lug-bg: Sendmail: -1 gone wild
From: Michal Zalewski [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Sendmail: -1 gone wild
CVE: CAN-2003-0161
CERT: VU#897604

There is a vulnerability in Sendmail versions 8.12.8 and prior. The address parser performs insufficient bounds checking in certain conditions due to a char to int conversion, making it possible for an attacker to take control of the application. This problem is not related to the recent ISS vulnerability announcement.

It is possible for the attacker to repeatedly skip the length check location in this function because of an unfortunate construction of a special control value check. A special value, NOCHAR, is defined as -1. There is a variable 'c', also used to store the last read character, declared as int, and the variable will sometimes be assigned the value of NOCHAR to indicate a special condition.

Since precise control of the overwrite process is possible (length, offset and layout are up to the attacker), even though the values are mostly fixed, it is reasonable to expect that this vulnerability will be easy to exploit on little endian systems. Even on big endian systems, it might still be possible to alter important control variables on the stack, and you are generally advised to upgrade.
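The sentinel collision the advisory describes, as an added educator's sketch that is not Sendmail's code and not code from this thread: the NOCHAR define, the length-checked copy loop and the sample bytes are all constructed, and the unsigned-char read stands in for the fix.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sketch of the bug class in the advisory (not Sendmail's code):
 * the sentinel NOCHAR == -1 shares a value with a sign-extended 0xFF byte. */
#define NOCHAR (-1)

/* Scan n input bytes into out[outsz].  The length check is guarded by the
 * sentinel test, so a c equal to NOCHAR reaches the store without it.
 * Returns how many bytes would have landed past the end of out; the demo
 * clamps the stores so it never corrupts memory itself. */
static size_t scan(const char *in, size_t n, char *out, size_t outsz,
                   int read_as_unsigned)
{
    size_t len = 0, overrun = 0;
    for (size_t i = 0; i < n; i++) {
        /* Buggy read: char -> int sign-extends 0xFF to -1 (made explicit with
         * signed char so the demo behaves the same on unsigned-char ABIs).
         * Fixed read: unsigned char -> int yields 0..255, never NOCHAR. */
        int c = read_as_unsigned ? (int)(unsigned char)in[i]
                                 : (int)(signed char)in[i];
        if (c != NOCHAR && len >= outsz)
            break;                       /* the length check */
        if (len < outsz)
            out[len] = (char)c;
        else
            overrun++;                   /* would have written out of bounds */
        len++;
    }
    return overrun;
}

/* Constructed sample: three ordinary bytes followed by six 0xFF bytes. */
static const unsigned char sample[] = { 'a', 'b', 'c',
                                        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };

/* Overrun for the sample against a 4-byte buffer: 5 with the signed read
 * (every 0xFF byte looks like NOCHAR), 0 with the unsigned read. */
size_t demo_overrun(int read_as_unsigned)
{
    char out[4];
    return scan((const char *)sample, sizeof sample, out, sizeof out,
                read_as_unsigned);
}

int main(void)
{
    printf("signed char read:   %zu bytes past the buffer\n", demo_overrun(0));
    printf("unsigned char read: %zu bytes past the buffer\n", demo_overrun(1));
    return 0;
}
```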
Re: lug-bg: Sendmail: -1 gone wild
Nickola Kolev wrote:
> From: Michal Zalewski [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Sendmail: -1 gone wild
> CVE: CAN-2003-0161
> CERT: VU#897604
> [...]

full-disclosure . , bugtraq .

--
Georgi Chorbadzhiyski
http://georgi.unixsol.org/

A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html