From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 23 Mar 2006 11:21:41 +0200
Subject: [UNIX] Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20060323115516.28CA957D3@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps,
Integer Overflow)
------------------------------------------------------------------------
SUMMARY
<http://www.sendmail.com/>; sendmail is "a powerful, efficient, and
scalable Mail Transport Agent"
Improper timeout calculation, usage of memory jumps and integer overflows
allow attackers to perfom a race condition DoS on sendmail, and may also
execute arbitrary code.
DETAILS
Vulnerable Systems:
* Sendmail version 8.13.5 and prior
* Sendmail version 8.12.10 and prior
Immune Systems:
* Sendmail version 8.13.6
Race condition DoS
Sendmail contains a signal race vulnerability when receiving and
processing mail data from remote clients. Sendmail utilizes a signal
handler for dealing with timeouts that is not async-safe and interruption
of certain functions by this signal handler will cause static data
elements to be left in an inconsistent state. These data elements can be
used to write data to invalid parts of the stack (or heap in some
scenarios), thus taking control of the vulnerable process.
In order to exploit this vulnerability, an attacker simply needs to be
able to connect to sendmail SMTP server. This is a multi-shot exploit,
meaning the attacker can attempt to exploit it an indefinite amount of
times, since sendmail spawns a new process for each connected client.
Memory Jumps:
Unsafe usage of setjmp and longjmp functions allow attackers to redirect
memory jumps and execute arbitrary code.
Integer Overflow:
When calculating the header size, an integer overflow may occur when too
big header size is needed to allocate on unsigned integer causing an
overflow and allow to execute arbitrary code.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058>;
CVE-2006-0058
Vendor Status:
The vendor has issued a fix: <http://www.sendmail.org/8.13.6.html>;
http://www.sendmail.org/8.13.6.html
Patch for Sendmail version 8.13.5 available at:
<ftp://ftp.sendmail.org/pub/sendmail/8.13.5.p0>;
ftp://ftp.sendmail.org/pub/sendmail/8.13.5.p0
Patch for Sendmail version 8.12.11 available at:
<ftp://ftp.sendmail.org/pub/sendmail/8.12.11.p0>;
ftp://ftp.sendmail.org/pub/sendmail/8.12.11.p0
Disclosure Timeline:
Feb 14, 2006 Initial verndor notification
Mar 22, 2006 Initial alert release
ADDITIONAL INFORMATION
The information has been provided by ISS and SecuriTeam
The original article can be found at:
<http://xforce.iss.net/xforce/alerts/id/216>;
http://xforce.iss.net/xforce/alerts/id/216
The vendor advisory can be found at:
<http://www.sendmail.org/8.13.6.html>; http://www.sendmail.org/8.13.6.html
More information can be found in Gadi Evron's blog at SecuriTeam:
<http://blogs.securiteam.com/index.php/archives/363>;
http://blogs.securiteam.com/index.php/archives/363
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
