(OpenBSD Issues Fix) Sendmail Buffer Overflow in Parsing Certain Header Comments May Let Remote Users Execute Arbitrary Code with Root Privileges
|
|
SecurityTracker Alert ID: 1006201 |
|
SecurityTracker URL: http://securitytracker.com/id/1006201
|
|
CVE Reference:
CAN-2002-1337
(Links to External Site)
|
Date: Mar 3 2003
|
Impact:
Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, Root access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 5.79 - 8.12.7
|
Description:
A buffer overflow vulnerability was reported in the Sendmail mail transfer agent (MTA). A remote user could execute arbitrary code with the privileges of the mail server (typically root privileges)
It is reported that the software contains an exploitable buffer overflow in the parsing of certain SMTP header elements. The report indicates that long sender or recipient header comments may trigger the flaw. A remote user could create a specially crafted message to cause arbitrary code to be executed on the target server. The target server could be the sending MTA, an intermediate MTA, or the destination MTA.
The vendor has labeled this bug as a "critical security problem."
The vendor credits Mark Dowd of ISS X-Force with reporting the flaw.
Another buffer overflow was reported in the processing of RFC 1413 ident protocol messages (this was discovered by a different user). According to the vendor, this is "non-exploitable."
|
Impact:
A remote user could execute arbitrary code with the privileges of the target server, which is typically root privileges. Any MTA processing the message may be affected.
|
Solution:
OpenBSD has released a fix. The version of sendmail in OpenBSD-current has been updated to version 8.12.8.
The 3.1 and 3.2 -stable branches include a patch. However, the vendor reports that because the -stable branches have the specific vulnerability patched (as opposed to the full 8.12.8 distribution), sendmail on -stable will report the old sendmail version.
Patch for OpenBSD 3.1:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/022_sendmail.patch
Patch for OpenBSD 3.2:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/009_sendmail.patch
Patches for prior versions of sendmail are available at:
ftp://ftp.sendmail.org/pub/sendmail/
|
Vendor URL: www.sendmail.org/8.12.8.html (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
UNIX (OpenBSD)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Mon, 03 Mar 2003 10:49:33 -0700
Subject: remote buffer overflow in sendmail
|
A buffer overflow has been found in sendmail's envelope comment
processing code which may allow an attacker to gain root privileges.
The bug was discovered by Mark Dowd of ISS X-Force.
For more information, see:
http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
http://www.sendmail.org/8.12.8.html
As shipped, OpenBSD runs a sendmail that binds only to localhost,
making this a localhost-only hole in the default configuration.
However, any sendmail configuration that accepts incoming mail may
potentially be exploited.
The sendmail in OpenBSD-current has been updated to version 8.12.8.
The 3.1 and 3.2 -stable branches have had a patch applied that fixes
the buffer overflow. However, because the -stable branches have
the specific vulnerability patched (as opposed to the full 8.12.8
distribution), sendmail on -stable will report the old sendmail version.
Patch for OpenBSD 3.1:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/022_sendmail.patch
Patch for OpenBSD 3.2:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/009_sendmail.patch
Patches for older versions of sendmail may be found at
ftp://ftp.sendmail.org/pub/sendmail/
|
|
