[NEWS] Remote Sendmail Header Processing Vulnerability

From: support@securiteam.com
Date: 03/04/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 4 Mar 2003 18:00:59 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Remote Sendmail Header Processing Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    Sendmail <http://www.sendmail.org> is a heavily used Mail Transfer Agent
    (MTA) and is assumed to be handling about 50% to 75% of all Internet mail
    traffic.
    A vulnerability found in this product allows a remote user to gain
    complete control of the attacked system, without requiring prior knowledge
    of the attacked system's configuration or being actively connected to it.
    Even systems protected by firewall/packet filtering are not immune, as the
    attack is performed by sending a mail message.

    DETAILS

    Vulnerable versions:
     * Sendmail Versions 5.1 to 8.12.7
     * Sendmail Switch Versions 2.2.x prior to 2.2.5 and 3.0.x prior to 3.0.3
     * Sendmail Advanced Message Server (which includes the Sendmail Switch MTA)
     * Sendmail for NT 2.6.x prior to 2.6.2 or 3.x prior to 3.0.3
     * Sendmail Switch for HP-UX Versions 2.1.x prior to 2.1.5
     * Sendmail Pro
     * Any program using the open source code of Sendmail.

    For a complete list of vulnerable systems, see:
     <http://www.kb.cert.org/vuls/id/398025#systems>

    Immune Versions:
     * Sendmail Versions 8.12.8 and above
     * Sendmail Switch Versions 2.2.5 or 3.0.3 and above
     * Sendmail for NT Versions 2.6.2 or 3.0.3 and above
     * Sendmail for HP-UX Versions 2.1.5 and above

    Almost every organization uses some Mail Transfer Agent to send and
    receive mail across the net. Sendmail is the most prominent of these
    MTAs, and it is usually installed and enabled by default on almost every
    Unix and Linux system, which makes this a very serious threat.

    The attack is performed by an email message and occurs when the Sendmail
    server tries to parse the SMTP header of an incoming mail message.
    The server will try to parse addresses and see if these are valid
    addresses using the crackaddr() function, which is located in the
    headers.c file (a part of Sendmail's source code).

    The server uses a buffer to record all values and uses various security
    checks to ensure that all characters are legal.
    If the buffer is filled to a certain level the program stops sending it
    more characters.
    One of the security checks, however, is vulnerable and allows a buffer
    overflow.

    Disabling stack execution will not prevent this attack.

    Notes:
    In case of an unsuccessful attack on an immune system the following
    message will be seen:
    Dropped invalid comments from header address
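
    The log message above gives administrators of patched servers something to search for. The following is an added example, not part of the original advisory or of Sendmail: it scans mail log text for that message and uses the queue ID to look up the sending relay. The syslog line layout and the sample lines are assumptions constructed for illustration.

```python
import re

# Message text quoted in the advisory's Notes section.
MARKER = "Dropped invalid comments from header address"

# Assumed syslog layout: "<timestamp> <host> sendmail[<pid>]: <queue-id>: <text>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"sendmail\[\d+\]:\s(?P<qid>\w+):\s(?P<text>.*)$"
)
RELAY_RE = re.compile(r"\brelay=(?P<relay>[^,]+)")

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = """\
Mar  4 18:01:02 mx1 sendmail[2101]: h24G12ab002101: from=<a@example.org>, size=912, nrcpts=1, relay=mail.example.org [192.0.2.10]
Mar  4 18:01:02 mx1 sendmail[2101]: h24G12ab002101: to=<bob@example.com>, stat=Sent
Mar  4 18:03:40 mx1 sendmail[2155]: h24G3eab002155: Dropped invalid comments from header address
Mar  4 18:03:40 mx1 sendmail[2155]: h24G3eab002155: from=<x@example.net>, size=40211, nrcpts=1, relay=[198.51.100.7]
Mar  4 18:05:11 mx1 sendmail[2190]: h24G5bab002190: Dropped invalid comments from header address
"""


def find_dropped_comment_events(log_text):
    """Return one record per MARKER line, with the relay of the same queue ID."""
    relays = {}   # queue ID -> relay taken from that message's "from=" line
    hits = []     # (timestamp, host, queue ID) for every MARKER line
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a sendmail line in the assumed layout
        qid, text = m["qid"], m["text"]
        relay = RELAY_RE.search(text)
        if text.startswith("from=") and relay:
            relays[qid] = relay["relay"].strip()
        elif MARKER in text:
            hits.append((m["ts"], m["host"], qid))
    # Resolve relays after the full pass: the "from=" line may follow the marker.
    return [
        {"time": ts, "host": host, "queue_id": qid,
         "relay": relays.get(qid, "unknown")}
        for ts, host, qid in hits
    ]


if __name__ == "__main__":
    for event in find_dropped_comment_events(SAMPLE_LOG):
        print(event)
```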

    Solution:
    Download the latest version of Sendmail:
     <http://www.sendmail.org/8.12.8.html>

    Download a patch for 8.* versions:
     <http://www.sendmail.org/patchcr.html>

    For commercial versions, see the patch page:
     <http://www.sendmail.com/support/download/patch_page.shtml>

    ADDITIONAL INFORMATION

    For more information, see:
     * ISS Advisory:
       <http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950>
     * Sendmail Security Alert:
       <http://www.sendmail.com/security/index.shtml>
     * CVE List Candidate:
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1337>
     * Sendmail Press Release:
       <http://store.sendmail.com/cgi-bin/smistore/news/pressrelease.jsp?eventOID=71800&localId=USA>
     * CERT Advisory:
       <http://www.cert.org/advisories/CA-2003-07.html>

    Information was provided by ISS X-Force <mailto:xforce@iss.net>.
