[UNIX] Sendmail 8.12.9 Prescan Bug (parseaddr(), prescan(), sendtolist())

From: SecuriTeam (support_at_securiteam.com)
Date: 09/18/03

  • Next message: SecuriTeam: "[NEWS] Multiple IBM DB2 Stack Overflow Vulnerabilities" 
    To: list@securiteam.com
Date: 18 Sep 2003 15:51:45 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Sendmail 8.12.9 Prescan Bug (parseaddr(), prescan(), sendtolist())
    ------------------------------------------------------------------------

    SUMMARY

    There seems to be a remotely exploitable vulnerability in Sendmail up to
    and including the latest version, 8.12.9. The problem lies in prescan()
    function, but is not related to previous issues with this code.

    The primary attack vector is an indirect invocation via parseaddr(),
    although other routes are possible. Heap or stack structures, depending on
    the calling location, can be overwritten due to the ability to go past end
    of the input buffer in strtok()-alike routines.

    DETAILS

    Vulnerable systems:
     * Sendmail version 8.12.9

    Immune systems:
     * Sendmail version 8.12.10

    Local exploitation on little endian Linux is confirmed to be trivial via
    recipient.c and sendtolist(), with a pointer overwrite leading to a neat
    case of free() on user-supplied data, i.e.:
      eip = 0x40178ae2
      edx = 0x41414141
      esi = 0x61616161

    SEGV in chunk_free (ar_ptr=0x4022a160, p=0x81337e0) at malloc.c:3242

      0x40178ae2 <chunk_free+486>: mov %esi,0xc(%edx)
      0x40178ae5 <chunk_free+489>: mov %edx,0x8(%esi)

    Remote attack is believed to be possible.

    Workaround / Fix:
    Vendor was notified, and released an early patch attached below. There are
    no known workarounds.

    Patch:
    Index: parseaddr.c
     ===================================================================
    RCS file: /cvs/src/gnu/usr.sbin/sendmail/sendmail/parseaddr.c,v
    retrieving revision 1.16
    diff -u -r1.16 parseaddr.c
    --- parseaddr.c 29 Mar 2003 19:44:01 -0000 1.16
    +++ parseaddr.c 16 Sep 2003 17:37:26 -0000
     -700,7 +700,11
                                                    addr[MAXNAME] = '\0';
            returnnull:
                                            if (delimptr != NULL)
    + {
    + if (p > addr)
    + p--;
                                                    *delimptr = p;
    + }
                                            CurEnv->e_to = saveto;
                                            return NULL;
                                    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:lcamtuf@dione.ids.pl> Michal
    Zalewski.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NEWS] Multiple IBM DB2 Stack Overflow Vulnerabilities"

    Relevant Pages