-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ====================================================================== Network Associates, Inc. SECURITY ADVISORY February 15, 2000 Remote Vulnerability in the MMDF SMTP Daemon ====================================================================== SYNOPSIS An implementation fault in MMDF allows arbitrary individuals to obtain mail management privileges via the SMTP daemon. An attacker can subsequently gain root access via a few trivial steps. ====================================================================== VULNERABLE HOSTS This vulnerability has been confirmed and is known to be exploitable on all versions of MMDF prior to the beta release 2.44a-B4 (The current public release is 2.43). The version of MMDF included in the default SCO OpenServer installation (2.43.3b) is also vulnerable. ====================================================================== TECHNICAL DETAILS The "MAIL FROM:" and "RCPT TO:" SMTP commands exist to allow a client to relay to the server the source and destination addresses of a mail message. The MMDF server performs some basic sanity checks on the addresses given as arguments to these commands. If the supplied data is for some reason invalid, an error message to that effect is printed. During this process, the entire input string is copied to a fixed-size local buffer without any bounds checking, using the function sprintf(). Should the size of the input exceed the size of this buffer, the call stack of the MMDF server can be overwritten. While MMDF's "RCPT TO:" handling code performs checks on the address which make exploitation impossible, the "MAIL FROM:" command has no such checking and is easily exploitable. Although the MMDF server is run as the unprivileged user mmdf by inetd, the 'smptd' binary is setuid root and is stored in a directory owned by user mmdf. This allows an attacker to execute commands as root by replacing the 'smtpsrvr' binary with an arbitrary program or script. ====================================================================== RESOLUTION SCO has developed a patch to address this issue. More information is available at: http://www.sco.com/security. Because of the remotely exploitable nature of this vulnerability, this is considered to be a high risk to users of MMDF and should be resolved immediately. ====================================================================== CREDITS Discovery and documentation of this vulnerability was conducted by Shawn Bracken at the Security Research Labs of Network Associates. ====================================================================== ABOUT THE NETWORK ASSOCIATES SECURITY LABS The Security Labs at Network Associates hosts some of the most important research in computer security today. With over 30 security advisories published in the last 2 years, the Network Associates security research teams have been responsible for the discovery of many of the Internet's most serious security flaws. This advisory represents our ongoing commitment to provide critical information to the security community. For more information about the Security Labs at Network Associates, see our website at http://www.nai.com or contact us at . ====================================================================== NETWORK ASSOCIATES SECURITY LABS PGP KEY - - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: PGP 5.5.5 mQGiBDXGgDsRBADVOnID6BtEhKlm2cNalho28YP0JAh+J4iRUIaiWshzI0tc0KPc fvs+0xYwiqjxmeHi2sdIEPQ7S+ltA3Dlp6/DFojWBr2XB9hfWy4uiKBUHqnsKYnB Gpkh6nIx7DIwn+u0PXMXbJCG3LYf8daiPVdzC2VFtbRvJL4wZc6NLQViFQCg/9uS DuH/0NE6mO8Cu4iVrUT5Wk8D/ArOpV5T5yIuXHZO1/ZBVeHccVVvHe8wHK4D9WUs FsB8fgYLNgdFMMjtam7QQSBY/P1KKBzaFqZhkfS4WVMAFEy94NHXG+KTCPhXkZzp OPPqwWqZgfvOg0Bm20O/GhzQkB6JfFJqcfR87Ej0+fcDKrTTxAELWHGS7c9Qdn6P bfwHA/4oLNwYrtgWNkjGcG018Pu2jKT7YuP9zBTMu28IBiWdPLGL9Wle4d5cdDVx Es4iVl8FMtxlgTWCgMnBLS4nyM3pCn1HF+8Gi+IVKUXWCkqt/rtBMsrOMfrOgEIu BWnTZcTR7kcWtH7xDFNyZ47U4pElLXwATVDty/FczAJnpeht2LQyTmV0d29yayBB c3NvY2lhdGVzIFNlY3VyaXR5IExhYnMgPHNlY2xhYnNAbmFpLmNvbT6JAEsEEBEC AAsFAjXGgDsECwMCAQAKCRCheCy6j9WBEtgDAKDpYMwQZP0Ipx7X0ivnTxxJkA/W vACg4LZv0lmWqmnd7XCe4OIJ05aT6hK5Ag0ENcaAOxAIAPZCV7cIfwgXcqK61qlC 8wXo+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyDvWXpF9Sh 01D49Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5u/2RXscB qtNbno2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1FHQ98iLMcfFst jvbzySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzhsSlAGBGNfISn CnLWhsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqrol7DVeky CzsAAgIH/RZcJoRkhCf9O4Er+rciBNG3QqM3tek23oxGuVwqRxtGlGKuf+YaUDIA vZhARftupZYJf/+AM9pyjjsF7ON/Df5oIXXhqzrDySw47dNB3I1FG7vwAUBRfYgG NRP+zvf1nld+FgAXag1DIQteXYPtoMUJP8ZgvbELYVdZS2TapOHUv7r4rOY+UUjl U+FkQPp9KCNreaNux4NxwT3tzXl1KqqkliC8sYxvMCkJ+JO71TKGplO9dXsf3O8p 2r33+LngmLs4O7inrUlmAUKq3jmCK50J7RsZjd6PlK/0JwcjFkOZeYrxTguZzCR4 QYmo8nEHqEMSKQci0VUf9KH4lHf6xmGJAEYEGBECAAYFAjXGgDsACgkQoXgsuo/V gRK5LACgoAqLFk10kAMu6xb3ftO4+INJs14Ani+1hujlYRxYphN97c5ci8WtILNZ =L3C6 - - ---- -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.1 Comment: Crypto Provided by Network Associates iQA/AwUBOKryrqF4LLqP1YESEQLtlQCeIHRGxr5MxhJItvC7SUma4FeJux4AoMP0 P64+u7xPKBcLtNmiXy7QcCh1 =dVD0 -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 All versions of the publicly available MMDF prior to version 2.44.b4 are vulnerable. The version of MMDF distributed with SCO OpenServer was found to be vulnerable, and NAI's advisory was based on this information. The latest stable version is 2.44 and NOT 2.43 as previously stated. The latest version of MMDF, which has not been vulnerable to these attacks for some time, has been recently updated and is available at: ftp://www.mathematik.uni-kl.de/pub/Sources/mail+news/mmdf/ - -rw-r--r-- 1 mmdf mail 1416811 Feb 21 22:59 mmdf-2.44-final.tar.gz Also, as previously mentioned, patches for the vulnerable version shipped with SCO OpenServer are available from: http://www.sco.com/security. Please feel free to contact us with any additional questions. NAI Security Labs seclabs@nai.com -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.1 Comment: Crypto Provided by Network Associates iQA/AwUBOLNP6qF4LLqP1YESEQIJegCguaPr65jZFdQUvi1+3idzAVyB3WcAnA5L x3moOvs7biru0kZr7U1xnCm3 =i6aM -----END PGP SIGNATURE-----