Sendmail mail.local Vulnerabilities

BID:1146

Info

Sendmail mail.local Vulnerabilities

Bugtraq ID: 1146
Class: Failure to Handle Exceptional Conditions
CVE:
Remote: Yes
Local: Yes
Published: Apr 23 2000 12:00AM
Updated: Apr 23 2000 12:00AM
Credit: First posted to Bugtraq by 3APA3A <[email protected]> on April 23, 2000.
Vulnerable: Eric Allman Sendmail 8.9.3
Not Vulnerable: Eric Allman Sendmail 8.10.1
Eric Allman Sendmail 8.10

Discussion

Sendmail mail.local Vulnerabilities

mail.local is a program included with Sendmail intended as a delivery agent for local mail. mail.local uses LMTP (local mail transfer protocol) taken in from standard input and is what puts messages into users mailboxes. When in LMTP mode, mail.local checks user input for the end of message indicator, ".\n", which sendmail will block before passing to mail.local. It is possible to fake the end of message if a long string (2047 characters) followed by a ".\n" is sent. Any text after the faked end-of-message indicator will be treated by mail.local as LMTP commands, meaning that fake messages and such can be sent to any mailbox without filtering or logging by sendmail.

Another problem is that since LMTP commands are being executed, responses will be generated from mail.local which are not expected by sendmail (it does not retrieve them from the I/O buffer). If many of these responses (ie, error responses) are generated, mail.local and sendmail become deadlocked and the I/O buffer will be filled. This will prevent local mail delivery.

On Solaris machines running Sendmail 8.10.0 or 8.10.1compiled with the -DCONTENTLENGTH flag, it is possible to modify the Content-Length field in the message header the same way the fake end-of-message indicator is added, corrupting the user's mailbox.

Exploit / POC

Sendmail mail.local Vulnerabilities

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].

Solution / Fix

Sendmail mail.local Vulnerabilities

Solution:
The vendor has been notified and the deadlock/LMTP problems were fixed in Sendmail versions 8.10.0 and higher. On Solaris machines, Sendmail 8.10.0 and 8.10.1 are known to be vulnerable to another related attack involving the Content-Length field in the message header.

The Content-Length field header was fixed by Sendmail upgrades:


Eric Allman Sendmail 8.9.3

References

Sendmail mail.local Vulnerabilities

References:
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report