Hole in the vacation program

Description: The standard UNIX vacation program doesn't do enough checking on its input (specifically the From: line in the mail) before sending it to other programs (sendmail) for processing.
Author: bukys@CS.ROCHESTER.EDU apparently reported it to CERT & SUN on June 1, 1994 but nothing happened. This vulnerability report is from "Secure Networks Inc." <sni@SILENCE.SECNET.COM>
Compromise: Run arbitrary commands remotely as the user running vacation
Vulnerable Systems: At least some versions of AIX, FreeBSD, NetBSD, and OpenBSD. Other systems if they have installed the vacation program themselves or a different version of sendmail.
Date: 1 September 1997

Date: Tue, 2 Sep 1997 00:43:29 -0600
From: "Secure Networks Inc." <sni@SILENCE.SECNET.COM>
Subject: SNI-18: Vacation Vulnerability

                        #####   ##   ##   ######
                        ##      ###  ##     ##
                        #####   ## # ##     ##
                           ##   ##  ###     ##
                        ##### . ##   ## . ###### .

                           Secure Networks Inc.

                            Security Advisory
                            September 1, 1997

                         Vacation Vulnerability

This advisory addresses a vulnerability in the vacation program which
allows individuals to execute commands remotely on vulnerable systems.

Vacation is used by the recipient of email messages to notify the sender
that they are not currently reading their mail.  This is installed by
placing a .forward file into your directory containing a line as follows:

                     \user, "|/usr/bin/vacation user"

Problem Description

When vacation responds to an incoming message, it invokes the sendmail
command, specifying the address of the sender on the command line.  By
specifying a sendmail command line option rather than a valid email
address, it is possible to cause sendmail to be invoked with an
alternate configuration file.  This alternate configuration file can
be previously sent to the system via a separate email message, or via
anonymous FTP.  When parsed, this new sendmail configuration file
can cause sendmail to execute arbitrary commands on the remote system.

Technical Details

By specifying the originating address of an email message to consist of
a path to an alternate configuration file (i.e. -C/var/mail/user), the
vacation program will invoke sendmail, and use /var/mail/user as the
configuration file.  If the user's mailbox contains valid sendmail
configuration options, sendmail will treat the user's mail spool as a
sendmail configuration file.  Sendmail can be induced to execute arbitrary
shell commands from its configuration file.  Variations on this attack
may be possible using sendmail options other than -C.


Remote individuals can obtain access to the account of any user running
the vacation program.

Vulnerable Systems

The following assessments assume that an attacker can utilize the -C
command line option of sendmail to specify an alternate configuration
file and execute commands.  Other methods of causing sendmail to
execute commands via command line options may be present.

Operating systems which ship with a vulnerable version of vacation are:

AIX      Version 4.2 is vulnerable.  Version 4.1 is also vulnerable if
         public domain version of sendmail 8 has been installed.

FreeBSD  All versions prior to August 28, 1997.

NetBSD   All versions prior to NetBSD-current 19970828 are vulnerable.

OpenBSD  All versions prior to July 29, 1997

Solaris  All versions of Solaris are vulnerable ONLY if a public domain
         version of sendmail has been installed, other than Solaris

Linux    The two versions of vacation on the sunsite.unc.edu Linux
         archive are both vulnerable as of August 5, 1997.  Linux
         distributions we have verified do not ship with the vacation

HP-UX    HP-UX is vulnerable ONLY if a public domain version of
         sendmail, other than HP-UX sendmail has been installed.

BSD/OS (BSDI) is NOT vulnerable to this problem.
Silicon Graphics IRIX does NOT APPEAR to be vulnerable to this problem.

Fix Information

AIX
   Only the version of vacation shipped with AIX 4.2 is vulnerable.  The
   following APAR will be available soon:

     Abstract:  "SECURITY: /usr/bin/vacation vulnerability"
     AIX 4.1:  IX70228
     AIX 4.2:  IX70233

   Until these fixes are applied, the vacation program should be disabled
   with the following command (as root):

     # chmod -x /usr/bin/vacation

   If disabling vacation is not desirable, there is a temporary fix available
   via anonymous ftp:

   IBM and AIX are registered trademarks of International Business Machines

HP-UX
   The version of vacation shipped with HP-UX is vulnerable.  This
   vulnerability is exploitable by remote users only if the system
   administrator has installed a version of sendmail version 8, other
   than HP sendmail.  HP will be providing a fix in the near future.

Solaris
   The version of vacation shipped with Solaris is vulnerable if a
   public domain version of sendmail, other than Solaris sendmail,
   has been installed on the system.  Sun Microsystems will be
   issuing a solution to this problem in the near future.

   As a short term workaround, the vacation program can be disabled by
   changing its permissions as follows:

   # chmod -x /bin/vacation

OpenBSD 2.1

   This problem is present in OpenBSD-current prior to August 29, 1997.

   Update your vacation sources to the version in -current using anoncvs,
   or apply the fix provided below.  Then recompile the vacation program.
   See http://www.openbsd.org for information about anoncvs.

FreeBSD
   FreeBSD has corrected this problem in 2.1-stable, 2.2-stable and
   3.0-current as of August 28, 1997.  The source change described in
   this advisory corrects the problem.  This problem will be fixed in
   the upcoming 2.2.5-RELEASE and 3.0-RELEASE versions of FreeBSD.

NetBSD
   This problem is present in NetBSD-current prior to 19970828 and is
   fixed in later releases.

   Upgrade to a version of NetBSD-current newer than 19970828 or apply
   the fix provided below.


   Obtain a patched version of vacation at the following location:


   To extract the archive when it is in the current directory, issue the

   % uncompress vacation.tar
   % tar -xvf vacation.tar

   Then follow the installation instructions in the README file included
   in the archive.  Please note that this version of vacation is taken
   from BSD sources, and may require modification to work on other

The following patch, suggested independently by Eric Allman and Keith
Bostic, solves the problem.

Note that SNI has *not* verified that sendmail versions other than
sendmail version 8 properly emulate getopt() in their interpretation of
the option "--".  If you are applying this patch to an operating system
which ships with a modified or older version of sendmail, you should
verify that the sendmail command-line options which are *not* parsed
using getopt() are also ignored when they are preceded by a '--' option.

The following line:

 execl(_PATH_SENDMAIL, "sendmail", "-f", myname, from, NULL);

should be substituted with:

 execl(_PATH_SENDMAIL, "sendmail", "-f", myname, "--", from, NULL);

in vacation.c
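To make the mechanism behind the one-line patch concrete, here is a small C program added to this page; it is not code from SNI, from vacation.c or from sendmail. It emulates the relevant POSIX getopt() rules (an argument starting with '-' is an option, "-f" and "-C" take a value, "--" ends option processing) rather than calling sendmail's real parser, builds the argument vector exactly as the original and the patched execl() lines do, and reports whether the advisory's "-C/var/mail/user" sender string would be consumed as an option or arrive as the intended recipient operand. The names build_sendmail_argv, first_operand_index, sender_parsed_as_option and sender_looks_like_option, the recipient "user" and the address alice@example.org are all constructed for the example. The last function is the defense-in-depth check the caveat above calls for: since "--" only protects options that go through getopt(), a caller can also refuse any sender address beginning with '-' before exec'ing sendmail at all.

```c
#include <stdio.h>
#include <string.h>

/* Emulates the part of POSIX getopt() that matters for this bug: which
 * argv elements are consumed as options (and option-arguments) and where
 * the operands begin. optstring uses getopt syntax ("f:C:" means -f and
 * -C take a value). Returns the index of the first operand, or argc if
 * everything was swallowed as options. This is an illustration of getopt
 * semantics, not sendmail's real command-line parser. */
static int first_operand_index(int argc, const char *const argv[],
                               const char *optstring)
{
    int i = 1;
    while (i < argc) {
        const char *a = argv[i];
        if (strcmp(a, "--") == 0)           /* end-of-options marker */
            return i + 1;
        if (a[0] != '-' || a[1] == '\0')    /* plain operand, or bare "-" */
            return i;
        /* Option cluster such as "-C/path" or "-f": walk the letters; an
         * option that takes a value either uses the rest of this element
         * or, if nothing follows the letter, the next element. */
        int consumes_next = 0;
        for (const char *p = a + 1; *p != '\0'; p++) {
            const char *spec = (*p == ':') ? NULL : strchr(optstring, *p);
            if (spec != NULL && spec[1] == ':') {
                consumes_next = (p[1] == '\0');
                break;
            }
        }
        i += 1 + consumes_next;
    }
    return argc;
}

/* Builds the argument vector vacation hands to sendmail. with_separator
 * reproduces the patched execl() line from the advisory (a "--" before the
 * sender address); without it, the original vulnerable ordering. Returns
 * the element count; argv must hold at least 6 entries. */
static int build_sendmail_argv(const char *myname, const char *from,
                               int with_separator, const char *argv[])
{
    int n = 0;
    argv[n++] = "sendmail";
    argv[n++] = "-f";
    argv[n++] = myname;
    if (with_separator)
        argv[n++] = "--";
    argv[n++] = from;
    argv[n] = NULL;
    return n;
}

/* Returns 1 if the sender string would be consumed as an option instead of
 * arriving at sendmail as the recipient operand, 0 otherwise. */
static int sender_parsed_as_option(const char *from, int with_separator)
{
    const char *argv[6];
    int argc = build_sendmail_argv("user", from, with_separator, argv);
    /* -f and -C are the two sendmail options the advisory relies on */
    int first = first_operand_index(argc, argv, "f:C:");
    /* The sender is the last element; it is an operand iff first == argc-1 */
    return first != argc - 1;
}

/* Defense in depth: "--" only helps for options parsed through getopt().
 * The advisory notes that other sendmail variants may parse some options
 * outside getopt(), so refuse any address that begins with '-' as well. */
static int sender_looks_like_option(const char *from)
{
    return from != NULL && from[0] == '-';
}

int main(void)
{
    /* Constructed inputs: the injected address from the advisory and a
     * hypothetical legitimate one. */
    const char *injected = "-C/var/mail/user";
    const char *normal = "alice@example.org";
    printf("%-20s no '--': %d  with '--': %d  rejected by check: %d\n",
           injected, sender_parsed_as_option(injected, 0),
           sender_parsed_as_option(injected, 1),
           sender_looks_like_option(injected));
    printf("%-20s no '--': %d  with '--': %d  rejected by check: %d\n",
           normal, sender_parsed_as_option(normal, 0),
           sender_parsed_as_option(normal, 1),
           sender_looks_like_option(normal));
    return 0;
}
```

Run as-is, the program shows the injected address being consumed as "-C" with its value when no separator is present, and passing through untouched as an operand once "--" precedes it, while the legitimate address is an operand either way. The ordering in build_sendmail_argv matters: "--" must come after vacation's own "-f myname" (which is trusted data) and immediately before the attacker-influenced value.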

Additional Information

The provided generic fix was suggested by both Eric Allman
<eric@sendmail.org> and Keith Bostic <bostic@bsdi.com>

This problem was discovered by David Sacerdote <davids@secnet.com>,
and verified by David Sacerdote <davids@secnet.com> and
Oliver Friedrichs <oliver@secnet.com>.

You can subscribe to our security advisory mailing list by sending
mail to majordomo@secnet.com, containing the single line
subscribe sni-advisories

You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers or
http://www.secnet.com/papers and past advisories at
ftp://ftp.secnet.com/pub/advisories or http://www.secnet.com/advisories

You can contact Secure Networks Inc. at <sni@secnet.com> using
the following PGP key:

Type Bits/KeyID    Date       User ID
pub  1024/9E55000D 1997/01/13 Secure Networks Inc. <sni@secnet.com>
                              Secure Networks <security@secnet.com>

Copyright Notice

The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely in unmodified form provided that no fee is
charged for distribution, and that proper credit is given.

This page is part of Fyodor's exploit world.