SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   Sendmail Vendors:   Sendmail Consortium
(OpenBSD Issues Fix) Sendmail Buffer Overflow in Parsing Certain Header Comments May Let Remote Users Execute Arbitrary Code with Root Privileges
SecurityTracker Alert ID:  1006201
SecurityTracker URL:  http://securitytracker.com/id/1006201
CVE Reference:   CVE-2002-1337   (Links to External Site)
Date:  Mar 3 2003
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.79 - 8.12.7
Description:   A buffer overflow vulnerability was reported in the Sendmail mail transfer agent (MTA). A remote user could execute arbitrary code with the privileges of the mail server (typically root privileges)

It is reported that the software contains an exploitable buffer overflow in the parsing of certain SMTP header elements. The report indicates that long sender or recipient header comments may trigger the flaw. A remote user could create a specially crafted message to cause arbitrary code to be executed on the target server. The target server could be the sending MTA, an intermediate MTA, or the destination MTA.

The vendor has labeled this bug as a "critical security problem."

The vendor credits Mark Dowd of ISS X-Force with reporting the flaw.

Another buffer overflow was reported in the processing of RFC 1413 ident protocol messages (this was discovered by a different user). According to the vendor, this is "non-exploitable."

Impact:   A remote user could execute arbitrary code with the privileges of the target server, which is typically root privileges. Any MTA processing the message may be affected.
Solution:   OpenBSD has released a fix. The version of sendmail in OpenBSD-current has been updated to version 8.12.8.

The 3.1 and 3.2 -stable branches include a patch. However, the vendor reports that because the -stable branches have the specific vulnerability patched (as opposed to the full 8.12.8 distribution), sendmail on -stable will report the old sendmail version.

Patch for OpenBSD 3.1:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/022_sendmail.patch

Patch for OpenBSD 3.2:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/009_sendmail.patch

Patches for prior versions of sendmail are available at:

ftp://ftp.sendmail.org/pub/sendmail/

Vendor URL:  www.sendmail.org/8.12.8.html (Links to External Site)
Cause:   Boundary error
Underlying OS:  UNIX (OpenBSD)
Underlying OS Comments:  3.1, 3.2

Message History:   This archive entry is a follow-up to the message listed below.
Mar 3 2003 Sendmail Buffer Overflow in Parsing Certain Header Comments May Let Remote Users Execute Arbitrary Code with Root Privileges



 Source Message Contents

Subject:  remote buffer overflow in sendmail


A buffer overflow has been found in sendmail's envelope comment
processing code which may allow an attacker to gain root privileges.
The bug was discovered by Mark Dowd of ISS X-Force.

For more information, see:
    http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
    http://www.sendmail.org/8.12.8.html

As shipped, OpenBSD runs a sendmail that binds only to localhost,
making this a localhost-only hole in the default configuration.
However, any sendmail configuration that accepts incoming mail may
potentially be exploited.

The sendmail in OpenBSD-current has been updated to version 8.12.8.
The 3.1 and 3.2 -stable branches have had a patch applied that fixes
the buffer overflow.  However, because the -stable branches have
the specific vulnerability patched (as opposed to the full 8.12.8
distribution), sendmail on -stable will report the old sendmail version.

Patch for OpenBSD 3.1:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/022_sendmail.patch

Patch for OpenBSD 3.2:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/009_sendmail.patch

Patches for older versions of sendmail may be found at
ftp://ftp.sendmail.org/pub/sendmail/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC