
Sendmail vulnerable to buffer overflow when DNS map is specified using TXT records

2002-06-28 00:00:00
www.kb.cert.org

CVSS2 base score: 10 High

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.659 Medium (percentile 97.9%)

Overview

A remotely exploitable buffer overflow exists in Sendmail, versions 8.12.0 through 8.12.4. This vulnerability only exhibits itself if you have modified the configuration file to look up TXT records in DNS.

Description

The buffer overflow occurs in the portion of code that processes responses from DNS servers. Please note that the Sendmail Consortium has indicated that this vulnerability is not present in the standard Sendmail distribution because the option that can trigger the exposure is not enabled. For more details, please see the Sendmail announcement.


Impact

A remote attacker may be able to execute arbitrary code with the privileges of the Sendmail daemon, typically root. Note that there is no known exploit for this vulnerability.


Solution

Upgrade to Sendmail 8.12.5 or apply the appropriate vendor-supplied patch.
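The note ties exposure to two conditions at once: a Sendmail version in the 8.12.0 through 8.12.4 range, and a configuration that defines a DNS map requesting TXT records. The following is an added configuration check written for this note; it is not code from the CERT/CC or from the Sendmail project. It assumes the sendmail.cf map syntax `K<name> dns -R TXT` (the dns map class selects the record type with `-R`) and a version banner of the form `Version 8.12.x`, as printed by `sendmail -d0.1 -bv root`. The sendmail.cf fragment below is constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range stated in the vulnerability note: 8.12.0 through 8.12.4 inclusive.
AFFECTED_MIN = (8, 12, 0)
AFFECTED_MAX = (8, 12, 4)

# Constructed sample sendmail.cf fragment (not taken from any real host).
# Two K lines define dns-class maps that ask for TXT records, which is the
# configuration the note says reaches the vulnerable response-processing code.
SAMPLE_CF = """\
# sample map definitions (constructed)
Kaccess hash -T<TMPF> /etc/mail/access
Kmxlookup dns -R MX
Kdnstxt dns -R TXT
# commented out, must not count:
#Kold dns -R TXT
Kcase dns -a. -R txt
"""

_VERSION_RE = re.compile(r"\bVersion\s+(\d+)\.(\d+)\.(\d+)")
_KLINE_RE = re.compile(r"^K(\S+)\s+dns\b(.*)$")


def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a banner such as 'Version 8.12.3'.
    Returns None when no version is present."""
    m = _VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def version_in_affected_range(version: Tuple[int, int, int]) -> bool:
    """True when the version falls inside 8.12.0 .. 8.12.4 (inclusive)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def find_txt_dns_maps(cf_text: str) -> List[str]:
    """Return the names of K maps of class 'dns' whose options request TXT
    records via -R (either '-R TXT' or the attached '-RTXT' form).
    Comment lines and non-dns maps are ignored."""
    names: List[str] = []
    for raw in cf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KLINE_RE.match(line)
        if not m:
            continue
        name, opts = m.group(1), m.group(2)
        tokens = opts.split()
        for i, tok in enumerate(tokens):
            # separate form: -R TXT
            if tok == "-R" and i + 1 < len(tokens) and tokens[i + 1].upper() == "TXT":
                names.append(name)
                break
            # attached form: -RTXT
            if tok.startswith("-R") and tok[2:].upper() == "TXT":
                names.append(name)
                break
    return names


def assess(banner: str, cf_text: str) -> Dict[str, object]:
    """Combine both conditions from the note: affected version AND a TXT dns map."""
    version = parse_version(banner)
    maps = find_txt_dns_maps(cf_text)
    exposed = version is not None and version_in_affected_range(version) and bool(maps)
    return {"version": version, "txt_dns_maps": maps, "exposed": exposed}


if __name__ == "__main__":
    # Constructed banner; on a real host feed the output of `sendmail -d0.1 -bv root`
    # and the contents of /etc/mail/sendmail.cf instead.
    print(assess("Version 8.12.3", SAMPLE_CF))
```

A default sendmail.cf defines no dns map at all, so the check reports no exposure there, consistent with the Sendmail Consortium's statement that the standard distribution is not affected; only a locally added `K... dns -R TXT` map on an 8.12.0 through 8.12.4 build flags as exposed, and the remedy is the upgrade to 8.12.5 named above.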


Vendor Information


Apple Computer Inc.: Affected

Updated: December 20, 2004

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

APPLE-SA-2003-02-25 Mac OS X 10.2.4 Server

Mac OS X 10.2.4 Server Software Update is now available. It contains fixes for the following potential security issues:

  • QuickTime Streaming Server: Fixes CAN-2003-0050 QTSS Arbitrary command execution. The QuickTime Streaming Administration Server relies on the parse_xml.cgi application to authenticate and interface with the user. This CGI can pass unvalidated input which could allow a remote attacker to execute arbitrary code on the server and to gain root privileges. Credit to Dave G. from @stake, Inc. for finding this vulnerability.

  • QuickTime Streaming Server: Fixes CAN-2003-0051 QTSS Physical path revelation. The QuickTime Streaming Administration Server relies on the parse_xml.cgi application to authenticate and interface with the user. This CGI could be used to reveal the physical path upon which the Darwin/Quicktime Administration Servers are installed within. Credit to @stake, Inc. for finding this vulnerability.

  • QuickTime Streaming Server: Fixes CAN-2003-0052 QTSS Directory listings. The QuickTime Streaming Administration Server relies on the parse_xml.cgi application to authenticate and interface with the user. This CGI could be used to reveal arbitrary directory listings due to the lack of user input validation within the application. Credit to Ollie Whitehouse from @stake, Inc. for finding this vulnerability.

  • QuickTime Streaming Server: Fixes CAN-2003-0053 QTSS Login credentials. The QuickTime Streaming Administration Server relies on the parse_xml.cgi application to authenticate and interface with the user. A vulnerability in the handling of error messages from this CGI could be used in a cross-site scripting attack to gain valid login credentials. Credit to Ollie Whitehouse from @stake, Inc. for finding this vulnerability.

  • QuickTime Streaming Server: Fixes CAN-2003-0054 Arbitrary command execution when viewing QTSS logs. If an unauthenticated user of QuickTime Streaming Server makes a request to the streaming port, the request is then written to the log file. It is possible to craft the request such that arbitrary code can be executed when the logs are viewed by the system administrator via a browser. Credit to Ollie Whitehouse from @stake, Inc. for finding this vulnerability.

  • QuickTime Streaming Server: Fixes CAN-2003-0055 Buffer overflow in MP3 Broadcasting application. There is a buffer overflow in the stand-alone MP3Broadcaster application. An MP3 file which has a filename of over 256 bytes will cause a buffer overflow to occur. This could be used by local/ftp users to obtain elevated privileges. Credit to Ollie Whitehouse from @stake, Inc. for finding this vulnerability.

  • Sendmail: Fixes CAN-2002-0906 Buffer overflow in Sendmail before 8.12.5, when configured to use a custom DNS map to query TXT records, could permit a denial of service attack and possibly allow execution of arbitrary code. Mac OS X 10.2.4 contains Sendmail 8.12.6 with the SMRSH fix applied to also address CAN-2002-1165.

  • AFP: Fixes CAN-2003-0049 “AFP login permissions for the system administrator”. Provides an option whereby a system administrator may or may not be allowed to log in as a user, authenticating via their admin password. Previously, administrators could always log in as a user, authenticating via their own admin password.

  • Classic: Fixes CAN-2003-0088, where an attacker may change an environment variable to create arbitrary files or overwrite existing files, which could lead to obtaining elevated privileges. Credit to Dave G. from @stake, Inc. for discovering this issue.

  • Samba: Previous releases of Mac OS X are not vulnerable to CAN-2002-1318, an issue in Samba’s length checking for encrypted password changes. Mac OS X currently uses Directory Services for authentication, and does not call the vulnerable Samba function. However, to prevent a potential future exploit via this function, the patch from Samba 2.2.7 was applied although the version of Samba was not changed for this update release. Further information is available from: <http://samba.org/samba/whatsnew/samba-2.2.7.html>

  • Integrated WebDAV Digest Authentication: The mod_digest_apple Apache module has been added to more easily enable digest authentication for an existing WebDAV realm. This eliminates the need to maintain a separate digest file containing the list of authorized users, passwords, and realms. mod_digest_apple works in coordination with Open Directory for user authentication. For further details, open the Help Viewer after installing Mac OS X Server version 10.2.4, select Mac OS X Server Help in the drawer, and search for “New: Enabling Integrated WebDAV Digest Authentication.”

Mac OS X 10.2.4 Server Software Update may be obtained from:

  • Software Update pane in System Preferences
  • OR -
  • Apple’s Software Downloads web site:

Updating from Mac OS X Server 10.2.3:
<http://www.info.apple.com/kbnum/n70171>
The download file is named: “MacOSXServerUpdate10.2.4.dmg”
Its SHA-1 digest is: 65d6411dbe5855e894c5406ac35228f568240f26

Updating from Mac OS X Server 10.2, 10.2.1, or 10.2.2:
<http://www.info.apple.com/kbnum/n70172>
The download file is named: “MacOSXSrvrUpdCombo10.2.4.dmg”
Its SHA-1 digest is: 41e441d737165ed0ed5166691dc39caba5e1dbce

Information is also posted to the Apple Support web site:
<http://docs.info.apple.com/article.html?artnum=61798>

This message is signed with Apple’s Product Security PGP key, and details are available at:
<http://www.apple.com/support/security/security_pgp.html>
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3

iQEVAwUBPlurUCFlYNdE6F9oAQGy0AgAlUiHPrjpL+GLCn7LKAYyKQLZkog6bK2O
IIvTVhx8UYycQT6a6ykglJqnNu2bDfil67IkvaaQJXlUgNP/S6KRYK3vgZWMO3f4
318RaUlfXES9eQZLS1HI5yIkJvvoeUko9or9+0rr7L8xoOfDDUTukAAKZqIPme8d
XQ/tAWzVNUd/qGxXfAzj6fExWPt/dMm98aSNf0ZeCH4cpqs6EjgR9wYONjtXBWUO
7rKY7/bhKVNIFfmtJxsfNv715yEAg0bi5Z/fIAth5Up8Z2OoQbM3fGtap05KTEEz
u3b1KLoQeLyRwTGgT4aoMAAbn/9gNw32kDA35rB/JWvDC39EezlqpQ==
=Tp5B
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.


Sendmail: Affected

Updated: June 28, 2002

Status

Affected

Vendor Statement

Please see <http://www.sendmail.org/8.12.5.html>.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Sun Microsystems Inc.: Affected

Updated: December 20, 2004

Status

Affected

Vendor Statement

Please see <http://sunsolve.sun.com/search/document.do?assetkey=1-26-57696-1> for Solaris 9 resolution, and <http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-21-113575-01-1> for other Sun OS versions.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Acknowledgements

The CERT/CC thanks Eric Allman and Gregory Shapiro for helping us construct this document.

This document was written by Ian A Finlay and Jeffrey Havrilla.

Other Information

CVE IDs: CVE-2002-0906
Severity Metric: 28.35
Date Public:
