lug-bg: Sendmail: -1 gone wild
- Subject: lug-bg: Sendmail: -1 gone wild
- From: nikky@email.domain.hidden (Nickola Kolev)
- Date: Sun, 30 Mar 2003 14:32:11 +0300
From: Michal Zalewski <lcamtuf_at_ghettot.org>
To: <bugtraq_at_securityfocus.com>
Subject: Sendmail: -1 gone wild
CVE: CAN-2003-0161
CERT: VU#897604
There is a vulnerability in Sendmail versions 8.12.8 and prior. The
address parser performs insufficient bounds checking in certain conditions
due to a char to int conversion, making it possible for an attacker to
take control of the application. This problem is not related to the recent
ISS vulnerability announcement.
It is possible for the attacker to repeatedly skip the length check
location in this function because of an unfortunate construction of a
"special" control value check. A special value, NOCHAR, is defined as -1.
There is a variable 'c', also used to store last read character, declared
as int, and the variable will be sometimes assigned the value of NOCHAR to
indicate a special condition.
Since precise control of the overwrite process is possible (length, offset
and layout are up to the attacker), even though the values are mostly
fixed, it is reasonable to expect that this vulnerability will be easy to
exploit on little endian systems. Even on big endian systems, it might be
still possible to alter important control variables on the stack, and you
are generally advised to upgrade.
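The mechanism the advisory describes, as an added C sketch that is neither Zalewski's code nor Sendmail's prescan(): a toy loop reads bytes into an int `c` with NOCHAR defined as -1, showing why a 0xFF byte read through a signed char collides with the sentinel and skips the length check, and how widening through unsigned char removes the collision. The buffer limit MAXTOK and the sample input are constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>

#define NOCHAR (-1)  /* "no character" sentinel, as the advisory describes */
#define MAXTOK 8     /* constructed: tiny token buffer limit for the demo */

/* Models the bug class only; this is not Sendmail's prescan() code.
 * 'c' is an int holding the last byte read. The length check sits inside
 * the "ordinary character" branch, so any byte whose int value equals NOCHAR
 * bypasses it. Reading through a signed char makes 0xFF sign-extend to -1,
 * colliding with the sentinel. Returns how many bytes the buggy loop would
 * have stored beyond MAXTOK; nothing is written out of bounds here. */
static size_t bytes_past_limit(const char *in, size_t len, int read_unsigned)
{
    size_t stored = 0, past = 0;
    for (size_t i = 0; i < len; i++) {
        /* fixed form: widen via unsigned char so every byte is 0..255 and
           can never compare equal to the negative sentinel */
        int c = read_unsigned ? (int)(unsigned char)in[i]
                              : (int)(signed char)in[i]; /* buggy form */
        if (c != NOCHAR) {
            if (stored >= MAXTOK)   /* the length check the advisory mentions */
                break;
        }
        /* store the byte (simulated); when c == NOCHAR the check above was
           skipped, so this step runs even though the buffer is already full */
        if (stored < MAXTOK) stored++; else past++;
    }
    return past;
}

/* Constructed sample: 8 ordinary bytes fill the buffer, then four 0xFF bytes. */
size_t demo(int read_unsigned)
{
    static const char sample[] = "abcdefgh\xff\xff\xff\xff";
    return bytes_past_limit(sample, sizeof sample - 1, read_unsigned);
}

int main(void)
{
    printf("signed char read:   %zu bytes past limit\n", demo(0));   /* 4 */
    printf("unsigned char read: %zu bytes past limit\n", demo(1));   /* 0 */
    return 0;
}
```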
--
_____________________________________________________________
Regards,
Nikola
============================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
============================================================================