SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   Sendmail Vendors:   Sendmail Consortium
Sendmail Prescan Flaw May Let Remote Users Execute Arbitrary Code With Root Privileges
SecurityTracker Alert ID:  1007734
SecurityTracker URL:  http://securitytracker.com/id/1007734
CVE Reference:   CVE-2003-0694   (Links to External Site)
Updated:  Sep 17 2003
Original Entry Date:  Sep 17 2003
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 8.12.9 and prior versions
Description:   A vulnerability was reported in Sendmail. A local or remote user may be able to execute arbitrary code on the target system.

It is reported that the prescan() function in 'parseaddr.c' contains a flaw [that is different than previously reported prescan flaw]. The report states that various exploit methods are possible, but these exploit methods were not disclosed.

The report indicates that it is confirmed that a local user can exploit this flaw and it is believed that a remote user may also exploit this flaw.

Impact:   A local or remote user may be able to execute arbitrary code with the privileges of the sendmail process.
Solution:   The vendor has issued a fixed version (8.2.10), available at:

ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.gz.sig
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.Z
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.Z.sig

The following patch is also available:

http://sendmail.org/parse8.359.2.8.html

Vendor URL:  www.sendmail.org/8.12.10.html (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 17 2003 (Red Hat Issues Fix for RH Enterprise Linux) Sendmail Prescan Flaw May Let Remote Users Execute Arbitrary Code With Root Privileges
Red Hat has released a fix for Red Hat Enterprise Linux.
Sep 18 2003 (Debian Issues Fix) Sendmail Prescan Flaw May Let Remote Users Execute Arbitrary Code With Root Privileges
Debian has released a fix.
Sep 18 2003 (Red Hat Issues Fix) Sendmail Prescan Flaw May Let Remote Users Execute Arbitrary Code With Root Privileges
Red Hat has released a fix for Red Hat Linux.
Sep 18 2003 (Slackware Issues Fix) Sendmail Prescan Flaw May Let Remote Users Execute Arbitrary Code With Root Privileges
Slackware has released a fix.
Sep 18 2003 (Immunix Issues Fix) Sendmail Prescan Flaw May Let Remote Users Execute Arbitrary Code With Root Privileges
Immunix has released a fix.
Sep 18 2003 (Conectiva Issues Fix) Sendmail Prescan Flaw May Let Remote Users Execute Arbitrary Code With Root Privileges
Conectiva has released a fix.
Sep 19 2003 (Gentoo Issues Fix) Re: Sendmail Prescan Flaw May Let Remote Users Execute Arbitrary Code With Root Privileges
Gentoo has issued a fix.
Sep 21 2003 (SuSE Issues Fix) Sendmail Prescan Flaw May Let Remote Users Execute Arbitrary Code With Root Privileges
SuSE has released a fix.
Sep 21 2003 (IBM Issues E-Fix) Re: Sendmail Prescan Flaw May Let Remote Users Execute Arbitrary Code With Root Privileges
IBM has issued an e-fix and plans to released APARs in October 2003.
Sep 23 2003 (Apple Issues Fix) Sendmail Prescan Flaw May Let Remote Users Execute Arbitrary Code With Root Privileges
Apple has released a fix.
Sep 23 2003 (HP Issues Fix for HP/UX) Sendmail Prescan Flaw May Let Remote Users Execute Arbitrary Code With Root Privileges
HP has released a fix.
Oct 9 2003 (NetBSD Issues Fix) Re: Sendmail Prescan Flaw May Let Remote Users Execute Arbitrary Code With Root Privileges
NetBSD has issued a fix.
Nov 3 2003 (HP Issues Fix for Tru64) Sendmail Prescan Flaw May Let Remote Users Execute Arbitrary Code With Root Privileges
HP has released Early Release Patches for Tru64 UNIX.
Nov 18 2003 (SCO Issues Fix for OpenLinux) Sendmail Prescan Flaw May Let Remote Users Execute Arbitrary Code With Root Privileges
SCO has released a fix for OpenLinux.
Nov 21 2003 (IBM Issues Fix) Re: Sendmail Prescan Flaw May Let Remote Users Execute Arbitrary Code With Root Privileges
IBM has issued a fix.
Jul 29 2004 (SCO Issues Fix for OpenServer) Sendmail Prescan Flaw May Let Remote Users Execute Arbitrary Code With Root Privileges
SCO has issued a fix for OpenServer 5.0.6 and 5.0.7.



 Source Message Contents

Subject:  [Full-Disclosure] Sendmail 8.12.9 prescan bug (a new one) [CVE-2003-0694]


Hello lists,

--------
Overview
--------

  There seems to be a remotely exploitable vulnerability in Sendmail up to
  and including the latest version, 8.12.9. The problem lies in prescan()
  function, but is not related to previous issues with this code.

  The primary attack vector is an indirect invocation via parseaddr(),
  although other routes are possible. Heap or stack structures, depending
  on the calling location, can be overwritten due to the ability to go
  past end of the input buffer in strtok()-alike routines.

  This is an early release, thanks to my sheer stupidity.

--------------
Attack details
--------------

  Local exploitation on little endian Linux is confirmed to be trivial
  via recipient.c and sendtolist(), with a pointer overwrite leading to a
  neat case of free() on user-supplied data, i.e.:

  eip = 0x40178ae2
  edx = 0x41414141
  esi = 0x61616161

  SEGV in chunk_free (ar_ptr=0x4022a160, p=0x81337e0) at malloc.c:3242

  0x40178ae2 <chunk_free+486>:    mov    %esi,0xc(%edx)
  0x40178ae5 <chunk_free+489>:    mov    %edx,0x8(%esi)

  Remote attack is believed to be possible.

----------------
Workaround / fix
----------------

  Vendor was notified, and released an early patch attached below.
  There are no known workarounds.

Index: parseaddr.c
===================================================================
RCS file: /cvs/src/gnu/usr.sbin/sendmail/sendmail/parseaddr.c,v
retrieving revision 1.16
diff -u -r1.16 parseaddr.c
--- parseaddr.c 29 Mar 2003 19:44:01 -0000      1.16
+++ parseaddr.c 16 Sep 2003 17:37:26 -0000
@@ -700,7 +700,11 @@
                                                addr[MAXNAME] = '\0';
        returnnull:
                                        if (delimptr != NULL)
+                                       {
+                                               if (p > addr)
+                                                       p--;
                                                *delimptr = p;
+                                       }
                                        CurEnv->e_to = saveto;
                                        return NULL;
                                }

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-09-16 21:18 --









_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC