[62344] in North American Network Operators' Group
FW: Sendmail 8.12.9 prescan bug (a new one) [CAN-2003-0694]
daemon@ATHENA.MIT.EDU (Avery Buffington)
Wed Sep 17 17:06:59 2003
Date: Wed, 17 Sep 2003 16:06:46 -0500
From: "Avery Buffington" <avery.buffington@fxfn.com>
To: <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
-----Original Message-----
From: Michal Zalewski [mailto:lcamtuf@dione.ids.pl]
Sent: Wednesday, September 17, 2003 4:20 AM
To: bugtraq@securityfocus.com; vulnwatch@securityfocus.com;
full-disclosure@netsys.com
Subject: Sendmail 8.12.9 prescan bug (a new one) [CAN-2003-0694]
Hello lists,
--------
Overview
--------
There seems to be a remotely exploitable vulnerability in Sendmail up to
and including the latest version, 8.12.9. The problem lies in the prescan()
function, but is not related to previous issues with this code.
The primary attack vector is an indirect invocation via parseaddr(),
although other routes are possible. Heap or stack structures, depending
on the calling location, can be overwritten due to the ability to go
past the end of the input buffer in strtok()-alike routines.
This is an early release, thanks to my sheer stupidity.
--------------
Attack details
--------------
Local exploitation on little endian Linux is confirmed to be trivial
via recipient.c and sendtolist(), with a pointer overwrite leading to a
neat case of free() on user-supplied data, i.e.:
eip = 0x40178ae2
edx = 0x41414141
esi = 0x61616161
SEGV in chunk_free (ar_ptr=0x4022a160, p=0x81337e0) at malloc.c:3242
0x40178ae2 <chunk_free+486>: mov %esi,0xc(%edx)
0x40178ae5 <chunk_free+489>: mov %edx,0x8(%esi)
Remote attack is believed to be possible.
----------------
Workaround / fix
----------------
Vendor was notified, and released an early patch attached below.
There are no known workarounds.
Index: parseaddr.c
===================================================================
RCS file: /cvs/src/gnu/usr.sbin/sendmail/sendmail/parseaddr.c,v
retrieving revision 1.16
diff -u -r1.16 parseaddr.c
--- parseaddr.c 29 Mar 2003 19:44:01 -0000 1.16
+++ parseaddr.c 16 Sep 2003 17:37:26 -0000
@@ -700,7 +700,11 @@
addr[MAXNAME] =3D '\0';
returnnull:
if (delimptr !=3D NULL)
+ {
+ if (p > addr)
+ p--;
*delimptr =3D p;
+ }
CurEnv->e_to =3D saveto;
return NULL;
}
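Review bot: the new `if (p > addr) p--;` at returnnull carries no comment explaining why the delimiter pointer is stepped back; a one-line comment stating that p has already been advanced past the character that ended the scan (and, at end of input, past the buffer) when control reaches returnnull, so `*delimptr` must be moved back to stay inside addr, would make the intent clear to the next maintainer. The `p > addr` guard is correct as written, since it keeps p from moving before the start of the buffer in the case where nothing was consumed, and that boundary case (an empty or immediately-terminated input) is worth a regression test alongside the patch.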
-- 
------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2003-09-16 21:18 --
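The advisory above describes a strtok()-style scan that can leave its delimiter pointer one past the end of the input, and the attached patch steps that pointer back at returnnull. As an added illustration of that bug class (this is not Sendmail's code and not part of the original message; the functions scan_unsafe, scan_fixed and scan_offset and the sample inputs are constructed for this example), the toy scanner below returns the position just after the character that stopped it, which lands outside the string when the terminating NUL is what stopped it; the fixed variant applies the same `if (p > addr) p--;` guard the patch adds.

```c
/*
 * Added example, not Sendmail code: a minimal delimiter scanner that
 * shows the off-by-one the advisory describes and the step-back fix.
 *
 * Contract for both variants: return a pointer to the character that
 * ended the scan (the delimiter or the terminating NUL), so the caller
 * can use it as *delimptr without ever leaving the buffer.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Buggy variant: the post-increment consumes the stopping character,
 * so the returned pointer is one past it.  When the stopping character
 * is the NUL terminator, the pointer is outside the string entirely. */
static const char *scan_unsafe(const char *addr, char delim)
{
    const char *p = addr;
    char c;

    while ((c = *p++) != '\0' && c != delim)
        ;                       /* consume until delimiter or NUL */
    return p;                   /* one past c: may equal addr + strlen(addr) + 1 */
}

/* Fixed variant: same loop, followed by the guard from the patch.  If the
 * scan advanced at all, step back onto the character that stopped it; the
 * p > addr check keeps us from moving before the start of the buffer. */
static const char *scan_fixed(const char *addr, char delim)
{
    const char *p = addr;
    char c;

    while ((c = *p++) != '\0' && c != delim)
        ;
    if (p > addr)
        p--;                    /* now points at delim or at the NUL */
    return p;
}

/* Offset of the returned delimiter pointer from the start of the buffer.
 * A safe scanner never returns an offset greater than strlen(addr). */
static ptrdiff_t scan_offset(const char *(*scan)(const char *, char),
                             const char *addr, char delim)
{
    return scan(addr, delim) - addr;
}

/* 1 if the returned pointer stays inside the string (at most on its NUL). */
static int scan_in_bounds(const char *(*scan)(const char *, char),
                          const char *addr, char delim)
{
    return scan_offset(scan, addr, delim) <= (ptrdiff_t)strlen(addr);
}

int main(void)
{
    /* Constructed sample inputs: one with a delimiter, one without, one empty. */
    const char *samples[] = { "user@example.invalid", "nodelim", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-22s unsafe=%td (%s)  fixed=%td (%s)  len=%zu\n",
               samples[i][0] ? samples[i] : "\"\"",
               scan_offset(scan_unsafe, samples[i], '@'),
               scan_in_bounds(scan_unsafe, samples[i], '@') ? "ok" : "PAST END",
               scan_offset(scan_fixed, samples[i], '@'),
               scan_in_bounds(scan_fixed, samples[i], '@') ? "ok" : "PAST END",
               strlen(samples[i]));
    }
    return 0;
}
```

The "nodelim" and empty inputs are the cases that matter: the unsafe scanner reports an offset of strlen(addr) + 1, i.e. a pointer beyond the NUL, which a caller that later reads or writes through `*delimptr` would use to touch memory outside the buffer. The guarded variant returns strlen(addr) at most, and on the delimiter case it points at the delimiter itself rather than one past it.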