SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   Sendmail Vendors:   Sendmail Consortium
(OpenBSD Issues Fix) Sendmail Buffer Overflow in Parsing Addresses May Let Remote or Local Users Execute Arbitrary Code With Root Privileges
SecurityTracker Alert ID:  1006421
SecurityTracker URL:  http://securitytracker.com/id/1006421
CVE Reference:   CVE-2003-0161   (Links to External Site)
Date:  Mar 31 2003
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 8.12.8 and prior versions
Description:   A buffer overflow vulnerability was reported in Sendmail in the address parsing code. A remote or local user could cause arbitrary code to be executed with root privileges.

The flaw reportedly resides in 'parseaddr.c' in a char to int variable conversion. Data received from untrusted sources, potentially including e-mail addresses or DNS domain names, that contain extended ASCII characters and that are longer than a certain size may be able to trigger the flaw and cause code to be executed.

The vendor is reporting this as a "critical security problem."

The vendor credits Michal Zalewski for reporting the flaw.

Impact:   A remote or local user could cause arbitrary code to be executed with root privileges.
Solution:   The vendor has issued a fix in OpenBSD-current (and OpenBSD 3.3), which includes the fixed version 8.12.9.

Patches have been applied to the -stable branches. The vendor notes that because the -stable branches have the vulnerability fix but do not have the full 8.12.9 distribution, sendmail running on a -stable implementation will report the old sendmail version.

Patch for OpenBSD 3.1:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/027_sendmail.patch

Patch for OpenBSD 3.2:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/014_sendmail.patch

Vendor URL:  www.sendmail.org/8.12.9.html (Links to External Site)
Cause:   Boundary error
Underlying OS:  UNIX (OpenBSD)
Underlying OS Comments:  OpenBSD 3.1, 3.2, 3.3

Message History:   This archive entry is a follow-up to the message listed below.
Mar 29 2003 Sendmail Buffer Overflow in Parsing Addresses May Let Remote or Local Users Execute Arbitrary Code With Root Privileges



 Source Message Contents

Subject:  new sendmail buffer overflow


A buffer overflow in address parsing due to char to int conversion
has been discovered in sendmail by Michal Zalewski.

For more information on the bug, please see:
    http://www.cert.org/advisories/CA-2003-12.html
    http://www.securityfocus.com/archive/1/316773/2003-03-28/2003-04-03/0

As shipped, OpenBSD runs a sendmail that binds only to localhost,
making this a localhost-only hole in the default configuration.
However, any sendmail configuration that accepts incoming mail may
potentially be exploited.  It is worth noting that the ProPolice
stack protector (http://www.trl.ibm.com/projects/security/ssp/)
that will ship with OpenBSD 3.3 would have protected a system from
an attacker trying to exploit this bug.

The sendmail in OpenBSD-current (and OpenBSD 3.3) has been updated
to version 8.12.9 which includes a fix for this problem.
The 3.1 and 3.2 -stable branches have had a patch applied that fixes
the buffer overflow.  However, because the -stable branches have
the specific vulnerability patched (as opposed to the full 8.12.9
distribution), sendmail on -stable will report the old sendmail version.

Patch for OpenBSD 3.1:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/027_sendmail.patch

Patch for OpenBSD 3.2:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/014_sendmail.patch

Patches for older versions of sendmail may be found at
ftp://ftp.sendmail.org/pub/sendmail/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC