• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Multiple Vendor vacation(1) Vulnerability

Severity: HIGH

Description:

Certain versions of the vacation(1) program which ship with multiple commercial and free UNIX's is vulnerable to a remote and local attack. The vacation program itself is a utility which is used in conjunction with a users .forward file to process incoming mail to be automatically replied to with a pre-written message. Typically a message informing the sender that the receiver is away on vacation. This is installed by placing a .forward file into your directory containing a line as follows:

\user, "|/usr/bin/vacation user"

The problem lies in that when vacation responds to an incoming message, it invokes the sendmail command, specifying the address of the sender on the command line. By specifying a sendmail command line option rather than a valid email address, it is possible to cause sendmail to be invoked with an alternate configuration file. This alternate configuration file can be previously sent to the system via a separate email message, or via anonymous FTP. When parsed, this new sendmail configuration file can cause sendmail to execute arbitrary commands on the remote system.

Affected Products:

• FreeBSD FreeBSD 1.1.5 .1
• FreeBSD FreeBSD 2.0.0
• FreeBSD FreeBSD 2.0.5
• HP HP-UX (VVOS) 10.24.0
• HP HP-UX 10.0.0
• HP HP-UX 10.0.01
• HP HP-UX 10.1.0 0
• HP HP-UX 10.10.0
• HP HP-UX 10.16.0
• HP HP-UX 10.20.0
• HP HP-UX 10.30.0
• HP HP-UX 10.34.0
• HP HP-UX 10.8.0
• HP HP-UX 10.9.0
• HP HP-UX 11.0.0
• IBM AIX 4.1.0
• IBM AIX 4.1.1
• IBM AIX 4.1.2
• IBM AIX 4.1.3
• IBM AIX 4.1.4
• IBM AIX 4.1.5
• IBM AIX 4.2.0
• NetBSD NetBSD 1.0.0
• NetBSD NetBSD 1.1.0
• NetBSD NetBSD 1.2.0
• NetBSD NetBSD 1.2.1
• NetBSD NetBSD 1.3.0
• NetBSD NetBSD 1.3.1
• NetBSD NetBSD 1.3.2
• OpenBSD OpenBSD 2.0.0
• Sun Solaris 2.3.0
• Sun Solaris 2.4.0
• Sun Solaris 2.4.0_x86
• Sun Solaris 2.5.0
• Sun Solaris 2.5.0_x86
• Sun Solaris 2.5.1
• Sun Solaris 2.5.1_x86
• Sun Solaris 2.6
• Sun Solaris 2.6_x86
• Sun SunOS 4.1.3
• Sun SunOS 4.1.3 _U1
• Sun SunOS 4.1.4

References:

• FreeBSD: FreeBSD Security Information
• Hewlett Packard: HP Electronic Support Center for Europe
• Hewlett Packard: HP Electronic Support Center for US, Canada, Asia-Pacific, & Latin-America
• IBM: AIX Fix Distribution Service
• IBM: IBM Support Databases
• NetBSD: NetBSD Security Page
• OpenBSD: OpenBSD Security Information
• Sun Microsystems: Sun Patch Access Page
• Sun Microsystems: Sun Patches List

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.