Sendmail address parsing buffer overflow

2003-03-29T00:00:00
ID VU:897604
Type cert
Reporter CERT
Modified 2003-09-25T00:00:00

Description

Overview

Sendmail contains a buffer overflow in code that parses email addresses. A remote attacker could execute arbitrary code or cause a denial of service on a vulnerable system.

Description

Sendmail is a widely used mail transfer agent (MTA). There is a stack overflow vulnerability in code that parses email addresses. A remote attacker could exploit this vulnerability with a message containing a specially crafted email address.

When processing email messages, sendmail creates tokens from address elements (user, host, domain). The code that performs this function (prescan() in parseaddr.c) contains logic to check that the tokens are not malformed or overly long. In certain cases, a variable in prescan() is set to the special control value -1, which may alter the program logic to skip the length checks. On little-endian platforms that treat the char type as signed int, the char value 0xFF sets the high-order bit, which in terms of a signed int indicates a negative value. When prescan() treats a char with the value 0xFF as an int, the value is interpreted as -1, which can cause the length checks to be skipped. Using an email message with a specially crafted address containing 0xFF, an attacker could cause the length checks to be skipped and overwrite the saved instruction pointer on the stack.

Further information is available in a message posted by Michal Zalewski.

In sendmail 8.9.12 and 8.11.7 (and possibly other versions), additional modifications have been made to protect other vulnerable sendmail MTAs. From the release notes for sendmail 8.9.12:

8.12.9/8.12.9   2003/03/29
        SECURITY: Fix a buffer overflow in address parsing due to
                a char to int conversion problem which is potentially
                remotely exploitable.  Problem found by Michal Zalewski.
                Note: an MTA that is not patched might be vulnerable to
                data that it receives from untrusted sources, which
                includes DNS.
        To provide partial protection to internal, unpatched sendmail MTAs,
                8.12.9 changes by default (char)0xff to (char)0x7f in
                headers etc.  To turn off this conversion compile with
                -DALLOW_255 or use the command line option -d82.101.
        To provide partial protection for internal, unpatched MTAs that may be
                performing 7->8 or 8->7 bit MIME conversions, the default
                for MaxMimeHeaderLength has been changed to 2048/1024.
                Note: this does have a performance impact, and it only
                protects against frontal attacks from the outside.
                To disable the checks and return to pre-8.12.9 defaults,
                set MaxMimeHeaderLength to 0/0.

Note that DNS could also be used as an attack vector.


Impact

A remote attacker could execute arbitrary code or cause a denial of service on a vulnerable system.


Solution

Upgrade or Patch
Upgrade or apply a patch as specified by your vendor. In addition to addressing the vulnerability, upgraded versions of sendmail (8.9.12 and 8.11.7) include modifications to help protect other vulnerable sendmail MTAs.


Enable RunAsUser

Consider setting the RunAsUser option to reduce the impact of this vulnerability. The CERT/CC recommends limiting the privileges of applications and services whenever possible.


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Apple Computer Inc.| | 29 Mar 2003| 25 Sep 2003
Conectiva| | 29 Mar 2003| 20 May 2003
Debian| | 29 Mar 2003| 22 Apr 2003
FreeBSD| | 29 Mar 2003| 31 Mar 2003
Fujitsu| | 29 Mar 2003| 10 Apr 2003
Gentoo Linux| | -| 01 Apr 2003
Hewlett-Packard Company| | 29 Mar 2003| 10 Apr 2003
IBM| | 29 Mar 2003| 24 Jun 2003
MandrakeSoft| | 29 Mar 2003| 01 Apr 2003
Mirapoint| | -| 22 Apr 2003
NetBSD| | 29 Mar 2003| 22 Apr 2003
Nortel Networks| | 29 Mar 2003| 08 Apr 2003
OpenBSD| | 29 Mar 2003| 01 Apr 2003
OpenPKG| | -| 01 Apr 2003
Red Hat Inc.| | 29 Mar 2003| 01 Apr 2003
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://www.securityfocus.com/archive/1/316773/2003-03-28/2003-04-03/0>
  • <http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=22127>
  • <http://www.sendmail.org/secure-install.html>
  • <http://www.sendmail.org/ftp/RELEASE_NOTES>
  • <http://www.ietf.org/rfc/rfc2047.txt>

Credit

This vulnerability was discovered by Michal Zalewski and reported by Sendmail Inc.

This document was written by Art Manion.

Other Information

  • CVE IDs: CAN-2003-0161
  • CERT Advisory: CA-2003-12
  • Date Public: 29 Mar 2003
  • Date First Published: 29 Mar 2003
  • Date Last Updated: 25 Sep 2003
  • Severity Metric: 67.20
  • Document Revision: 38