Dailydave mailing list archives

RE: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)


From: "Dave Korn" <dave.korn () artimi com>
Date: Thu, 23 Mar 2006 18:21:43 -0000

On 23 March 2006 09:43, Gadi Evron wrote:


> To begin with, anyone noticed the memory leak they (Sendmail) silently
> patched?
> I wonder how many other unreported silently-patched
> vulnerabilities are out there?

  Tons.  Absolutely millions.  Pretty much every microsoft security patch
silently fixes a few non-disclosed vulnerabilities; this is not necessarily a
deliberate policy of concealment, it could just be a consequence of the fact
that they release hotpatches built against their current top-of-tree sources
and so any minor fixes that they haven't felt were worth a release on their
own get rolled-up into the security patch when they do have an issue they feel
is worth releasing one for.

> Here's what ISS releasing the Race Condition vulnerability has to say:
> http://xforce.iss.net/xforce/alerts/id/216
> They say it's a remote code execution. They say it's a race condition. No
> real data available to speak of. I can't see how it's remotely
> exploitable, but well, no details, remember? From what we can see it seems
> like a DoS.

> "By sending malicious data at certain
> time intervals, it is possible for a remote attacker to corrupt arbitrary
> stack memory and gain control of the affected host."

  Nah, I can see how that might be exploitable.  I bet it's something along
the lines of "causing a signal handler to recursively re-enter itself and
overwrite some of its static state in such a way that the outer signal handler
then processes a signal based on partially valid data from its own invocation
and partially invalid data that was overwritten in the nested recursive
invocation".  Or similar ;) use yer imagination!

> The int overflow is possibly exploitable, not very sure about the
> jumps.

  Well, just overflow the int with a sufficiently large value such that it
indexes right off the end of an array and overwrites the stored eip in the
jmp_buf struct!

> No idea why ISS says the Race Condition is, would love insight.

  Insight?  Hell, I'd settle for gdb in TUI mode if it was attached to a
crashed sendmail instance!

> One could say ISS and Sendmail did good, obscuring the information so that
> the vulnerability-to-exploit time will be longer. That proved wrong,
> useless and pointless. They failed.

> After looking at the available data for 30 minutes (more or less), we know
> exactly what the vulnerabilities are. Exploiting them may not be that
> trivial if indeed possible, but there are most likely already exploits
> out there if it is. When will the first public POC be released? Your guess
> is as good as mine.

  As I've been known to claim before, "You can't hide anything from an
inquiring mind with a good debugger"![*]

    cheers,
      DaveK

[*] - actually it was "packet sniffer" last time, but the sentiment is the
same :)
-- 
Can't think of a witty .sigline today....
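
The nested-signal-handler scenario Dave sketches above, written out as a constructed model (added here; it is neither sendmail code nor anything from the ISS alert). It assumes a handler that fills a two-field static record in two steps, uses SIGUSR1 as the signal and a raise() from inside the handler to stand in for a second signal arriving in the middle of the update; with SA_NODEFER the second delivery re-enters the handler and the outer invocation ends up processing a torn record, while leaving the signal blocked during the handler (the default sigaction behaviour) defers the second delivery until the first update is whole.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not sendmail code: a handler updates this static
 * record in two non-atomic steps.  seq and tag are meant to always match. */
static volatile struct { int seq; int tag; } rec;
static volatile sig_atomic_t invocations;   /* handler entries so far     */
static volatile sig_atomic_t torn;          /* records seen with seq!=tag */

static void handler(int sig)
{
    int me = ++invocations;        /* identity of this invocation         */
    rec.seq = me;                  /* step 1 of the update                 */
    if (me == 1)
        raise(sig);                /* simulate a second signal arriving    */
                                   /* between the two steps                */
    rec.tag = me;                  /* step 2 of the update                 */
    if (rec.seq != rec.tag)        /* outer invocation sees a mixed record */
        torn++;
}

/* Runs the scenario once and returns how many torn records were observed.
 * nodefer=1 installs the handler with SA_NODEFER, so the nested raise() is
 * delivered immediately and the handler re-enters itself.
 * nodefer=0 keeps SIGUSR1 blocked while the handler runs, so the second
 * delivery waits until the first update has completed. */
int run_scenario(int nodefer)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = nodefer ? SA_NODEFER : 0;

    invocations = 0;
    torn = 0;
    rec.seq = rec.tag = 0;

    if (sigaction(SIGUSR1, &sa, NULL) != 0)
        return -1;
    raise(SIGUSR1);                /* first delivery; returns after the     */
                                   /* handler(s) have run                   */

    sa.sa_handler = SIG_IGN;       /* leave nothing dangerous installed     */
    sa.sa_flags = 0;
    sigaction(SIGUSR1, &sa, NULL);
    return (int)torn;
}

int main(void)
{
    printf("torn records with SA_NODEFER:           %d\n", run_scenario(1));
    printf("torn records with signal blocked:       %d\n", run_scenario(0));
    return 0;
}
```

The usual hardening is the nodefer=0 shape, or better still not touching shared state in the handler at all: set a sig_atomic_t flag and do the work from the main loop, where the update can be bracketed with sigprocmask() if it must not be interrupted.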

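Dave's other remark, an index that wraps and "indexes right off the end of an array" into a jmp_buf, as a constructed example added here (not sendmail's code and not a description of its actual bug). It assumes a hypothetical struct in which a saved jmp_buf sits next to a small int table, an index assembled from two attacker-influenced 32-bit values that wraps when added, and a bounds check that only looks at the upper bound; the write lands inside the saved context. The example stops at showing the corruption: on current glibc the saved program counter in a jmp_buf is additionally pointer-mangled, so a raw overwrite does not by itself redirect control, and longjmp() after the corruption would simply crash.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 8

/* Hypothetical layout (constructed for this example): a saved context
 * immediately followed by a small table.  A negative index into slots[]
 * lands inside env. */
struct ctx {
    jmp_buf env;
    int     slots[SLOTS];
};

/* Vulnerable pattern: base+count is computed in 32 bits, wraps, is converted
 * to int (negative on two's-complement targets) and is then only checked
 * against the upper bound.  The store goes through a char pointer inside the
 * struct so the example itself has no undefined behaviour; on a real target
 * the equivalent slots[idx] write does exactly the same thing. */
static int store_vulnerable(struct ctx *c, uint32_t base, uint32_t count, int value)
{
    int idx = (int)(base + count);          /* wraps, may go negative      */
    if (idx >= SLOTS)                       /* no check for idx < 0        */
        return -1;
    char *p = (char *)c + offsetof(struct ctx, slots)
              + (ptrdiff_t)idx * (ptrdiff_t)sizeof(int);
    memcpy(p, &value, sizeof value);        /* for idx < 0 this hits env   */
    return 0;
}

/* Hardened: add in a width that cannot wrap for 32-bit inputs, then
 * range-check before anything is narrowed or dereferenced. */
static int store_checked(struct ctx *c, uint32_t base, uint32_t count, int value)
{
    uint64_t idx = (uint64_t)base + (uint64_t)count;
    if (idx >= SLOTS)
        return -1;
    c->slots[idx] = value;
    return 0;
}

/* Populates env with setjmp(), performs the vulnerable store with the given
 * inputs and returns 1 if the saved context changed, 0 if it did not. */
int saved_context_corrupted(uint32_t base, uint32_t count)
{
    struct ctx c;
    unsigned char before[sizeof(jmp_buf)];

    memset(&c, 0, sizeof c);
    if (setjmp(c.env) != 0)
        return -1;                          /* never longjmp'd to here     */
    memcpy(before, &c.env, sizeof before);

    store_vulnerable(&c, base, count, 0x41414141);
    return memcmp(before, &c.env, sizeof before) != 0;
}

int main(void)
{
    /* base 7 + count 0xFFFFFFF0 wraps to 0xFFFFFFF7, i.e. idx == -9 */
    printf("in-bounds index touched saved context:   %d\n",
           saved_context_corrupted(3, 2));
    printf("wrapped index touched saved context:     %d\n",
           saved_context_corrupted(7, 0xFFFFFFF0u));
    return 0;
}
```

The check that matters is the one in store_checked(): compare in the width the inputs actually have, before the value is narrowed to int or used as an offset. A check performed after the narrowing, as in store_vulnerable(), is looking at a number the attacker has already chosen.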