Dailydave mailing list archives
RE: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)
From: "Dave Korn" <dave.korn () artimi com>
Date: Thu, 23 Mar 2006 18:21:43 -0000
On 23 March 2006 09:43, Gadi Evron wrote:
> To begin with, anyone noticed the memory leak they (Sendmail) silently patched? I wonder how many other unreported silently-patched vulnerabilities are out there?
Tons. Absolutely millions. Pretty much every Microsoft security patch silently fixes a few non-disclosed vulnerabilities - this is not necessarily a deliberate policy of concealment, it could just be a consequence of the fact that they release hotpatches built against their current top-of-tree sources and so any minor fixes that they haven't felt were worth a release on their own get rolled up into the security patch when they do have an issue they feel is worth releasing one for.
> Here's what ISS releasing the Race Condition vulnerability has to say: http://xforce.iss.net/xforce/alerts/id/216 They say it's a remote code execution. They say it's a race condition. No real data available to speak of. I can't see how it's remotely exploitable, but well, no details, remember? From what we can see it seems like a DoS.
"By sending malicious data at certain time intervals, it is possible for a remote attacker to corrupt arbitrary stack memory and gain control of the affected host." Nah, I can see how that might be exploitable. I bet it's something along the lines of "causing a signal handler to recursively re-enter itself and overwrite some of its static state in such a way that the outer signal handler then processes a signal based on partially valid data from its own invocation and partially invalid data that was overwritten in the nested recursive invocation". Or similar ;) use yer imagination!
> The int overflow is possibly exploitable, not very sure about the jumps.
Well, just overflow the int with a sufficiently large value such that it indexes right off the end of an array and overwrites the stored eip in the jmp_buf struct!
> No idea why ISS says the Race Condition is, would love insight.
Insight? Hell, I'd settle for gdb in TUI mode if it was attached to a crashed sendmail instance!
> One could say ISS and Sendmail did good, obscuring the information so that the vulnerability-to-exploit time will be longer. That proved wrong, useless and pointless. They failed. After looking at the available data for 30 minutes (more or less), we know exactly what the vulnerabilities are. Exploiting them may not be that trivial if indeed possible, but there are most likely already exploits out there if it is. When will the first public POC be released? Your guess is as good as mine.
As I've been known to claim before, "You can't hide anything from an inquiring mind with a good debugger"![*]

cheers,
DaveK

[*] - actually it was "packet sniffer" last time, but the sentiment is the same :)

--
Can't think of a witty .sigline today....
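An added example, not code from this thread or from sendmail, showing the defensive counterparts to the two bug classes Dave speculates about: a signal handler that only records the signal in a sig_atomic_t and defers all work to the main loop, so a nested delivery can never half-overwrite shared static state, and an index check performed before the array is touched, so an overflowed value cannot index past the end of the table. Function and variable names are hypothetical.

```c
/* Added example; not sendmail's code. Names are hypothetical. */
#include <signal.h>
#include <stddef.h>

/* 1. Signal handling. The handler does one atomic store and nothing else,
 * so there is no multi-step update of static state for a second, nested
 * signal to interleave with. Parsing of any partially written state is
 * done by the main loop, outside signal context. (signal() is used here
 * for portability; sigaction() is the usual choice in daemon code.) */
static volatile sig_atomic_t pending_signal = 0;

static void record_signal(int signo)
{
    pending_signal = signo;   /* async-signal-safe: a single atomic store */
}

/* Returns 0 on success, -1 if the handler could not be installed. */
int install_flag_handler(int signo)
{
    return signal(signo, record_signal) == SIG_ERR ? -1 : 0;
}

/* Called from the main loop only. Returns the recorded signal number and
 * clears it, or 0 if nothing is pending. */
int take_pending_signal(void)
{
    int s = (int)pending_signal;
    pending_signal = 0;
    return s;
}

/* 2. Index validation. The caller-supplied index is rejected if negative
 * or not strictly below the element count, so a wrapped or oversized
 * value can never reach memory laid out after the table (a jmp_buf, for
 * instance). Returns 0 on success, -1 when the index is out of range. */
#define TABLE_LEN 16
static int table[TABLE_LEN];

int table_store(long idx, int value)
{
    if (idx < 0 || (unsigned long)idx >= TABLE_LEN)
        return -1;            /* reject before the index is ever used */
    table[idx] = value;
    return 0;
}

int table_load(long idx)
{
    if (idx < 0 || (unsigned long)idx >= TABLE_LEN)
        return 0;             /* out of range reads yield a harmless default */
    return table[idx];
}
```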