ISS Security Advisory - A remote root vulnerability has been discovered in Sendmail v5.79 to 8.12.7 in the crackaddr() function which is used to parse headers. This vulnerability is especially dangerous because the exploit can be delivered within an email message and the attacker doesn't need any specific knowledge of the target to launch a successful attack.
a777b9ea2ee630fe2497afce3a91ff81fed5df586e37de4d937c084f3d483e7f
-----BEGIN PGP SIGNED MESSAGE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Internet Security Systems Security Brief
March 3, 2002
Remote Sendmail Header Processing Vulnerability
Synopsis:
ISS X-Force has discovered a buffer overflow vulnerability in the
Sendmail
Mail Transfer Agent (MTA). Sendmail is the most common MTA and has
been
documented to handle between 50% and 75% of all Internet email
traffic.
Impact:
Attackers may remotely exploit this vulnerability to gain "root" or
superuser
control of any vulnerable Sendmail server. Sendmail and all other
email
servers are typically exposed to the Internet in order to send and
receive
Internet email. Vulnerable Sendmail servers will not be protected by
legacy
security devices such as firewalls and/or packet filters. This
vulnerability
is especially dangerous because the exploit can be delivered within
an email
message and the attacker doesn't need any specific knowledge of the
target to
launch a successful attack.=20
Affected Versions:
Sendmail versions from 5.79 to 8.12.7 are vulnerable
Note: The affected versions of Sendmail commercial, Sendmail open
source
running on all platforms are known to be vulnerable.
For the complete ISS X-Force Security Advisory, please visit:=20
http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=3D21950
______
About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect
critical
online resources from an ever-changing spectrum of threats and
misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia,
Europe
and the Middle East.
Copyright (c) 2003 Internet Security Systems, Inc. All rights
reserved
worldwide.
Permission is hereby granted for the electronic redistribution of
this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If
you wish to reprint the whole or any part of this document in any
other
medium excluding electronic media, please email xforce@iss.net for
permission.=20
Disclaimer: The information within this paper may change without
notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard
to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet
Security
Systems X-Force) be held liable for any damages whatsoever arising
out
of or in connection with the use or spread of this information.
X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server,
as well as at http://www.iss.net/security_center/sensitive.php
Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.