The sendmail overflow bug -- full analysis
John McCormick
Published: 17 Mar 2003 11:11 GMT
CERT Advisory CA-2003-07 has disclosed that a serious, remotely exploitable buffer overflow vulnerability has lurked undiscovered for years in the popular Sendmail SMTP server. Sendmail is responsible for handling more than 50 percent of the e-mail on the Internet.
Details
Although there were earlier alerts concerning this vulnerability, it was the group of Polish "ethical hackers" known as the Last Stage of Delirium that first published a proof of concept for this vulnerability and demonstrated how it could be used for an attack. According to this group, the problem lies in the crackaddr(char* addr) function of the headers.c file, which is a security mechanism.
The original report of this vulnerability came from Internet Security Systems (ISS), which indicated that an attacker could penetrate a Sendmail server simply by sending a specially crafted e-mail message to the server, resulting in remote access to root or superuser control of any vulnerable server, even without the attacker having any specific knowledge of the software running on the server.
ZDNet UK reported the Sendmail bug story here. Sendmail's creatorm, Eric Allman, criticised the LSD group's tactic of releasing a working exploit.
An earlier Sendmail problem was reported in Octobre.
The ISS advisory describes the threat as involving the way Sendmail checks the "To", "From," and "CC" fields. A static buffer is used to store these fields. The problem occurs in one of the several security-checking features used to ensure that the data in these fields are correctly parsed once the buffer is filled up.
ISS reports having "demonstrated that this vulnerability is exploitable in real-world conditions." The company specifies testing and finding the vulnerability to be readily exploitable on x86 systems but says that it may be exploitable on other types of systems as well.
In its proof of concept, the Last Stage of Delirium explicitly stated that there may be other, unexplored vulnerabilities it's not aware of but added that many systems are probably not vulnerable to this exploit.
Risk level--critical
Although there is some debate over just how many systems can actually be exploited by this flaw (see "Mitigating factors" below), the Sendmail vulnerability does exist on a large number of installations, and it is not a good idea to leave the vulnerable version on your servers while the debate rages on. There is no debate about whether the vulnerability can potentially lead to serious damage -- only whether it can be easily exploited on all platforms or only on a few.
Applicability
The CERT Advisory specifically lists the following versions as vulnerable:
- Sendmail Pro (all versions)
- Sendmail Switch 2.1 prior to 2.1.5
- Sendmail Switch 2.2 prior to 2.2.5
- Sendmail Switch 3.0 prior to 3.0.3
- Sendmail for NT 2.X prior to 2.6.2
- Sendmail for NT 3.0 prior to 3.0.3
- Open source Sendmail versions prior to 8.12.8 (including Unix and Linux versions)
To help identify potentially vulnerable systems, ISS has released these assessment checks:
- Internet Scanner XPU 6.24 (MtaDiscovery)
- Internet Scanner XPU 6.26 (SendmailRunning)
- System Scanner SR 3.13 (sendmail-header-processing-bo)
Previous
Did you find this article useful?
69 out of 124 people found this useful
- Share this article:
