[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[linux-security] another sendmail root exploit

To: linux-security
Subject: [linux-security] another sendmail root exploit
From: Martin Siegert <siegert@sfu.ca>
Date: Mon, 31 Mar 2003 20:14:13 -0800
User-Agent: Mutt/1.4i

Topic
=====
remote root exploit possible in sendmail

Problem Description
===================
There is a vulnerability in Sendmail versions 8.12.8 and prior. The
address parser performs insufficient bounds checking in certain conditions
due to a char to int conversion, making it possible for an attacker to
take control of the application. This problem is not related to the recent
message-oriented vulnerability that was fixed in 8.12.8.

The bug is in parseaddr.c in prescan() function, which, in certain
conditions, will run past the buffer size limit and overwrite stack
variables, reaching to and past the stored instruction pointer itself.
This function is called quite generously accross the code for processing
e-mail addresses.

The impact is believed to be a root compromise. This has been confirmed as a
local root compromise, and it is not unlikely that a remote attack is
possible as well. Only platforms with 'char' type signed by default are
vulnerable as-is, and little endian systems would be easier to exploit.
Systems that use Sendmail privilege separation are safer against the local
attack, but even then it is still possible to compromise the smmsp account
and control the submission queue.

Affected Versions
=================
versions 8.12.8 and earlier

Solution
========
upgrade to version 8.12.9 or a patched version fro your distribution

RedHat 6.x
----------
rpm -Fvh sendmail-8.11.6-1.62.3.i386.rpm \
         sendmail-cf-8.11.6-1.62.3.i386.rpm \
         sendmail-doc-8.11.6-1.62.3.i386.rpm

RedHat 7.0
----------
rpm -Fvh sendmail-8.11.6-25.70.i386.rpm \
         sendmail-cf-8.11.6-25.70.i386.rpm \
         sendmail-devel-8.11.6-25.70.i386.rpm \
         sendmail-doc-8.11.6-25.70.i386.rpm

RedHat 7.1
----------
rpm -Fvh sendmail-8.11.6-25.71.i386.rpm \
         sendmail-cf-8.11.6-25.71.i386.rpm \
         sendmail-devel-8.11.6-25.71.i386.rpm \
         sendmail-doc-8.11.6-25.71.i386.rpm

RedHat 7.2
----------
rpm -Fvh sendmail-8.11.6-25.72.i386.rpm \
         sendmail-cf-8.11.6-25.72.i386.rpm \
         sendmail-devel-8.11.6-25.72.i386.rpm \
         sendmail-doc-8.11.6-25.72.i386.rpm

RedHat 7.3
----------
rpm -Fvh sendmail-8.11.6-25.73.i386.rpm \
         sendmail-cf-8.11.6-25.73.i386.rpm \
         sendmail-devel-8.11.6-25.73.i386.rpm \
         sendmail-doc-8.11.6-25.73.i386.rpm

RedHat 8.0
----------
rpm -Fvh sendmail-8.12.8-5.80.i386.rpm \
         sendmail-cf-8.12.8-5.80.i386.rpm \
         sendmail-devel-8.12.8-5.80.i386.rpm \
         sendmail-doc-8.12.8-5.80.i386.rpm

RedHat 9
--------
rpm -Fvh sendmail-8.12.8-5.90.i386.rpm \
         sendmail-cf-8.12.8-5.90.i386.rpm \
         sendmail-devel-8.12.8-5.90.i386.rpm \
         sendmail-doc-8.12.8-5.90.i386.rpm

Follow-Ups:
- Re: [linux-security] another sendmail root exploit (SuSE, Mandrake)
  - From: Martin Siegert <siegert@sfu.ca>

Prev by Date: [linux-security] supported RedHat distributions
Next by Date: [linux-security] openssl timing attacks
Prev by thread: [linux-security] openssl timing attacks
Next by thread: Re: [linux-security] another sendmail root exploit (SuSE, Mandrake)
Index(es):
- Date
- Thread