Mike Tancsa
2003-Sep-17 06:26 UTC
Fwd: [Full-Disclosure] Sendmail 8.12.9 prescan bug (a new one) [CAN-2003-0694]
More patch-o-rama :-(

---Mike

>From: Michal Zalewski <lcamtuf@dione.ids.pl>
>To: bugtraq@securityfocus.com, <vulnwatch@securityfocus.com>, <full-disclosure@netsys.com>
>Subject: [Full-Disclosure] Sendmail 8.12.9 prescan bug (a new one) [CAN-2003-0694]
>Date: Wed, 17 Sep 2003 11:19:46 +0200 (CEST)
>
>Hello lists,
>
>--------
>Overview
>--------
>
> There seems to be a remotely exploitable vulnerability in Sendmail up to
> and including the latest version, 8.12.9. The problem lies in prescan()
> function, but is not related to previous issues with this code.
>
> The primary attack vector is an indirect invocation via parseaddr(),
> although other routes are possible. Heap or stack structures, depending
> on the calling location, can be overwritten due to the ability to go
> past end of the input buffer in strtok()-alike routines.
>
> This is an early release, thanks to my sheer stupidity.
>
>--------------
>Attack details
>--------------
>
> Local exploitation on little endian Linux is confirmed to be trivial
> via recipient.c and sendtolist(), with a pointer overwrite leading to a
> neat case of free() on user-supplied data, i.e.:
>
> eip = 0x40178ae2
> edx = 0x41414141
> esi = 0x61616161
>
> SEGV in chunk_free (ar_ptr=0x4022a160, p=0x81337e0) at malloc.c:3242
>
> 0x40178ae2 <chunk_free+486>: mov %esi,0xc(%edx)
> 0x40178ae5 <chunk_free+489>: mov %edx,0x8(%esi)
>
> Remote attack is believed to be possible.
>
>----------------
>Workaround / fix
>----------------
>
> Vendor was notified, and released an early patch attached below.
> There are no known workarounds.
>
>Index: parseaddr.c
>==================================================================
>RCS file: /cvs/src/gnu/usr.sbin/sendmail/sendmail/parseaddr.c,v
>retrieving revision 1.16
>diff -u -r1.16 parseaddr.c
>--- parseaddr.c 29 Mar 2003 19:44:01 -0000 1.16
>+++ parseaddr.c 16 Sep 2003 17:37:26 -0000
>@@ -700,7 +700,11 @@
> addr[MAXNAME] = '\0';
> returnnull:
> if (delimptr != NULL)
>+ {
>+ if (p > addr)
>+ p--;
> *delimptr = p;
>+ }
> CurEnv->e_to = saveto;
> return NULL;
> }
>
>--
>------------------------- bash$ :(){ :|:&};: --
> Michal Zalewski * [http://lcamtuf.coredump.cx]
> Did you know that clones never use mirrors?
>--------------------------- 2003-09-16 21:18 --

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
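Review bot: in the parseaddr.c hunk at returnnull:, the new `if (p > addr) p--;` before `*delimptr = p;` carries no comment explaining why p must be backed up one character on the error path, or why p == addr is the one case where it must not be; add a comment stating what callers that resume scanning from *delimptr expect it to point at, so the guard is not later mistaken for a no-op and removed. It is also worth stating explicitly, in that comment or the commit message, that when p == addr the caller now receives a delimiter pointer equal to the start of the input and must not treat that as progress.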