SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
Category:   Application (E-mail Server)  >   Sendmail
Vendors:   Sendmail Consortium
Sendmail Mail Server 'Theoretical' Buffer Overflow May Allow Remote Users to Execute Arbitrary Code
SecurityTracker Alert ID:  1004633
SecurityTracker URL:  http://securitytracker.com/id/1004633
CVE Reference:   CVE-2002-0906   (Links to External Site)
Updated:  Dec 14 2004
Original Entry Date:  Jun 26 2002
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 8.12.5
Description:   A buffer overflow was reported in Sendmail. A remote user with control of a DNS server may be able to trigger the overflow if the server is configured in a specific manner.

Sendmail, Inc., and the Sendmail Consortium announced that there is a 'theoretical' buffer overflow in 'sendmail'. According to the report, the vulnerable code is not used by any configuration shipped with sendmail.

The vulnerability occurs when the DNS map is used with the type TXT and sendmail queries a malicious DNS server.

According to the report, if your system uses a custom DNS map definition to query DNS TXT records (e.g., Kdnstxt dns -R TXT), then your system may be vulnerable.

Sendmail credits Joost Pol of PINE Internet and Anton Rang of Sun Microsystems with independently reporting this flaw.

Impact:   A remote user who controls a DNS server that sendmail queries could cause sendmail to execute arbitrary code, but only under the specific configuration described above. The code would likely run with root privileges (although that is not explicitly confirmed in the report). This would allow the remote user to gain root access on the system.
Solution:   The vendor has released a fixed version (8.12.5), available at:

ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.5.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.5.tar.Z
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.5.tar.sig

MD5 signatures:

f2543e253e1c035f99369ba4067bf87c sendmail.8.12.5.tar.gz
a27e1cd63bcaf4b9cc9351140d68587c sendmail.8.12.5.tar.Z
be3d9a832efc4308bc3d4262f7d464c1 sendmail.8.12.5.tar.sig

According to the report, you only need one of the first two files (either the gzip'ed version or the compressed version). The .sig file contains the PGP signature of the tar file (after uncompressing it). The PGP signature was created using the Sendmail Signing Key/2002, available on the web site (http://www.sendmail.org/) or on the public key servers.

In this fixed version, unprintable characters in responses received from DNS servers for the DNS map type are changed to 'X' to eliminate the vulnerability.
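The following is an added example, not code from the advisory or from sendmail itself. It does two things a defender would want here: it scans a sendmail.cf fragment for active DNS map definitions that query TXT records (the configuration the advisory says is exposed, e.g. `Kdnstxt dns -R TXT`), and it models the 8.12.5 hardening by replacing unprintable bytes in a DNS TXT answer with 'X'. The sample configuration, the rogue answer, the acceptance of both `-R TXT` and `-RTXT`, and the definition of "printable" as ASCII 0x20..0x7e are all assumptions made for this example.

```python
import re

# Constructed sendmail.cf fragment (not from the advisory): one map uses
# the DNS map class with TXT records, one is commented out, one uses -RTXT.
SAMPLE_CF = """\
Kdnstxt dns -R TXT
Kdnsmx dns -R MX -T<TMP>
Kaccess hash -T<TMP> /etc/mail/access
# Kold dns -R TXT   (commented out, so not active)
Kother dns -RTXT -o
"""

# A K line is 'K' + map name, whitespace, map class, optional arguments.
K_LINE = re.compile(r"^K(\S+)\s+(\S+)\s*(.*)$")
# The record type follows -R; both "-R TXT" and "-RTXT" are accepted here
# (an assumption about operator habits, not documented sendmail syntax).
R_FLAG = re.compile(r"-R\s*([A-Za-z]+)")


def find_dns_txt_maps(cf_text):
    """Return names of active dns-class maps that query TXT records.

    A match means the configuration exercises the code path the advisory
    describes, so the host should be running sendmail 8.12.5 or later.
    """
    found = []
    for line in cf_text.splitlines():
        if line.startswith("#"):
            continue
        m = K_LINE.match(line)
        if not m:
            continue
        name, mapclass, args = m.groups()
        if mapclass.lower() != "dns":
            continue
        r = R_FLAG.search(args)
        if r and r.group(1).upper() == "TXT":
            found.append(name)
    return found


def sanitize_txt_response(data):
    """Model of the 8.12.5 hardening: replace every unprintable byte in a
    DNS TXT answer with 'X' before it is used. Assumption: printable means
    ASCII 0x20..0x7e; sendmail's own implementation is not reproduced."""
    return bytes(b if 0x20 <= b <= 0x7e else ord("X") for b in data)


if __name__ == "__main__":
    print("dns/TXT maps:", find_dns_txt_maps(SAMPLE_CF))
    # Constructed rogue answer containing control bytes and a high byte.
    print(sanitize_txt_response(b"v=spf1 \x00\x1b[2J\xff -all"))
```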

Vendor URL:  www.sendmail.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Dec 14 2004 (Sun Issues Fix for Solaris) Sendmail Mail Server 'Theoretical' Buffer Overflow May Allow Remote Users to Execute Arbitrary Code
Sun has issued a fix for Solaris.



Source Message Contents

Date:  Wed, 26 Jun 2002 00:05:23 -0400
Subject:  Sendmail theoretical buffer overflow


Sendmail 8.12.5

Sendmail, Inc., and the Sendmail Consortium announce the availability of
sendmail 8.12.5. This version fixes a theoretical buffer overflow in a
part of the code that is not used by any configuration shipped with
sendmail. It affects the dns map if used with the type TXT and a
compromised or rogue DNS server is queried. If you use a custom dns map
definition to query DNS TXT records, e.g.,

	Kdnstxt dns -R TXT

then you should upgrade to 8.12.5. Other changes are listed in the
release notes below.

The version can be found at

ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.5.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.5.tar.Z
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.5.tar.sig

MD5 signatures:

f2543e253e1c035f99369ba4067bf87c sendmail.8.12.5.tar.gz
a27e1cd63bcaf4b9cc9351140d68587c sendmail.8.12.5.tar.Z
be3d9a832efc4308bc3d4262f7d464c1 sendmail.8.12.5.tar.sig

You only need one of the first two files (either the gzip'ed version or
the compressed version). The .sig file contains the PGP signature of the
tar file (after uncompressing it). The PGP signature was created using
the Sendmail Signing Key/2002, available on the web site
(http://www.sendmail.org/) or on the public key servers.

Since sendmail 8.11 and later includes hooks to cryptography, the
following information from OpenSSL applies to sendmail as well.
PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS
OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY,
RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR
EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY
ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT AND/OR USE LAWS
WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR ANY VIOLATIONS YOU
MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.

8.12.5/8.12.5	2002/06/25
	SECURITY: The DNS map can cause a buffer overflow if the user
		specifies a dns map using TXT records in the configuration
		file and a rogue DNS server is queried.  None of the
		sendmail supplied configuration files use this option hence
		they are not vulnerable.  Problem noted independently by
		Joost Pol of PINE Internet and Anton Rang of Sun Microsystems.
	Unprintable characters in responses from DNS servers for the DNS
		map type are changed to 'X' to avoid potential problems
		with rogue DNS servers.
	Require a suboption when setting the Milter option.  Problem noted
		by Bryan Costales.
	Do not silently overwrite command line settings for
		DirectSubmissionModifiers.  Problem noted by Bryan
		Costales.
	Prevent a segmentation fault when clearing the event list by
		turning off alarms before checking if event list is
		empty.  Problem noted by Allan E Johannesen of Worcester
		Polytechnic Institute.
	Close a potential race condition in transitioning a memory buffered
		file onto disk.  From Janani Devarajan of Sun Microsystems.
	Portability:
		Include paths.h on Linux systems running glibc 2.0 or later
			to get the definition for _PATH_SENDMAIL, used by
			rmail and vacation.  Problem noted by Kevin
			A. McGrail of Peregrine Hardware.
		NOTE: Linux appears to have broken flock() again.  Unless
			the bug is fixed before sendmail 8.13 is shipped,
			8.13 will change the default locking method to
			fcntl() for Linux kernel 2.4 and later.  You may
			want to do this in 8.12 by compiling with
			-DHASFLOCK=0.  Be sure to update other sendmail
			related programs to match locking techniques.


Copyright 2013, SecurityGlobal.net LLC