sendmail.

A bug in the version of smrsh packaged as part of Sendmail 8.12.6 and 8.11.6 allows attackers to bypass shrsh's intended restrictions. This can be done by inserting additional commands after '||' or '/' characters, which are not properly filtered or verified. A sucessful attack would allow an attacker who has a local account on a system to execute arbitrary binaries as themselves by utilizing their .forward file.

Because sendmail as shipped with Red Hat Linux Advanced Server is not configured to use smrsh, this issue only affects users who have customized their sendmail configuration to use smrsh.

Users who have configured sendmail to use smrsh should update to these errata packages which contain a backported security fix, and are therefore not vulnerable to this issue.

smrsh (supplied by Sendmail) is designed to prevent the execution of commands outside of the restricted environment.  However, when commands are entered using either double pipes (||) or a mixture of dot and slash characters, a user may be able to bypass the checks performed by smrsh.  This can lead to the execution of commands outside of the restricted environment. 

In addition, a function in headers.c does not properly sanitize input supplied via the 'Address Field' causing an exploitable buffer overflow condition.  However, Nessus has not checked for this.

ID	Name	Product	Family	Severity
2039	Sendmail < 8.12.8 Double Pipe smrsh Bypass Overflow	Nessus Network Monitor	SMTP Servers	high
2020	Sendmail < 8.12.8 Header Handling Remote Overflow	Nessus Network Monitor	SMTP Servers	high
13981	Mandrake Linux Security Advisory : sendmail (MDKSA-2002:083)	Nessus	Mandriva Local Security Checks	medium
12335	RHEL 2.1 : sendmail (RHSA-2002:259)	Nessus	Red Hat Local Security Checks	medium
11321	Sendmail 8.8.8 - 8.12.7 Multiple Vulnerabilities (Bypass, OF)	Nessus	SMTP problems	critical

Detections

Analytics

CVE-2002-1165

critical

Tenable Plugins

high

high

medium

medium

critical