Re: lug-bg: Sendmail: -1 gone wild
- Subject: Re: lug-bg: Sendmail: -1 gone wild
- From: gf@email.domain.hidden (Georgi Chorbadzhiyski)
- Date: Sun, 30 Mar 2003 16:05:38 +0300
Nickola Kolev wrote:
<em class="quotelev1">> From: Michal Zalewski <lcamtuf_at_ghettot.org>
<em class="quotelev1">> To: <bugtraq_at_securityfocus.com>
<em class="quotelev1">> Subject: Sendmail: -1 gone wild
<em class="quotelev1">>
<em class="quotelev1">> CVE: CAN-2003-0161
<em class="quotelev1">> CERT: VU#897604
<em class="quotelev1">>
<em class="quotelev1">>
<em class="quotelev1">> There is a vulnerability in Sendmail versions 8.12.8 and prior. The
<em class="quotelev1">> address parser performs insufficient bounds checking in certain conditions
<em class="quotelev1">> due to a char to int conversion, making it possible for an attacker to
<em class="quotelev1">> take control of the application. This problem is not related to the recent
<em class="quotelev1">> ISS vulnerability announcement.
<em class="quotelev1">>
<em class="quotelev1">> It is possible for the attacker to repeatedly skip the length check
<em class="quotelev1">> location in this function because of an unfortunate construction of a
<em class="quotelev1">> "special" control value check. A special value, NOCHAR, is defined as -1.
<em class="quotelev1">> There is a variable 'c', also used to store last read character, declared
<em class="quotelev1">> as int, and the variable will be sometimes assigned the value of NOCHAR to
<em class="quotelev1">> indicate a special condition.
<em class="quotelev1">>
<em class="quotelev1">> Since precise control of the overwrite process is possible (length, offset
<em class="quotelev1">> and layout are up to the attacker), even though the values are mostly
<em class="quotelev1">> fixed, it is reasonable to expect that this vulnerability will be easy to
<em class="quotelev1">> exploit on little endian systems. Even on big endian systems, it might be
<em class="quotelev1">> still possible to alter important control variables on the stack, and you
<em class="quotelev1">> are generally advised to upgrade.
Îò îêîëî ñåäìèöà ñå îáñúæäà â full-disclosure ìåéëèíã ëèñòà. Ïðåïîðú÷âàì íà
âñè÷êè äà ñå çàïèøàò çà íåãî, â bugtraq íàïîñëåäúê íåùàòàòà ñå áàààààààâÿò
äîñòà.
<p>
--
Georgi Chorbadzhiyski
http://georgi.unixsol.org/
============================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
============================================================================
|