(Sun Issues Fix) Re: Sendmail Buffer Overflow in Parsing Certain Header Comments May Let Remote Users Execute Arbitrary Code with Root Privileges
|
|
SecurityTracker Alert ID: 1006206 |
|
SecurityTracker URL: http://securitytracker.com/id/1006206
|
|
CVE Reference:
CAN-2002-1337
(Links to External Site)
|
Date: Mar 4 2003
|
Impact:
Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, Root access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 5.79 - 8.12.7
|
Description:
A buffer overflow vulnerability was reported in the Sendmail mail transfer agent (MTA). A remote user could execute arbitrary code with the privileges of the mail server (typically root privileges)
It is reported that the software contains an exploitable buffer overflow in the parsing of certain SMTP header elements. The report indicates that long sender or recipient header comments may trigger the flaw. A remote user could create a specially crafted message to cause arbitrary code to be executed on the target server. The target server could be the sending MTA, an intermediate MTA, or the destination MTA.
The vendor has labeled this bug as a "critical security problem."
The vendor credits Mark Dowd of ISS X-Force with reporting the flaw.
Another buffer overflow was reported in the processing of RFC 1413 ident protocol messages (this was discovered by a different user). According to the vendor, this is "non-exploitable."
|
Impact:
A remote user could execute arbitrary code with the privileges of the target server, which is typically root privileges. Any MTA processing the message may be affected.
|
Solution:
Sun has released the following patches:
SPARC Platform
Solaris 2.6: patch 105395-08
Solaris 7: patch 107684-08
Solaris 8: patch 110615-08
Solaris 9: patch 113575-03
x86 Platform
Solaris 2.6: patch 105396-08
Solaris 7: patch 107685-08
Solaris 8: patch 110616-08
Solaris 9: patch 114137-02
The vendor notes that you must restart sendmail after the patch has been installed. To do this, execute the following commands as root:
# /etc/init.d/sendmail stop
# /etc/init.d/sendmail start
|
Vendor URL: sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F51181 (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
UNIX (Solaris - SunOS)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Tue, 04 Mar 2003 01:10:38 -0500
Subject: Sun Alert 51181 (sendmail)
|
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F51181
Sun issued Alert 51181, reporting a fix in sendmail.
The following systems are affected: Solaris 2.6, 7, 8, and 9
Sun reports that, by default, all systems are vulnerable to this issue if they are running sendmail.
Sun has released the following patches:
SPARC Platform
Solaris 2.6 with patch 105395-08 or later
Solaris 7 with patch 107684-08 or later
Solaris 8 with patch 110615-08 or later
Solaris 9 with patch 113575-03 or later
x86 Platform
Solaris 2.6 with patch 105396-08 or later
Solaris 7 with patch 107685-08 or later
Solaris 8 with patch 110616-08 or later
Solaris 9 with patch 114137-02 or later
The vendor notes that you must restart sendmail after the patch has been installed. To do this,
execute the following commands as root:
# /etc/init.d/sendmail stop
# /etc/init.d/sendmail start
-----
Sun Alert ID: 51181
Synopsis: sendmail(1M) Parses Headers Incorrectly in Certain Corner Cases
Category: Security
Product: Solaris
BugIDs: 4809539
Avoidance: Patch
State: Resolved
Date Released: 03-Mar-2003
Date Closed: 03-Mar-2003
Date Modified:
|
|
