[linux-security] another sendmail root exploit
- To: linux-security
- Subject: [linux-security] another sendmail root exploit
- From: Martin Siegert <firstname.lastname@example.org>
- Date: Mon, 31 Mar 2003 20:14:13 -0800
- User-Agent: Mutt/1.4i
remote root exploit possible in sendmail
There is a vulnerability in Sendmail versions 8.12.8 and prior. The
address parser performs insufficient bounds checking in certain conditions
due to a char to int conversion, making it possible for an attacker to
take control of the application. This problem is not related to the recent
message-oriented vulnerability that was fixed in 8.12.8.
The bug is in the prescan() function in parseaddr.c, which, in certain
conditions, will run past the buffer size limit and overwrite stack
variables, reaching to and past the stored instruction pointer itself.
This function is called quite generously across the code for processing
The impact is believed to be a root compromise. This has been confirmed as a
local root compromise, and it is not unlikely that a remote attack is
possible as well. Only platforms with 'char' type signed by default are
vulnerable as-is, and little endian systems would be easier to exploit.
Systems that use Sendmail privilege separation are safer against the local
attack, but even then it is still possible to compromise the smmsp account
and control the submission queue.
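As an added illustration (not part of the advisory or of Sendmail's own code), the following C program models the conversion hazard the advisory describes: a byte read through a signed char promotes to a negative int, so a table index or bounds check derived from it lands before the buffer. The lookup table, function names and sample address are constructed for this example; `signed char` is written explicitly to reproduce what plain `char` is on the signed-char platforms the advisory calls vulnerable.

```c
#include <stddef.h>
#include <stdio.h>

#define TABLE_SIZE 256

/* Hypothetical per-byte character class table (constructed): an address
 * scanner might consult such a table for every byte it reads. */
static const unsigned char kCharClass[TABLE_SIZE] = {
    ['@'] = 1, ['<'] = 2, ['>'] = 2
};

/* Buggy conversion: the byte is read through a signed char, so values
 * 0x80..0xFF promote to -128..-1 when used as an int index. */
int index_signed(unsigned char byte) {
    signed char c = (signed char)byte;   /* what 'char' is on x86 Linux */
    return c;                            /* integer promotion keeps the sign */
}

/* Fixed conversion: read through unsigned char, always 0..255. */
int index_unsigned(unsigned char byte) {
    return (unsigned char)byte;
}

/* Defender's check: count bytes of a buffer whose index would fall outside
 * the table under the buggy conversion (i.e. a read before the table). */
size_t count_oob(const unsigned char *buf, size_t len) {
    size_t bad = 0;
    for (size_t i = 0; i < len; i++) {
        int idx = index_signed(buf[i]);
        if (idx < 0 || idx >= TABLE_SIZE) bad++;
    }
    return bad;
}

/* Safe lookup: the index can never be negative. */
unsigned char class_of(unsigned char byte) {
    return kCharClass[index_unsigned(byte)];
}

/* Constructed sample: a display name containing a Latin-1 byte (0xE9). */
size_t sample_oob_count(void) {
    const unsigned char addr[] = "Ren\xe9 <user@example.com>";
    return count_oob(addr, sizeof addr - 1);
}

int main(void) {
    printf("%zu byte(s) would index out of bounds via signed char\n",
           sample_oob_count());
    printf("index for 0xE9: buggy %d, fixed %d\n",
           index_signed(0xE9), index_unsigned(0xE9));
    return 0;
}
```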
Affected: Sendmail versions 8.12.8 and earlier.
Fix: upgrade to version 8.12.9 or a patched version from your distribution.
rpm -Fvh sendmail-8.11.6-1.62.3.i386.rpm \
rpm -Fvh sendmail-8.11.6-25.70.i386.rpm \
rpm -Fvh sendmail-8.11.6-25.71.i386.rpm \
rpm -Fvh sendmail-8.11.6-25.72.i386.rpm \
rpm -Fvh sendmail-8.11.6-25.73.i386.rpm \
rpm -Fvh sendmail-8.12.8-5.80.i386.rpm \
rpm -Fvh sendmail-8.12.8-5.90.i386.rpm \