mz.sendmail.txt
Posted Apr 1, 2003
Authored by Michal Zalewski | Site lcamtuf.coredump.cx

There is a vulnerability in Sendmail versions 8.12.8 and prior. The address parser performs insufficient bounds checking in certain conditions due to a char to int conversion, making it possible for an attacker to take control of the application. This problem is not related to the recent ISS vulnerability announcement.

tags | advisory
SHA-256 | e56c207e41ff83acb9da15ebf18f6f1fbeb72d0a5ba1c4f489470c49b23fc690

CVE: CAN-2003-0161
CERT: VU#897604

********************************************************
*** FORCED RELEASE -- VENDOR NOTIFIED AS OF 03/18/03 ***
********************************************************

There is a vulnerability in Sendmail versions 8.12.8 and prior. The
address parser performs insufficient bounds checking in certain conditions
due to a char-to-int conversion, making it possible for an attacker to
take control of the application. This problem is not related to the recent
ISS vulnerability announcement.

The impact is believed to be a root compromise. I have confirmed that the
issue is exploitable locally, and my initial impression is that a remote
attack is also plausible. Only platforms on which 'char' is signed by
default are vulnerable as-is, and little-endian systems would be easier to
exploit. Systems that use Sendmail privilege separation are better
protected against the _local_ attack, but even then it is still possible
to compromise the smmsp account and control the submission queue.

The bug lurks in the prescan() function in parseaddr.c, which, under
certain conditions, will run past the buffer size limit and overwrite
stack variables, reaching and passing the stored instruction pointer
itself. This function is called liberally across the code for processing
e-mail addresses.

It is possible for the attacker to repeatedly skip the length check in
this function because of an unfortunate construction of a "special"
control-value check. A special value, NOCHAR, is defined as -1. The
variable 'c', which is also used to hold the last character read, is
declared as int, and is sometimes assigned the value NOCHAR to indicate a
special condition.

Unfortunately, the input character, of type char, defaults to a signed
type on many modern platforms, so the byte value 0xff ((char)-1) is
sign-extended to 0xffffffff ((int)-1) upon assignment. This makes the byte
0xff indistinguishable from NOCHAR once stored in 'c', and allows the
attacker to spoof NOCHAR from the input and skip the length check.

Since precise control of the overwrite is possible (length, offset and
layout are up to the attacker), even though the written values are mostly
fixed, it is reasonable to expect that this vulnerability will be easy to
exploit on little-endian systems. Even on big-endian systems it may still
be possible to alter important control variables on the stack, so you are
generally advised to upgrade.
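The following is an added illustration, not Sendmail's code and not part of the original advisory: a deliberately simplified, hypothetical tokenizer that reproduces the pattern described above. The length check runs only when a real character was read (c != NOCHAR); a NOCHAR round closes the current token with an unchecked '\0' write, relying on the slack the check leaves, because the author assumed NOCHAR can only arise from internal state. The buggy read path uses `signed char` explicitly to model a platform whose plain `char` is signed, so the behaviour does not depend on the compiler running it. The buffer size, slack and the test address are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define NOCHAR       (-1)   /* internal sentinel: "no character read this round" */
#define PVPBUF_SIZE  32     /* hypothetical small parse buffer for the demo */
#define SLACK        5      /* room the length check leaves for token terminators */

/*
 * Hypothetical simplified address tokenizer (NOT Sendmail's prescan()).
 *  - a real character is stored only after a length check (q >= limit -> error);
 *  - a NOCHAR round stores nothing but writes a '\0' token terminator without a
 *    fresh check, relying on SLACK, on the assumption that NOCHAR is set only
 *    by internal state transitions and can never be produced by input bytes.
 * buggy_read != 0: model the original conversion, char (signed) -> int, which
 *                  sign-extends byte 0xff to -1 == NOCHAR.
 * buggy_read == 0: the corrected pattern, masking the byte to 0..255 first.
 * Returns bytes written past the end of the logical PVPBUF_SIZE buffer
 * (0 = stayed in bounds), or -1 if the length check rejected the address.
 */
static int tokenize(const unsigned char *addr, size_t len, int buggy_read)
{
    char pvpbuf[PVPBUF_SIZE + 256];   /* shadow space so the demo itself cannot crash */
    char *q = pvpbuf;
    char *end = &pvpbuf[PVPBUF_SIZE];
    char *limit = end - SLACK;
    size_t i;
    int c;

    memset(pvpbuf, 0, sizeof pvpbuf);
    for (i = 0; i < len; i++) {
        if (buggy_read)
            c = (int)(signed char)addr[i];   /* what 'c = *p++' does when char is signed */
        else
            c = (int)(addr[i] & 0377);       /* always 0..255: can never equal NOCHAR */

        if (c != NOCHAR) {
            if (q >= limit)                  /* the length check */
                return -1;
            *q++ = (char)c;                  /* store the character */
        } else {
            *q++ = '\0';                     /* token boundary: unchecked write */
        }
        if ((size_t)(q - pvpbuf) >= sizeof pvpbuf - 1)
            break;                           /* demo guard: stay inside the shadow space */
    }
    return q > end ? (int)(q - end) : 0;
}

/* Constructed attacker input: 27 'A's fill the buffer exactly to 'limit',
 * then 40 bytes of 0xff. With the buggy read every 0xff is taken for NOCHAR
 * and emits an unchecked terminator; with the fixed read the first 0xff is
 * a real character and the length check fires. */
static int demo_overrun(int buggy_read)
{
    unsigned char addr[27 + 40];
    memset(addr, 'A', 27);
    memset(addr + 27, 0xff, 40);
    return tokenize(addr, sizeof addr, buggy_read);
}

int main(void)
{
    printf("buggy read, hostile address: overrun by %d bytes\n", demo_overrun(1));
    printf("fixed read, hostile address: result %d (-1 = rejected)\n", demo_overrun(0));
    printf("fixed read, benign address:  result %d\n",
           tokenize((const unsigned char *)"user@example.org", 16, 0));
    return 0;
}
```

The lesson the model makes concrete: an in-band sentinel must lie outside the value range the input can take, and reading bytes through a possibly signed `char` into an `int` silently puts 0xff into that range. Masking to 0..255 (or reading through `unsigned char`) restores the invariant the length check relied on.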

I notified the vendor on March 18 and got a response the next day.
Sendmail is releasing version 8.12.9, and the official notice is as
follows:

Sendmail, Inc., and the Sendmail Consortium announce the availability
of sendmail 8.12.9. It contains a fix for a critical security
problem discovered by Michal Zalewski whom we thank for bringing
this problem to our attention. Sendmail urges all users to either
upgrade to sendmail 8.12.9 or apply a patch for your sendmail version.
Remember to check the PGP signatures of patches or releases obtained via
FTP or HTTP (to check the correctness of the patches in this
announcement please verify the PGP signature of it). For those not
running the open source version, check with your vendor for a patch.

SECURITY: Fix a buffer overflow in address parsing due to
a char to int conversion problem which is potentially
remotely exploitable. Problem found by Michal Zalewski.

Please visit http://www.sendmail.org for more details and patches, and
check with your vendor for the availability of a new or patched package.

--
------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2003-03-19 00:21 --

[ http://lcamtuf.coredump.cx/photo/current ]