---------------------------------------------------------------------------
Security Alert

Subject:        Sendmail Debugger Arbitrary Code Execution Vulnerability
BUGTRAQ ID:     3163
CVE ID:         CAN-2001-0653
Published:      August 17, 2001 MT
Updated:        August 20, 2001 MT
Remote:         No
Local:          Yes
Availability:   Always
Authentication: Not Required
Credibility:    Vendor Confirmed
Ease:           No Exploit Available
Class:          Input Validation Error
Impact:         10.00
Severity:       7.50
Urgency:        6.58
Last Change:    Updated packages that rectify this issue are now available from Sendmail.
---------------------------------------------------------------------------

Vulnerable Systems:
  Sendmail Consortium Sendmail 8.12beta7
  Sendmail Consortium Sendmail 8.12beta5
  Sendmail Consortium Sendmail 8.12beta16
  Sendmail Consortium Sendmail 8.12beta12
  Sendmail Consortium Sendmail 8.12beta10
  Sendmail Consortium Sendmail 8.11.5
  Sendmail Consortium Sendmail 8.11.4
  Sendmail Consortium Sendmail 8.11.3
  Sendmail Consortium Sendmail 8.11.2
  Sendmail Consortium Sendmail 8.11.1
  Sendmail Consortium Sendmail 8.11

Non-Vulnerable Systems:

Summary:
Sendmail contains an input validation error that may lead to the execution of arbitrary code with elevated privileges.

Impact:
Local users may be able to write arbitrary data to process memory, possibly allowing the execution of code or commands with elevated privileges.

Technical Description:
An input validation error exists in Sendmail's debugging functionality. The flaw results from the use of signed integers in the program's tTflag() function, which processes the arguments supplied on the command line with the '-d' switch and writes the values into its internal "trace vector". It is possible to cause a signed integer overflow by supplying a large numeric value for the 'category' part of the debugger argument; this numeric value is used as an index into the trace vector.

Before the vector is written to, a check is performed to ensure that the supplied index is not greater than the size of the vector. However, because the comparison is performed on signed integers, the check can be bypassed by supplying a value large enough that, interpreted as a signed integer, it is negative: a negative index is never "greater than" the vector size, so it passes the check, and the write lands at a location before the start of the vector. This may allow an attacker to write data to anywhere within a certain range of locations in process memory. Because the '-d' command-line switch is processed before the program drops its elevated privileges, this could lead to a full system compromise. This vulnerability has been successfully exploited in a laboratory environment.

Attack Scenarios:
An attacker with local access must determine the memory offset of the program's internal tTdvect variable and of the location to which he or she wishes to have data written. The attacker must craft, as architecture-specific binary code, the commands (or 'shellcode') to be executed with higher privilege. The attacker must then run the program, using the '-d' flag to overwrite a function return address with the location of the supplied shellcode.

Exploits:
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .
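The following is an added illustration of the signed-index bypass described in the Technical Description and Attack Scenarios above. It is example code written for this page, not Sendmail's tTflag() source: the names trace_vect, TRACE_SIZE, parse_number and the helper functions are assumptions, and the example assumes a 32-bit two's-complement int, as on the platforms of the day. It places a vulnerable index computation (signed int, signed comparison, no overflow check while parsing) beside a hardened one (unsigned end to end, wrap detected during parsing), and shows how the byte offset from the trace vector to a target location is turned into the decimal 'category' value that slips under the check.

```c
/* Added example: signed-index bypass in a -d style category parser.
 * Not Sendmail's code; names and sizes below are assumptions. */
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define TRACE_SIZE 100                    /* assumed size of the toy trace vector */
static unsigned char trace_vect[TRACE_SIZE];

/* Accumulate a decimal run into an unsigned int, letting it wrap silently
 * (no overflow check), exactly the parsing weakness the advisory describes. */
static unsigned int parse_number(const char **sp)
{
    unsigned int i = 0;
    while (isdigit((unsigned char)**sp))
        i = i * 10 + (unsigned int)(*(*sp)++ - '0');
    return i;
}

/* Vulnerable pattern: the index is held in a signed int and compared signed
 * against the vector size. A category whose 32-bit value has the top bit set
 * becomes negative, so "first >= TRACE_SIZE" is false and the negative value
 * survives as the index. Returns the index the write would use. */
long vulnerable_category_index(const char *arg)
{
    const char *s = arg;
    int first = (int)parse_number(&s);    /* assumes 32-bit two's complement: wraps negative */
    if (first >= TRACE_SIZE)              /* signed compare: -1 >= 100 is false */
        first = TRACE_SIZE - 1;
    return first;                         /* real code would then do vect[first] = level */
}

/* Hardened pattern: keep the value unsigned from parsing to comparison and
 * reject a run of digits that would wrap. Returns -1 when rejected. */
long hardened_category_index(const char *arg)
{
    const char *s = arg;
    unsigned int first = 0;
    while (isdigit((unsigned char)*s)) {
        unsigned int d = (unsigned int)(*s++ - '0');
        if (first > (UINT_MAX - d) / 10)  /* first * 10 + d would exceed UINT_MAX */
            return -1;
        first = first * 10 + d;
    }
    if (first >= TRACE_SIZE)              /* unsigned compare: nothing slips under it */
        first = TRACE_SIZE - 1;
    return (long)first;
}

/* Perform the write only when the index is in bounds, so this demo never
 * corrupts its own memory. Returns 1 if written, 0 if the index was out of range. */
int apply_if_safe(long idx, unsigned char level)
{
    if (idx < 0 || idx >= TRACE_SIZE)
        return 0;
    trace_vect[idx] = level;
    return 1;
}

/* Given the byte offset from the start of the trace vector to a target
 * location (negative = before the vector), return the 32-bit category value
 * an attacker would supply so that the signed check accepts it. */
unsigned int category_for_offset(long offset)
{
    return (unsigned int)offset;          /* e.g. -256 -> 4294967040 */
}

int main(void)
{
    /* Constructed sample arguments: small, too large, and two wrapping values. */
    const char *args[] = { "5", "200", "4294967295", "4294967040", "4294967296" };
    for (size_t k = 0; k < sizeof args / sizeof args[0]; k++) {
        long v = vulnerable_category_index(args[k]);
        long h = hardened_category_index(args[k]);
        printf("-d%-11s vulnerable index=%11ld (%s)  hardened index=%ld\n",
               args[k], v, apply_if_safe(v, 1) ? "in bounds" : "OUT OF BOUNDS", h);
    }
    return 0;
}
```

The "4294967296" case shows a second failure of the same parser: the accumulator wraps all the way to 0, so the vulnerable version silently sets category 0 while the hardened one rejects the argument. In the real program the level byte written at the negative index is what overwrites memory before tTdvect; the vulnerable function here only reports where that write would land.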