Just got this from ISS. There's a new sendmail vulnerability out there.

Internet Security Systems Security Advisory
March 3, 2003

Remote Sendmail Header Processing Vulnerability

Synopsis:
ISS X-Force has discovered a buffer overflow vulnerability in the Sendmail Mail Transfer Agent (MTA). Sendmail is the most common MTA and has been documented to handle between 50% and 75% of all Internet email traffic.

Impact:
Attackers may remotely exploit this vulnerability to gain "root" or superuser control of any vulnerable Sendmail server. Sendmail and all other email servers are typically exposed to the Internet in order to send and receive Internet email. Vulnerable Sendmail servers will not be protected by legacy security devices such as firewalls and/or packet filters. This vulnerability is especially dangerous because the exploit can be delivered within an email message and the attacker doesn't need any specific knowledge of the target to launch a successful attack.

Affected Versions:
Sendmail versions from 5.79 to 8.12.7 are vulnerable.

Note: The affected versions of Sendmail commercial and Sendmail open source running on all platforms are known to be vulnerable.

Description:
The Sendmail remote vulnerability occurs when processing and evaluating header fields in email collected during an SMTP transaction. Specifically, when fields are encountered that contain addresses or lists of addresses (such as the "From" field, "To" field and "CC" field), Sendmail attempts to semantically evaluate whether the supplied address (or list of addresses) are valid. This is accomplished using the crackaddr() function, which is located in the headers.c file in the Sendmail source tree. A static buffer is used to store data that has been processed. Sendmail detects when this buffer becomes full and stops adding characters, although it continues processing. Sendmail implements several security checks to ensure that characters are parsed correctly.

One such security check is flawed, making it possible for a remote attacker to send an email with a specially crafted address field that triggers a buffer overflow. X-Force has demonstrated that this vulnerability is exploitable in real-world conditions on production Sendmail installations. This vulnerability is readily exploitable on x86 architecture systems, and may be exploitable on others as well. Protection mechanisms such as implementation of a non-executable stack do not offer any protection from exploitation of this vulnerability. Successful exploitation of this vulnerability does not generate any log entries.

Full text at: https://gtoc.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950

ISS has a signature to detect it in RealSecure network sensors. I haven't seen a Snort sig yet.

___________________________________
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation
Enterprise Security & Infrastructure Solutions
503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________
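Since the post notes that no Snort signature exists yet, here is an added defensive check (example code, not part of the original post and not ISS's RealSecure signature) that a mail gateway or IDS could run over an inbound message: it unfolds the header block, so an address field split across continuation lines is measured at its full length, and flags address-bearing fields that are oversized or syntactically malformed. The 256-byte threshold (Sendmail's MAXNAME), the inclusion of Sender and Reply-To alongside the From/To/CC fields the advisory names, and the unbalanced-delimiter heuristic are assumptions of this example.

```python
import re

# Header fields Sendmail evaluates as addresses. The advisory names From, To
# and CC; Sender and Reply-To are added here as an assumption.
ADDRESS_HEADERS = {"from", "to", "cc", "sender", "reply-to"}

# Assumption: Sendmail's fixed address buffer is MAXNAME (256) bytes, so an
# unfolded address field longer than that is worth a closer look.
MAX_UNFOLDED_LEN = 256


def unfold_headers(raw):
    """Return (name, value) pairs for the header block of a raw message,
    joining folded continuation lines (those starting with SP or HTAB)."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    headers = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def suspicious_address_headers(raw):
    """Return [(header_name, [reasons])] for address fields that are either
    longer than MAX_UNFOLDED_LEN after unfolding or have unbalanced
    angle-bracket / comment delimiters."""
    findings = []
    for name, value in unfold_headers(raw):
        if name not in ADDRESS_HEADERS:
            continue
        reasons = []
        if len(value) > MAX_UNFOLDED_LEN:
            reasons.append("unfolded length %d > %d" % (len(value), MAX_UNFOLDED_LEN))
        if value.count("<") != value.count(">") or value.count("(") != value.count(")"):
            reasons.append("unbalanced address delimiters")
        if reasons:
            findings.append((name, reasons))
    return findings


# Constructed sample messages (not real traffic, not exploit payloads).
BENIGN = "From: Alice <alice@example.com>\nTo: bob@example.com,\n cc@example.com\nSubject: hi\n\nbody\n"
# A To: list folded over 20 lines: each line is short, the unfolded value is not.
FOLDED_LONG = "From: sender@example.com\nTo: " + ",\n ".join(
    "user%02d@example.com" % i for i in range(20)) + "\n\nbody\n"
UNBALANCED = "From: Mallory <mallory@example.com\nTo: bob@example.com\n\nbody\n"
```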
This archive was generated by hypermail 2b30 : Mon Mar 03 2003 - 14:42:47 PST