[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [linux-security] another sendmail root exploit (SuSE, Mandrake)
On Mon, Mar 31, 2003 at 08:14:13PM -0800, Martin Siegert wrote:
> Topic
> =====
> remote root exploit possible in sendmail
>
> Problem Description
> ===================
> There is a vulnerability in Sendmail versions 8.12.8 and prior. The
> address parser performs insufficient bounds checking in certain conditions
> due to a char to int conversion, making it possible for an attacker to
> take control of the application. This problem is not related to the recent
> message-oriented vulnerability that was fixed in 8.12.8.
>
> The bug is in parseaddr.c in prescan() function, which, in certain
> conditions, will run past the buffer size limit and overwrite stack
> variables, reaching to and past the stored instruction pointer itself.
> This function is called quite generously accross the code for processing
> e-mail addresses.
>
> The impact is believed to be a root compromise. This has been confirmed as a
> local root compromise, and it is not unlikely that a remote attack is
> possible as well. Only platforms with 'char' type signed by default are
> vulnerable as-is, and little endian systems would be easier to exploit.
> Systems that use Sendmail privilege separation are safer against the local
> attack, but even then it is still possible to compromise the smmsp account
> and control the submission queue.
>
> Affected Versions
> =================
> versions 8.12.8 and earlier
>
> Solution
> ========
> upgrade to version 8.12.9 or a patched version fro your distribution
SuSE-7.1
--------
rpm -Fvh sendmail-8.11.2-45.i386.rpm sendmail-tls-8.11.2-47.i386.rpm
SuSE-7.2
--------
rpm -Fvh sendmail-8.11.3-108.i386.rpm sendmail-tls-8.11.3-112.i386.rpm
SuSE-7.3
--------
rpm -Fvh sendmail-8.11.6-164.i386.rpm sendmail-tls-8.11.6-166.i386.rpm
SuSE-8.0
--------
rpm -Fvh sendmail-8.12.3-75.i386.rpm
SuSE-8.1
--------
rpm -Fvh sendmail-8.12.6-109.i386.rpm
Mandrake 8.2
------------
rpm -Fvh sendmail-8.12.1-4.3mdk.i586.rpm \
sendmail-cf-8.12.1-4.3mdk.i586.rpm \
sendmail-devel-8.12.1-4.3mdk.i586.rpm \
sendmail-doc-8.12.1-4.3mdk.i586.rpm
Mandrake 9.0
------------
rpm -Fvh sendmail-8.12.6-3.3mdk.i586.rpm \
sendmail-cf-8.12.6-3.3mdk.i586.rpm \
sendmail-devel-8.12.6-3.3mdk.i586.rpm \
sendmail-doc-8.12.6-3.3mdk.i586.rpm
Mandrake 9.1
------------
rpm -Fvh sendmail-8.12.9-1.1mdk.i586.rpm \
sendmail-cf-8.12.9-1.1mdk.i586.rpm \
sendmail-devel-8.12.9-1.1mdk.i586.rpm \
sendmail-doc-8.12.9-1.1mdk.i586.rpm