SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   Sendmail Vendors:   Sendmail Consortium
(NetBSD Issues Fix) Sendmail Race Condition in Signal Handler May Let Remote Users Trigger a Buffer Overflow to Execute Arbitrary Code
SecurityTracker Alert ID:  1015844
SecurityTracker URL:  http://securitytracker.com/id/1015844
CVE Reference:   CVE-2006-0058   (Links to External Site)
Date:  Mar 30 2006
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 8.13.6
Description:   A vulnerability was reported in Sendmail. A remote user may be able to execute arbitrary code on the target system.

Under certain specific timing conditions, a remote user can send specially crafted e-mail data to the target system to exploit a race condition in a signal handler and trigger a buffer overflow. This may allow the remote user to execute arbitrary code on the target system with the privileges of the sendmail process.

ISS discovered this vulnerability.

The original advisory is available at:

http://xforce.iss.net/xforce/xfdb/24584

Impact:   A remote user can execute arbitrary code on the target system with the privileges of the sendmail process (typically root privileges).
Solution:   NetBSD has released a fix, described in the NetBSD advisory at:

ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2006-010.txt.asc

Vendor URL:  www.sendmail.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  UNIX (NetBSD)
Underlying OS Comments:  1.6, 2.0, 2.1, 3.0

Message History:   This archive entry is a follow-up to the message listed below.
Mar 22 2006 Sendmail Race Condition in Signal Handler May Let Remote Users Trigger a Buffer Overflow to Execute Arbitrary Code



 Source Message Contents

Subject:  NetBSD Security Advisory 2006-010: Sendmail race condition



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


		 NetBSD Security Advisory 2006-010
		 =================================

Topic:		Sendmail race condition

Version:	NetBSD-current:	source prior to March 24, 2006
		NetBSD 3.0:	affected
		NetBSD 2.1:	affected
		NetBSD 2.0.*:	affected
		NetBSD 2.0:	affected
		NetBSD 1.6.*:	affected
		NetBSD 1.6:	affected
		pkgsrc:		sendmail packages prior to sendmail-8.13.5nb2
				sendmail packages prior to sendmail-8.12.11nb2

Severity:	Remote code execution with sendmail privileges

Fixed:		NetBSD-current:		March 24, 2006
		NetBSD-3-0 branch:	March 24, 2006
					   (3.0.1 will include the fix)
		NetBSD-3   branch:	March 24, 2006
		NetBSD-2-1 branch:	March 24, 2006
					   (2.1.1 will include the fix)
		NetBSD-2-0 branch:	March 24, 2006
					   (2.0.4 will include the fix)
		NetBSD-2   branch:	March 24, 2006
		pkgsrc:			sendmail-8.13.5nb2 corrects this issue
					sendmail-8.12.11nb2 corrects this issue


Abstract
========

Sendmail is vulnerable to a race condition in the handling of asynchronous 
signals. This may allow a remote attacker to execute arbitrary code with 
the privileges of the sendmail user.

This vulnerability has been assigned CVE reference CVE-2006-0058.


Technical Details
=================

Sendmail contains a race condition caused by the improper handling of
asynchronous signals. In particular, by forcing the SMTP server to have
an I/O timeout at exactly the correct instant, an attacker may be able
to execute arbitrary code with the privileges of the Sendmail process.

Solutions and Workarounds
=========================

Sendmail by default on NetBSD is bound to localhost (127.0.0.0, ::1) and
as such is not externally reachable.

However, it is recommended that all users of affected versions update their
sendmail to include the fix.

The following instructions describe how to upgrade your sendmail
binaries by updating your source tree and rebuilding and
installing a new version of sendmail.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2006-03-23
	should be upgraded to NetBSD-current dated 2006-03-24 or later.

	The following files need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		gnu/dist/sendmail/sendmail/collect.c
		gnu/dist/sendmail/sendmail/conf.c
		gnu/dist/sendmail/sendmail/deliver.c
		gnu/dist/sendmail/sendmail/headers.c
		gnu/dist/sendmail/sendmail/mime.c
		gnu/dist/sendmail/sendmail/parseaddr.c
		gnu/dist/sendmail/sendmail/savemail.c
		gnu/dist/sendmail/sendmail/sendmail.h
		gnu/dist/sendmail/sendmail/sfsasl.c
		gnu/dist/sendmail/sendmail/sfsasl.h
		gnu/dist/sendmail/sendmail/srvrsmtp.c
		gnu/dist/sendmail/sendmail/tls.c
		gnu/dist/sendmail/sendmail/usersmtp.c
		gnu/dist/sendmail/sendmail/util.c
		gnu/dist/sendmail/sendmail/version.c
		gnu/dist/sendmail/libsm/fflush.c
		gnu/dist/sendmail/libsm/local.h
		gnu/dist/sendmail/libsm/refill.c

	To update from CVS, re-build, and re-install sendmail:

		# cd src
		# cvs update -d -P gnu/dist/sendmail
		# cd gnu/usr.sbin/sendmail
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 3.*:

	Systems running NetBSD 3.* sources dated from before
	2006-03-23 should be upgraded from NetBSD 3.* sources dated
	2006-03-24 or later.

	The following files need to be updated from the
	netbsd-3 or netbsd-3-0 CVS branch:
		gnu/dist/sendmail/sendmail/collect.c
		gnu/dist/sendmail/sendmail/conf.c
		gnu/dist/sendmail/sendmail/deliver.c
		gnu/dist/sendmail/sendmail/headers.c
		gnu/dist/sendmail/sendmail/mime.c
		gnu/dist/sendmail/sendmail/parseaddr.c
		gnu/dist/sendmail/sendmail/savemail.c
		gnu/dist/sendmail/sendmail/sendmail.h
		gnu/dist/sendmail/sendmail/sfsasl.c
		gnu/dist/sendmail/sendmail/sfsasl.h
		gnu/dist/sendmail/sendmail/srvrsmtp.c
		gnu/dist/sendmail/sendmail/tls.c
		gnu/dist/sendmail/sendmail/usersmtp.c
		gnu/dist/sendmail/sendmail/util.c
		gnu/dist/sendmail/sendmail/version.c
		gnu/dist/sendmail/libsm/fflush.c
		gnu/dist/sendmail/libsm/local.h
		gnu/dist/sendmail/libsm/refill.c

	To update from CVS, re-build, and re-install sendmail:

		# cd src
		# cvs update -d -P -r <branch_name> gnu/dist/sendmail
		# cd gnu/usr.sbin/sendmail
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install

* NetBSD 2.*:

	Systems running NetBSD 2.* sources dated from before
	2006-03-23 should be upgraded from NetBSD 2.* sources dated
	2006-03-24 or later.

	The following files need to be updated from the
	netbsd-2, netbsd-2-0 or netbsd-2-1 CVS branch:
		gnu/dist/sendmail/sendmail/collect.c
		gnu/dist/sendmail/sendmail/conf.c
		gnu/dist/sendmail/sendmail/deliver.c
		gnu/dist/sendmail/sendmail/headers.c
		gnu/dist/sendmail/sendmail/mime.c
		gnu/dist/sendmail/sendmail/parseaddr.c
		gnu/dist/sendmail/sendmail/savemail.c
		gnu/dist/sendmail/sendmail/sendmail.h
		gnu/dist/sendmail/sendmail/sfsasl.c
		gnu/dist/sendmail/sendmail/sfsasl.h
		gnu/dist/sendmail/sendmail/srvrsmtp.c
		gnu/dist/sendmail/sendmail/tls.c 
		gnu/dist/sendmail/sendmail/usersmtp.c
		gnu/dist/sendmail/sendmail/util.c
		gnu/dist/sendmail/sendmail/version.c
		gnu/dist/sendmail/libsm/fflush.c
		gnu/dist/sendmail/libsm/local.h
		gnu/dist/sendmail/libsm/refill.c

	To update from CVS, re-build, and re-install sendmail:

		# cd src
		# cvs update -d -P -r <branch_name> gnu/dist/sendmail
		# cd gnu/usr.sbin/sendmail
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install



Thanks To
=========

CERT for notification and co-ordination of the issue.
Sendmail Consortium for supplying the patches to address the issue.
Christos Zoulas for implementing the fixes.

Revision History
================

	2006-03-29	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2006-010.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2006, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2006-010.txt,v 1.5 2006/03/29 19:52:50 adrianp Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (NetBSD)

iQCVAwUBRCsC3D5Ru2/4N2IFAQLgswQAyWsnHHM017c4NP0vvPh6hKn/MYjpZGB7
1meGsumrd3JsPUj4j30GR3RXeqw2Kf0RGOrnwz7aIVibXdX05jxjl+8GpBSU2xkI
eZ//s8n7gIe3gvaOTpqLRdBo6mi9aGY0BZhHA7ZoHsW2cQ7JZXnhdl3QzJ3qUQaA
D8pG/zZ/cMc=
=1u2y
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC