Remote Vulnerability in the MMDF SMTP Daemon

[seclabs () NAI COM (NAI Labs)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

======================================================================

                     Network Associates, Inc.
                        SECURITY ADVISORY
                        February 15, 2000

           Remote Vulnerability in the MMDF SMTP Daemon

======================================================================

SYNOPSIS

An implementation fault in MMDF allows arbitrary individuals to
obtain mail management privileges via the SMTP daemon.  An attacker
can subsequently gain root access via a few trivial steps.

======================================================================

VULNERABLE HOSTS

This vulnerability has been confirmed and is known to be exploitable
on all versions of MMDF prior to the beta release 2.44a-B4 (The
current public release is 2.43).  The version of MMDF included in the
default SCO OpenServer installation (2.43.3b) is also vulnerable.

======================================================================

TECHNICAL DETAILS

The "MAIL FROM:" and "RCPT TO:" SMTP commands exist to allow a client
to relay to the server the source and destination addresses of a mail
message.  The MMDF server performs some basic sanity checks on the
addresses given as arguments to these commands.  If the supplied data
is for some reason invalid, an error message to that effect is
printed.  During this process, the entire input string is copied to a
fixed-size local buffer without any bounds checking, using the
function sprintf().  Should the size of the input exceed the size of
this buffer, the call stack of the MMDF server can be overwritten.
While MMDF's "RCPT TO:" handling code performs checks on the address
which make exploitation impossible, the "MAIL FROM:" command has no
such checking and is easily exploitable.

Although the MMDF server is run as the unprivileged user mmdf by
inetd, the 'smptd' binary is setuid root and is stored in a directory
owned by user mmdf.  This allows an attacker to execute commands as
root by replacing the 'smtpsrvr' binary with an arbitrary program or
script.

======================================================================

RESOLUTION

SCO has developed a patch to address this issue.  More information is
available at:  http://www.sco.com/security.

Because of the remotely exploitable nature of this vulnerability,
this is considered to be a high risk to users of MMDF and should be
resolved immediately.

======================================================================

CREDITS

Discovery and documentation of this vulnerability was conducted by
Shawn Bracken at the Security Research Labs of Network Associates.

======================================================================

ABOUT THE NETWORK ASSOCIATES SECURITY LABS

The Security Labs at Network Associates hosts some of the most
important research in computer security today. With over 30 security
advisories published in the last 2 years, the Network Associates
security research teams have been responsible for the discovery of
many of the Internet's most serious security flaws.  This advisory
represents our ongoing commitment to provide critical information to
the security community.

For more information about the Security Labs at Network
Associates, see our website at http://www.nai.com or contact us
at <seclabs () nai com>.

======================================================================

NETWORK ASSOCIATES SECURITY LABS PGP KEY

- - -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 5.5.5

mQGiBDXGgDsRBADVOnID6BtEhKlm2cNalho28YP0JAh+J4iRUIaiWshzI0tc0KPc
fvs+0xYwiqjxmeHi2sdIEPQ7S+ltA3Dlp6/DFojWBr2XB9hfWy4uiKBUHqnsKYnB
Gpkh6nIx7DIwn+u0PXMXbJCG3LYf8daiPVdzC2VFtbRvJL4wZc6NLQViFQCg/9uS
DuH/0NE6mO8Cu4iVrUT5Wk8D/ArOpV5T5yIuXHZO1/ZBVeHccVVvHe8wHK4D9WUs
FsB8fgYLNgdFMMjtam7QQSBY/P1KKBzaFqZhkfS4WVMAFEy94NHXG+KTCPhXkZzp
OPPqwWqZgfvOg0Bm20O/GhzQkB6JfFJqcfR87Ej0+fcDKrTTxAELWHGS7c9Qdn6P
bfwHA/4oLNwYrtgWNkjGcG018Pu2jKT7YuP9zBTMu28IBiWdPLGL9Wle4d5cdDVx
Es4iVl8FMtxlgTWCgMnBLS4nyM3pCn1HF+8Gi+IVKUXWCkqt/rtBMsrOMfrOgEIu
BWnTZcTR7kcWtH7xDFNyZ47U4pElLXwATVDty/FczAJnpeht2LQyTmV0d29yayBB
c3NvY2lhdGVzIFNlY3VyaXR5IExhYnMgPHNlY2xhYnNAbmFpLmNvbT6JAEsEEBEC
AAsFAjXGgDsECwMCAQAKCRCheCy6j9WBEtgDAKDpYMwQZP0Ipx7X0ivnTxxJkA/W
vACg4LZv0lmWqmnd7XCe4OIJ05aT6hK5Ag0ENcaAOxAIAPZCV7cIfwgXcqK61qlC
8wXo+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyDvWXpF9Sh
01D49Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5u/2RXscB
qtNbno2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1FHQ98iLMcfFst
jvbzySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzhsSlAGBGNfISn
CnLWhsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqrol7DVeky
CzsAAgIH/RZcJoRkhCf9O4Er+rciBNG3QqM3tek23oxGuVwqRxtGlGKuf+YaUDIA
vZhARftupZYJf/+AM9pyjjsF7ON/Df5oIXXhqzrDySw47dNB3I1FG7vwAUBRfYgG
NRP+zvf1nld+FgAXag1DIQteXYPtoMUJP8ZgvbELYVdZS2TapOHUv7r4rOY+UUjl
U+FkQPp9KCNreaNux4NxwT3tzXl1KqqkliC8sYxvMCkJ+JO71TKGplO9dXsf3O8p
2r33+LngmLs4O7inrUlmAUKq3jmCK50J7RsZjd6PlK/0JwcjFkOZeYrxTguZzCR4
QYmo8nEHqEMSKQci0VUf9KH4lHf6xmGJAEYEGBECAAYFAjXGgDsACgkQoXgsuo/V
gRK5LACgoAqLFk10kAMu6xb3ftO4+INJs14Ani+1hujlYRxYphN97c5ci8WtILNZ
=L3C6
- - ----

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
Comment: Crypto Provided by Network Associates <http://www.nai.com>

iQA/AwUBOKryrqF4LLqP1YESEQLtlQCeIHRGxr5MxhJItvC7SUma4FeJux4AoMP0
P64+u7xPKBcLtNmiXy7QcCh1
=dVD0
-----END PGP SIGNATURE-----