[UNIX] Sendmail 8.12.9 Prescan Bug (parseaddr(), prescan(), sendtolist())

• Previous message: SecuriTeam: "[EXPL] Exploit Code Released for Buffer Overflow in Liquidwar"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 18 Sep 2003 15:51:45 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Sendmail 8.12.9 Prescan Bug (parseaddr(), prescan(), sendtolist())
------------------------------------------------------------------------

SUMMARY

There seems to be a remotely exploitable vulnerability in Sendmail up to
and including the latest version, 8.12.9. The problem lies in prescan()
function, but is not related to previous issues with this code.

The primary attack vector is an indirect invocation via parseaddr(),
although other routes are possible. Heap or stack structures, depending on
the calling location, can be overwritten due to the ability to go past end
of the input buffer in strtok()-alike routines.

DETAILS

Vulnerable systems:
 * Sendmail version 8.12.9

Immune systems:
 * Sendmail version 8.12.10

Local exploitation on little endian Linux is confirmed to be trivial via
recipient.c and sendtolist(), with a pointer overwrite leading to a neat
case of free() on user-supplied data, i.e.:
  eip = 0x40178ae2
  edx = 0x41414141
  esi = 0x61616161

SEGV in chunk_free (ar_ptr=0x4022a160, p=0x81337e0) at malloc.c:3242

  0x40178ae2 <chunk_free+486>: mov %esi,0xc(%edx)
  0x40178ae5 <chunk_free+489>: mov %edx,0x8(%esi)

Remote attack is believed to be possible.

Workaround / Fix:
Vendor was notified, and released an early patch attached below. There are
no known workarounds.

Patch:
Index: parseaddr.c
 ===================================================================
RCS file: /cvs/src/gnu/usr.sbin/sendmail/sendmail/parseaddr.c,v
retrieving revision 1.16
diff -u -r1.16 parseaddr.c
--- parseaddr.c 29 Mar 2003 19:44:01 -0000 1.16
+++ parseaddr.c 16 Sep 2003 17:37:26 -0000
 -700,7 +700,11
                                                addr[MAXNAME] = '\0';
        returnnull:
                                        if (delimptr != NULL)
+ {
+ if (p > addr)
+ p--;
                                                *delimptr = p;
+ }
                                        CurEnv->e_to = saveto;
                                        return NULL;
                                }

ADDITIONAL INFORMATION

The information has been provided by <mailto:lcamtuf@dione.ids.pl> Michal
Zalewski.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[EXPL] Exploit Code Released for Buffer Overflow in Liquidwar"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]