SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   Sendmail Vendors:   Sendmail Consortium
(Immunix Issues Fix) Sendmail Prescan Flaw May Let Remote Users Execute Arbitrary Code With Root Privileges
SecurityTracker Alert ID:  1007747
SecurityTracker URL:  http://securitytracker.com/id/1007747
CVE Reference:   CVE-2003-0694   (Links to External Site)
Date:  Sep 18 2003
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, Root access via local system, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 8.12.9 and prior versions
Description:   A vulnerability was reported in Sendmail. A local or remote user may be able to execute arbitrary code on the target system.

It is reported that the prescan() function in 'parseaddr.c' contains a flaw [that is different than previously reported prescan flaw]. The report states that various exploit methods are possible, but these exploit methods were not disclosed.

The report indicates that it is confirmed that a local user can exploit this flaw and it is believed that a remote user may also exploit this flaw.

Impact:   A local or remote user may be able to execute arbitrary code with the privileges of the sendmail process.
Solution:   Immunix has released a fix. Binaries are available at:

http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/sendmail-8.11.6-3_imnx_6.i386.rpm
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/sendmail-cf-8.11.6-3_imnx_6.i386.rpm
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/sendmail-doc-8.11.6-3_imnx_6.i386.rpm

A source package for Immunix 7+ is located here:

http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/sendmail-8.11.6-3_imnx_6.src.rpm

The Immunix OS 7+ md5sums are:

cf0da9af59b3ce5ef3415ef165ed5acf RPMS/sendmail-8.11.6-3_imnx_6.i386.rpm
d7e44a404f9208d5d5e831146ebee81f RPMS/sendmail-cf-8.11.6-3_imnx_6.i386.rpm
580f5f35079dff0d523c79b8f903add0 RPMS/sendmail-doc-8.11.6-3_imnx_6.i386.rpm
3811d5cb46c9309ec7ebf894b4fb709e SRPMS/sendmail-8.11.6-3_imnx_6.src.rpm

Vendor URL:  www.sendmail.org/8.12.10.html (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Immunix)
Underlying OS Comments:  7+

Message History:   This archive entry is a follow-up to the message listed below.
Sep 17 2003 Sendmail Prescan Flaw May Let Remote Users Execute Arbitrary Code With Root Privileges



 Source Message Contents

Subject:  [Immunix-announce] Immunix Secured OS 7+ sendmail update



--===============10940100632853356==
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="NQTVMVnDVuULnIzU"
Content-Disposition: inline


--NQTVMVnDVuULnIzU
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

[From the Redundancy Department of Redundancy: When setting up an
out-of-office-autoreply, please configure it to NOT respond to
Precedence: bulk mail or other public mail lists. Thanks.]

-----------------------------------------------------------------------
	Immunix Secured OS Security Advisory

Packages updated:	sendmail
Affected products:	Immunix OS 7+
Bugs fixed:		CAN-2003-0681, CAN-2003-0694
Date:			Wed Sep 17 2003
Advisory ID:		IMNX-2003-7+-021-01
Author:			Seth Arnold <sarnold@immunix.com>
-----------------------------------------------------------------------

Description:
  Michal Zalewski discovered flaws in sendmail's prescan() function.
  prescan() is used sufficiently frequently in the sendmail sources that
  it is not clear where the overflowed buffers are located in memory,
  thus administrators should assume that StackGuard provides limited
  coverage at best. This flaw is CAN-2003-0694.

  Timo Sirainen has discovered CAN-2003-0681, "a potential buffer
  overflow in ruleset parsing which is not exploitable in the default
  sendmail configuration; only if non-standard rulesets recipient (2),
  final (4), or mailer-specific envelope recipients rulesets are used
  then a problem may occur."

  Immunix would like to thank Claus Assmann, Ademar de Souza Reis Jr,
  and Todd C. Miller.

Package names and locations:
  Precompiled binary packages for Immunix 7+ are available at:
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/sendmail-8.11.6-3_i=
mnx_6.i386.rpm
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/sendmail-cf-8.11.6-=
3_imnx_6.i386.rpm
  http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/sendmail-doc-8.11.6=
-3_imnx_6.i386.rpm

  A source package for Immunix 7+ is located here:
  http://download.immunix.org/ImmunixOS/7+/Updates/SRPMS/sendmail-8.11.6-3_=
imnx_6.src.rpm

Immunix OS 7+ md5sums:
  cf0da9af59b3ce5ef3415ef165ed5acf RPMS/sendmail-8.11.6-3_imnx_6.i386.rpm
  d7e44a404f9208d5d5e831146ebee81f RPMS/sendmail-cf-8.11.6-3_imnx_6.i386.rpm
  580f5f35079dff0d523c79b8f903add0 RPMS/sendmail-doc-8.11.6-3_imnx_6.i386.r=
pm
  3811d5cb46c9309ec7ebf894b4fb709e SRPMS/sendmail-8.11.6-3_imnx_6.src.rpm

GPG verification:                                                          =
    =20
  Our public keys are available at http://download.immunix.org/GPG_KEY
  Immunix, Inc., has changed policy with GPG keys. We maintain several
  keys now: C53B2B53 for Immunix 7+ package signing, D3BA6C17 for
  Immunix 7.3 package signing, and 1B7456DA for general security issues.


NOTE:
  Ibiblio is graciously mirroring our updates, so if the links above are
  slow, please try:
    ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
  or one of the many mirrors available at:
    http://www.ibiblio.org/pub/Linux/MIRRORS.html

  ImmunixOS 6.2 is no longer officially supported.
  ImmunixOS 7.0 is no longer officially supported.

Contact information:
  To report vulnerabilities, please contact security@immunix.com.
  Immunix attempts to conform to the RFP vulnerability disclosure protocol
  http://www.wiretrip.net/rfp/policy.html.

--NQTVMVnDVuULnIzU
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj9pLFYACgkQn5I6Lxt0VtqY4QCg28TM4+JaHYH70OfL+aEf8Ebt
4jQAn0R8L295iMDQ/eY2m5haCdUg7a71
=IcTK
-----END PGP SIGNATURE-----

--NQTVMVnDVuULnIzU--

--===============10940100632853356==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Immunix-announce mailing list
Immunix-announce@wirex.com
http://mail.wirex.com/mailman/listinfo/immunix-announce

--===============10940100632853356==--


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC