Sendmail decode/uudecode alias could allow remote file creation (Email_UUDecode_Alias)

About this signature or vulnerability

Proventia Network IPS, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology, IBM Security Host Protection for Desktops, IBM Security Host Protection for Servers (Unix):

This signature replaces Email_Decode.

This signature detects when an email is sent to the special address of "uudecode". This may indicate an attacker's attempt to execute code on the server by using an old email alias.

Default risk level

Medium risk vulnerability

Sensors that have this signature

Proventia Network IPS: 2.0, Proventia Network IDS: A Series, Proventia-G 1.1 and earlier: G Series, Proventia Network MFS: 1.0, IBM Security Host Protection for Servers (Windows): 2.1.14.2400, IBM Security Host Protection for Servers (Windows): 1.0.914.0, RealSecure Server Sensor: 7.0, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 1.0, IBM Security Host Protection for Desktops: 8.0.614.1, IBM Security Host Protection for Servers (Unix): 2.2.2

Systems affected

IBM AIX, Wind River BSDOS, HP HP-UX, SGI IRIX, Linux Kernel, Sun Solaris, Sendmail Sendmail, Data General DG/UX, SCO SCO Unix, Compaq Tru64

Type

Unauthorized Access Attempt

Vulnerability description

A common configuration on older mail transfer agents (MTAs) includes an alias for the decode user. All mail sent to this alias is piped to the uudecode program, which automatically decodes the message body and writes the resulting file to disk. A remote attacker can send mail to the decode or uudecode alias that is present on some systems to create or overwrite files on the remote host. This allows an attacker to gain remote access to the system.

How to remove this vulnerability

Disable mail aliases for decode and uudecode. If the /etc/aliases or /usr/lib/aliases (mail alias) file contains entries for these programs, remove them or disable them by placing # at the beginning of the line, and then executing the newaliases command. For more information on Unix mail aliases, refer to the man page for aliases. Disabled aliases would be similar to these examples:

# decode: |/usr/bin/uudecode
# uudecode: |/usr/bin/uuencode -d
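As an added example (not part of the original signature page), a small POSIX shell audit for the remediation described above: it flags any uncommented decode or uudecode alias in an aliases file that pipes mail into a program, and returns 1 when one is found. The function name check_decode_aliases and the sample aliases file are constructed for illustration.

```shell
#!/bin/sh
# Audit an aliases file for active decode/uudecode program aliases.
# Usage: check_decode_aliases [/path/to/aliases]   (default: /etc/aliases)
# Exit status: 0 = no active decode alias, 1 = active alias found, 2 = file unreadable.
check_decode_aliases() {
    file="${1:-/etc/aliases}"
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi
    # Match lines that are NOT commented out (no leading '#'), whose alias
    # name is decode or uudecode (any case), and whose target starts with a
    # pipe, optionally quoted, i.e. mail is handed to a program.
    pattern='^[[:space:]]*(decode|uudecode)[[:space:]]*:[[:space:]]*"?[|]'
    if grep -Eiq "$pattern" "$file"; then
        echo "Active decode/uudecode program alias in $file:"
        grep -Ei "$pattern" "$file"
        echo "Remediation: comment the line out with '#' and run newaliases."
        return 1
    fi
    return 0
}

# Demo against a constructed aliases file (assumption: not a real system's
# file). One alias is already disabled, one is still active.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
postmaster: root
# decode: |/usr/bin/uudecode
uudecode: "|/usr/bin/uuencode -d"
EOF
    check_decode_aliases "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

demo || echo "demo exit status: $?"
```

On a live system run `check_decode_aliases /etc/aliases` (or /usr/lib/aliases) and, after commenting out any reported line, rerun it to confirm the alias is gone before executing newaliases.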

References

CIAC Information Bulletin A-14
Additional information on the vulnerability in the UNIX DECODE alias
http://www.ciac.org/ciac/bulletins/a-14.shtml

CIAC Information Bulletin A-13
Vulnerability in DECODE alias
http://www.ciac.org/ciac/bulletins/a-13.shtml

Sun Microsystems, Inc. Security Bulletin #00122
New security patches for tar and sendmail
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/122&type=0&nav=sec.sba

ISS X-Force
Sendmail decode/uudecode alias could allow remote file creation
http://www.iss.net/security_center/static/126.php

CVE
CVE-1999-0096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0096