[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[linux-security] another sendmail root exploit

remote root exploit possible in sendmail

Problem Description
There is a vulnerability in Sendmail versions 8.12.8 and prior. The
address parser performs insufficient bounds checking in certain conditions
due to a char to int conversion, making it possible for an attacker to
take control of the application. This problem is not related to the recent
message-oriented vulnerability that was fixed in 8.12.8.

The bug is in parseaddr.c in prescan() function, which, in certain
conditions, will run past the buffer size limit and overwrite stack
variables, reaching to and past the stored instruction pointer itself.
This function is called quite generously accross the code for processing
e-mail addresses.

The impact is believed to be a root compromise. This has been confirmed as a
local root compromise, and it is not unlikely that a remote attack is
possible as well. Only platforms with 'char' type signed by default are
vulnerable as-is, and little endian systems would be easier to exploit.
Systems that use Sendmail privilege separation are safer against the local
attack, but even then it is still possible to compromise the smmsp account
and control the submission queue.

Affected Versions
versions 8.12.8 and earlier

upgrade to version 8.12.9 or a patched version fro your distribution

RedHat 6.x
rpm -Fvh sendmail-8.11.6-1.62.3.i386.rpm \
         sendmail-cf-8.11.6-1.62.3.i386.rpm \

RedHat 7.0
rpm -Fvh sendmail-8.11.6-25.70.i386.rpm \
         sendmail-cf-8.11.6-25.70.i386.rpm \
         sendmail-devel-8.11.6-25.70.i386.rpm \

RedHat 7.1
rpm -Fvh sendmail-8.11.6-25.71.i386.rpm \
         sendmail-cf-8.11.6-25.71.i386.rpm \
         sendmail-devel-8.11.6-25.71.i386.rpm \

RedHat 7.2
rpm -Fvh sendmail-8.11.6-25.72.i386.rpm \
         sendmail-cf-8.11.6-25.72.i386.rpm \
         sendmail-devel-8.11.6-25.72.i386.rpm \

RedHat 7.3
rpm -Fvh sendmail-8.11.6-25.73.i386.rpm \
         sendmail-cf-8.11.6-25.73.i386.rpm \
         sendmail-devel-8.11.6-25.73.i386.rpm \

RedHat 8.0
rpm -Fvh sendmail-8.12.8-5.80.i386.rpm \
         sendmail-cf-8.12.8-5.80.i386.rpm \
         sendmail-devel-8.12.8-5.80.i386.rpm \

RedHat 9
rpm -Fvh sendmail-8.12.8-5.90.i386.rpm \
         sendmail-cf-8.12.8-5.90.i386.rpm \
         sendmail-devel-8.12.8-5.90.i386.rpm \