[1050] in bugtraq
Re: Sendmail 8.6.9 security hole
daemon@ATHENA.MIT.EDU (Christopher Samuel)
Thu Feb 23 10:09:16 1995
To: "Igor V. Semenyuk" <iga@sovam.com>
Cc: bugtraq@fc.net
In-Reply-To: <199502230035.AA26027@charybda.sovam.com>
Date: Thu, 23 Feb 1995 11:43:13 +0000
From: Christopher Samuel <chris@rivers.dra.hmg.gb>
In message <199502230035.AA26027@charybda.sovam.com>,
"Igor V. Semenyuk" <iga@sovam.com> writes:
> Does anybody know details of the security hole(s) in 8.6.9 fixed
> in 8.6.10?
>
> Is IDA sendmail vulnerable to these attacks?
I've had a quick scan of the patch to take 8.6.9 to 8.6.10 (it's all
I've got time for, I'm afraid) and the changes to the IDENT service
appear to concern stopping people returning information that overflows
the buffer and/or contains new-lines.
It introduces two new functions:
1) CLEANSTRCPY -- copy string keeping out bogus characters
2) DENLSTRING -- convert newlines in a string to spaces
The interesting bit comes from the second, to quote:
+ #ifdef LOG
+ p = macvalue('_', CurEnv);
+ syslog(LOG_ALERT, "POSSIBLE ATTACK from %s: newline in string \"%s\"",
+ p == NULL ? "[UNKNOWN]" : p, bp);
+ #endif
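Review bot: the syslog() call at the end of this fragment interpolates both the `_` macro value and `bp` with plain `%s` at LOG_ALERT; since this sits in DENLSTRING, whose purpose is to turn newlines into spaces, make sure `bp` is the converted copy rather than the raw input, otherwise the remote string could still split or forge the very alert line meant to report it. The `p == NULL ? "[UNKNOWN]" : p` guard on `macvalue('_', CurEnv)` is correct and worth keeping, and a short comment saying that the logged value has already been sanitised would help, since readers of the patch cannot tell that from these five lines alone.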
Chris
--
Christopher Samuel Open Software Systems Group chris@rivers.dra.hmg.gb
N-115, Defence Research Agency, St Andrews Road, Great Malvern, England, UK
"To no man will we sell, or delay, or deny, right or justice" -- Magna Carta
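The two sanitizers Chris describes (a bounded copy that keeps out bogus characters, and a newline-to-space conversion before the value reaches syslog) are shown below as an added example. This is not sendmail's code; the function names `clean_strcpy` and `denl_string`, the return values counting what was discarded or neutralised, and the sample IDENT reply are all constructed for this illustration.

```c
/*
 * Added example (not sendmail's code): bounded sanitizers in the spirit of
 * the CLEANSTRCPY / DENLSTRING fix described in the message above.
 * Function names and the sample IDENT reply below are constructed for this
 * illustration and do not come from the sendmail source.
 */
#include <stdio.h>
#include <string.h>

/*
 * clean_strcpy: copy at most n-1 bytes of src into dst, dropping anything
 * that is not printable ASCII (controls, newlines, 8-bit bytes).  Always
 * NUL-terminates dst, so an over-long remote reply cannot overrun it.
 * Returns the number of source bytes that were discarded (bad or truncated).
 */
static size_t
clean_strcpy(char *dst, const char *src, size_t n)
{
    size_t out = 0, dropped = 0;

    if (n == 0)
        return 0;
    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;
        if (c < 0x20 || c > 0x7e) {   /* reject controls and non-ASCII */
            dropped++;
            continue;
        }
        if (out + 1 >= n) {            /* no room left: truncate, count it */
            dropped++;
            continue;
        }
        dst[out++] = (char)c;
    }
    dst[out] = '\0';
    return dropped;
}

/*
 * denl_string: copy src into dst (bounded to n bytes) replacing every
 * newline or carriage return with a space, so the value cannot be used
 * to fake a second log line when it is later handed to syslog().
 * Returns the number of line breaks that were neutralised.
 */
static size_t
denl_string(char *dst, const char *src, size_t n)
{
    size_t out = 0, fixed = 0;

    if (n == 0)
        return 0;
    for (; *src != '\0' && out + 1 < n; src++) {
        char c = *src;
        if (c == '\n' || c == '\r') {
            c = ' ';
            fixed++;
        }
        dst[out++] = c;
    }
    dst[out] = '\0';
    return fixed;
}

/*
 * Demonstration on a constructed IDENT response: the remote side tries to
 * smuggle a line break and a control character into the string that the
 * server would later log.
 */
static const char sample_reply[] =
    "alice\nPOSSIBLE ATTACK from [UNKNOWN]: forged\x07";

int
main(void)
{
    char buf[64];
    char small[8];
    size_t dropped, fixed;

    fixed = denl_string(buf, sample_reply, sizeof buf);
    printf("denl_string: %zu line break(s) -> \"%s\"\n", fixed, buf);

    dropped = clean_strcpy(buf, sample_reply, sizeof buf);
    printf("clean_strcpy: %zu byte(s) dropped -> \"%s\"\n", dropped, buf);

    /* A tiny buffer shows the bound being enforced rather than overflowed. */
    clean_strcpy(small, "averylongusername", sizeof small);
    printf("bounded copy: \"%s\" (%zu chars)\n", small, strlen(small));
    return 0;
}
```

The point of keeping both routines is that they answer different questions: `clean_strcpy` decides what is allowed into the buffer at all, while `denl_string` guarantees that whatever does get logged occupies exactly one line, which is what stops a remote reply from forging entries in the alert log that is supposed to report it.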