Sendmail mail.local Vulnerabilities
BID:1146
Info
Sendmail mail.local Vulnerabilities
| Bugtraq ID: | 1146 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Apr 23 2000 12:00AM |
| Updated: | Apr 23 2000 12:00AM |
| Credit: | First posted to Bugtraq by 3APA3A <[email protected]> on April 23, 2000. |
| Vulnerable: |
Eric Allman Sendmail 8.9.3 |
| Not Vulnerable: |
Eric Allman Sendmail 8.10.1 Eric Allman Sendmail 8.10 |
Discussion
Sendmail mail.local Vulnerabilities
mail.local is a program included with Sendmail intended as a delivery agent for local mail. mail.local uses LMTP (local mail transfer protocol) taken in from standard input and is what puts messages into users mailboxes. When in LMTP mode, mail.local checks user input for the end of message indicator, ".\n", which sendmail will block before passing to mail.local. It is possible to fake the end of message if a long string (2047 characters) followed by a ".\n" is sent. Any text after the faked end-of-message indicator will be treated by mail.local as LMTP commands, meaning that fake messages and such can be sent to any mailbox without filtering or logging by sendmail.
Another problem is that since LMTP commands are being executed, responses will be generated from mail.local which are not expected by sendmail (it does not retrieve them from the I/O buffer). If many of these responses (ie, error responses) are generated, mail.local and sendmail become deadlocked and the I/O buffer will be filled. This will prevent local mail delivery.
On Solaris machines running Sendmail 8.10.0 or 8.10.1compiled with the -DCONTENTLENGTH flag, it is possible to modify the Content-Length field in the message header the same way the fake end-of-message indicator is added, corrupting the user's mailbox.
mail.local is a program included with Sendmail intended as a delivery agent for local mail. mail.local uses LMTP (local mail transfer protocol) taken in from standard input and is what puts messages into users mailboxes. When in LMTP mode, mail.local checks user input for the end of message indicator, ".\n", which sendmail will block before passing to mail.local. It is possible to fake the end of message if a long string (2047 characters) followed by a ".\n" is sent. Any text after the faked end-of-message indicator will be treated by mail.local as LMTP commands, meaning that fake messages and such can be sent to any mailbox without filtering or logging by sendmail.
Another problem is that since LMTP commands are being executed, responses will be generated from mail.local which are not expected by sendmail (it does not retrieve them from the I/O buffer). If many of these responses (ie, error responses) are generated, mail.local and sendmail become deadlocked and the I/O buffer will be filled. This will prevent local mail delivery.
On Solaris machines running Sendmail 8.10.0 or 8.10.1compiled with the -DCONTENTLENGTH flag, it is possible to modify the Content-Length field in the message header the same way the fake end-of-message indicator is added, corrupting the user's mailbox.
Exploit / POC
Sendmail mail.local Vulnerabilities
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Sendmail mail.local Vulnerabilities
Solution:
The vendor has been notified and the deadlock/LMTP problems were fixed in Sendmail versions 8.10.0 and higher. On Solaris machines, Sendmail 8.10.0 and 8.10.1 are known to be vulnerable to another related attack involving the Content-Length field in the message header.
The Content-Length field header was fixed by Sendmail upgrades:
Eric Allman Sendmail 8.9.3
Solution:
The vendor has been notified and the deadlock/LMTP problems were fixed in Sendmail versions 8.10.0 and higher. On Solaris machines, Sendmail 8.10.0 and 8.10.1 are known to be vulnerable to another related attack involving the Content-Length field in the message header.
The Content-Length field header was fixed by Sendmail upgrades:
Eric Allman Sendmail 8.9.3
-
Sendmail, Inc sendmail 8.11.0
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.0.tar.gz