what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

mz.sendmail.txt

mz.sendmail.txt
Posted Apr 1, 2003
Authored by Michal Zalewski | Site lcamtuf.coredump.cx

There is a vulnerability in Sendmail versions 8.12.8 and prior. The address parser performs insufficient bounds checking in certain conditions due to a char to int conversion, making it possible for an attacker to take control of the application. This problem is not related to the recent ISS vulnerability announcement.

tags | advisory
SHA-256 | e56c207e41ff83acb9da15ebf18f6f1fbeb72d0a5ba1c4f489470c49b23fc690

mz.sendmail.txt

Change Mirror Download

CVE: CAN-2003-0161
CERT: VU#897604

********************************************************
*** FORCED RELEASE -- VENDOR NOTIFIED AS OF 03/18/03 ***
********************************************************

There is a vulnerability in Sendmail versions 8.12.8 and prior. The
address parser performs insufficient bounds checking in certain conditions
due to a char to int conversion, making it possible for an attacker to
take control of the application. This problem is not related to the recent
ISS vulnerability announcement.

The impact is believed to be a root compromise. I've confirmed this is a
local issue, and my initial impression is that a remote attack possibility
is not that unlikely. Only platforms with 'char' type signed by default
are vulnerable as-is, and little endian systems would be easier to
exploit. Systems that use Sendmail privilege separation are safer against
the _local_ attack, but even then it is still possible to compromise the
smmsp account and control the submission queue.

The bug lurks in parseaddr.c in prescan() function, which, in certain
conditions, will run past the buffer size limit and overwrite stack
variables, reaching to and past the stored instruction pointer itself.
This function is called quite generously accross the code for processing
e-mail addresses.

It is possible for the attacker to repeatedly skip the length check
location in this function because of an unfortunate construction of a
"special" control value check. A special value, NOCHAR, is defined as -1.
There is a variable 'c', also used to store last read character, declared
as int, and the variable will be sometimes assigned the value of NOCHAR to
indicate a special condition.

Unfortunately, the input character - type char - defaults to a signed type
on many modern platforms, and ASCII value 0xff ((char)-1) will be
converted to 0xffffffff ((int)-1) upon assignment. This makes character
0xff indistinguishable from NOCHAR after being stored in 'c', and makes it
possible for the attacker to spoof NOCHAR and skip the length check.

Since precise control of the overwrite process is possible (length, offset
and layout are up to the attacker), even though the values are mostly
fixed, it is reasonable to expect that this vulnerability will be easy to
exploit on little endian systems. Even on big endian systems, it might be
still possible to alter important control variables on the stack, and you
are generally advised to upgrade.

I've notified the vendor on March 18, and got a response on the next day.
Sendmail is releasing version 8.12.9, and the official notice is as
follows:

Sendmail, Inc., and the Sendmail Consortium announce the availability
of sendmail 8.12.9. It contains a fix for a critical security
problem discovered by Michal Zalewski whom we thank for bringing
this problem to our attention. Sendmail urges all users to either
upgrade to sendmail 8.12.9 or apply a patch for your sendmail version.
Remember to check the PGP signatures of patches or releases obtained via
FTP or HTTP (to check the correctness of the patches in this
announcement please verify the PGP signature of it). For those not
running the open source version, check with your vendor for a patch.

SECURITY: Fix a buffer overflow in address parsing due to
a char to int conversion problem which is potentially
remotely exploitable. Problem found by Michal Zalewski.

Please visit http://www.sendmail.org for more details and patches, and
check with your vendor for the availability of a new or patched package.

--
------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2003-03-19 00:21 --

[ http://lcamtuf.coredump.cx/photo/current ]







































































































































































































Mister Trouble never hangs around
When he hears this Mighty sound:
"Here I come to save the day!"
That means that Mighty Mouse is on the way!
Yes sir, when there is a wrong to right
Mighty Mouse will join the fight
On the sea or on the land
He gets the situation well in hand
So though we are in danger
We never despair
'Cause we know that where there's danger
He is there!
He is there! On the land! On the sea! In the air!
We're not worryin' at all
We're just listenin' for his call:
"Here I come to save the day!"
That means that Mighty Mouse is on the way!






































Mr. Trouble never hangs around
When he hears this mighty sound...
"Here I come to save the day!"
That means that Mighty Mouse is on the way.
Yessir when there is a wrong to right
Mighty Mouse will join the fight
On the sea or on the land
He gets the situation well in hand
So though we are in danger
We never despair
Cause we know that where there's danger
He is there!
He is there!
On the land!
On the sea!
In the air!
We're not worryin' at all
We're just listenin' for his call
"Here I come to save the day!"
That means that Mighty Mouse is on the way!








Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close