"Mordechai T. Abzug" <mortyat_private> wrote: >Question: are the header and ident issues *only* remote overflow >problems, or is this also a local vulnerability? Ie. if one has a >system that doesn't run sendmail in daemon mode (-bd), but does make >sendmail available as an SUID root binary for submission to the local >smarthost and does run sendmail is queue-process mode (ie. -q15m), is >the system still vulnerable? Given that the problem is in the header >parsing, I would expect this to be both a remote and a local problem, >but I'd like to make sure before doing lots of upgrades. I don't think there has been a comment on this yet. Sendmail will only use "ident" when receiving mail on a network connection. There is no local exploit available there if sendmail is not listening on the net. Possibly a local user could invoke "sendmail -bs" with stdin/stdout assigned to a connected socket. In that case there might be an ident call. For the header problem, any buffer overflow would occur while sending the message, not while receiving it. Whether the message originated locally or over the network will matter. Thus there is a potential problem for local exploits with an SUID sendmail binary. In particular, if you have old sendmail binaries left around that you haven't deleted, you should at least turn off any SUID and SGID privileges. Incidently that's a good practice for old disused versions of any program. -NWR
This archive was generated by hypermail 2b30 : Thu Mar 06 2003 - 11:01:01 PST