Bugtraq mailing list archives
procmail / Sendmail - five bugs
From: lcamtuf () IDS PL (Michal Zalewski)
Date: Thu, 23 Dec 1999 11:55:52 +0100
Hope you won't be angry for cross-post?:) This mail discusses five interesting vulnerabilities in Berkeley Sendmail and 'procmail' utility, I think it's good to let you know - but don't panic - at least for now, we are too lazy and we have no idea if any of these holes can be exploited - that's why I'm sending it to VULN-DEV as well, to give some ideas to young, brilliant hackers around :) 1. procmail Months ago, we found a problem with LINEBUF variable defined in .procmailrc files. By setting arbitrary values of it - eg. negative or extremely large ones - we're able to at least overwrite memory locations with zero value (used to properly terminate string buffer, unfortunately there's no range checking on signed int arithmetic in C ;). Actually, it splits in two vulnerabilities: a) On some glibc 2.0 machines (eg. RedHat), malloc(negative_integer) won't result in EINVAL, but with valid pointer, for which malloc_usable_size() returns size of 12 bytes. Heap overflows possible? Hmm, at least SEGVs in procmail:) b) With glibc 2.0/2.1, there's also some way to overwrite mem with '\0' due to lack of range checking and signed<->unsigned integer conversion. Nasty memory hacking required to exploit it. 2. Sendmail Another time, quite old vulnerabilities, but, as we haven't reported it till now, hopefully present in newest releases as well: a) Sendmail (tested with 8.9.3 and previous) allows you to put mail addressed to eg. '|/bin/sh' (or any file) into mail queue. Fortunately, this queue file should contain also line like 'Croot' to be processed properly, while we have no idea how to put it there. But, anyway, seems to be dangerous - Sendmail should reject such crap immediately: /usr/sbin/sendmail -O 'DeliveryMode=d' '""|/bin/sh' (without these double-quotes, it _will_ immediately drop your message) b) Into queue files (qf*), Sendmail stores internal delivery information, user-supplied headers (Hxxx) and server-added headers (H?x?xxx). These headers are handled in several different ways, depending on letter between '?' - but, in general, are used to store default values for other headers (like 'Date:' and 'Return-Path:'). But, headers like: ?D?My-Own-Header: junk are allowed in messages, and are put in unchanged form into queue files, allowing possible conflicts or MTA confusion :P For example, header '???This-Causes-Error: test' causes odd error messages during message processing. What does it mean? Probably nothing dangerous, but I haven't spend enough time investigating this issue to be sure, maybe it's some way to cause undesirable MTA behaviour. c) Sendmail won't put X-Authentication-Warning header (eg. about protocol violations, suspected options etc) into message if there's one already present - no matter how stupid it is. Minor bug. _______________________________________________________________________ Michal Zalewski [lcamtuf () ids pl] [link / marchew] [dione.ids.pl SYSADM] [Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};: [voice phone: +48 22 813 25 86] <=-=> [cellular phone: +48 501 4000 69] Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]
Current thread:
- Re: Groupewise Web Interface, (continued)
- Re: Groupewise Web Interface Raymond Dijkxhoorn (Dec 20)
- Re: Groupewise Web Interface Bayard G. Bell (Dec 21)
- Announcement: Solaris loadable kernel module backdoor plasmoid (Dec 20)
- Re: Announcement: Solaris loadable kernel module backdoor pedward () WEBCOM COM (Dec 21)
- Re: Announcement: Solaris loadable kernel module backdoor Marc Esipovich (Dec 22)
- Re: Announcement: Solaris loadable kernel module backdoor Steven Alexander (Dec 23)
- Re: Announcement: Solaris loadable kernel module backdoor Rainer Link (Dec 22)
- Re: Announcement: Solaris loadable kernel module backdoor Keith Owens (Dec 22)
- Re: Groupewise Web Interface satherrl () MAILPOINT DSSRG CURTIN EDU AU (Dec 21)
- Norton Email Protection Remote Overflow (Addendum) Matt Conover (Dec 20)
- procmail / Sendmail - five bugs Michal Zalewski (Dec 23)
- Re: procmail / Sendmail - five bugs Rob Jones (Dec 20)
- Re: procmail / Sendmail - five bugs Michal Zalewski (Dec 22)
- FTPPro insecuities The Wall (Dec 27)
- serious Lotus Domino HTTP denial of service Alain Thivillon (Dec 21)
- More details on the WU-FTPD configuration vulnerability. suid (Dec 21)
- Microsoft Security Bulletin (MS99-058) Aleph One (Dec 21)
- Microsoft Security Bulletin (MS99-061) Aleph One (Dec 21)
- More Netscape Passwords Available. Rob Jones (Dec 21)
- UnixWare i2odialogd remote root exploit Brock Tellier (Dec 21)
- IE 5.01 vulnerabilities in external.NavigateAndFind() Georgi Guninski (Dec 22)