Internet Security Systems Security Advisory
March 3, 2003
Remote Sendmail Header Processing Vulnerability
Synopsis:
ISS X-Force has discovered a buffer overflow vulnerability in the Sendmail
Mail Transfer Agent (MTA). Sendmail is the most common MTA and has been
documented to handle between 50% and 75% of all Internet email traffic.
Impact:
Attackers may remotely exploit this vulnerability to gain "root" or superuser
control of any vulnerable Sendmail server. Sendmail and all other email
servers are typically exposed to the Internet in order to send and receive
Internet email. Vulnerable Sendmail servers will not be protected by legacy
security devices such as firewalls and/or packet filters. This vulnerability
is especially dangerous because the exploit can be delivered within an email
message and the attacker doesn't need any specific knowledge of the target to
launch a successful attack.
Affected Versions:
Sendmail versions from 5.79 to 8.12.7 are vulnerable
Note: The affected versions of Sendmail commercial, Sendmail open source
running on all platforms are known to be vulnerable.
Description:
The Sendmail remote vulnerability occurs when processing and evaluating
header fields in email collected during an SMTP transaction. Specifically,
when fields are encountered that contain addresses or lists of addresses
(such as the "From" field, "To" field and "CC" field), Sendmail attempts
to semantically evaluate whether the supplied address (or list of addresses)
are valid. This is accomplished using the crackaddr() function, which is
located in the headers.c file in the Sendmail source tree.
A static buffer is used to store data that has been processed. Sendmail
detects when this buffer becomes full and stops adding characters, although
it continues processing. Sendmail implements several security checks to
ensure that characters are parsed correctly. One such security check is
flawed, making it possible for a remote attacker to send an email with a
specially crafted address field that triggers a buffer overflow.
X-Force has demonstrated that this vulnerability is exploitable in real-
world conditions on production Sendmail installations. This vulnerability is
readily exploitable on x86 architecture systems, and may be exploitable on
others as well.
Protection mechanisms such as implementation of a non-executable stack do not
offer any protection from exploitation of this vulnerability. Successful
exploitation of this vulnerability does not generate any log entries.
Recommendations:
For identification of potentially vulnerable systems, Internet Security
Systems has provided the following assessment checks:
Internet Scanner XPU 6.24
MtaDiscovery - (<
http://www.iss.net/security_center/static/10961.php>)
Internet Scanner XPU 6.26
SendmailRunning - (<
http://www.iss.net/security_center/static/2938.php>)
System Scanner SR 3.13
sendmail-header-processing-bo -
(<
http://www.iss.net/security_center/static/10748.php>)
For Dynamic Threat Protection, Internet Security Systems recommends applying a
Virtual Patch for the Sendmail vulnerability. Employ the following protection
techniques through ISS' Dynamic Threat Protection platform.
RealSecure Network Sensor XPU 20.9 and 5.8:
SMTP_Sendmail_Header_Parse_Overflow -
(
http://www.iss.net/security_center/static/10748.php)
All updates listed above are available from the ISS Download center
(
http://www.iss.net/download)
For Manual Protection, the affected vendor has offered the following
recommendations:
Sendmail urges all users to either upgrade to Sendmail 8.12.8 or apply a patch
for 8.12.x (or for older versions). Updates can be downloaded from
ftp.sendmail.org or any of its mirrors (try a mirror near to you first), see
http://www.sendmail.org/ for details. Remember to check the PGP signatures of
patches or releases obtained. For those not running the open source version,
check with your vendor for a patch. Sendmail, Inc., the commercial provider of
the sendmail MTA, is providing a binary patch for their commercial customers.
The patch can be downloaded from Sendmail's Web site at:
http://www.sendmail.com/
Sendmail versions that are patched will record the following log entry when
exploitation is attempted: "Dropped invalid comments from header address".
Vendor Notification Schedule:
Initial vendor notification: 1/13/2003
Initial vendor confirmation: 1/13/2003
Final release schedule confirmation: 1/31/2003
ISS X-Force worked with Sendmail throughout the notification and release
process. X-Force would like to thank Sendmail for their cooperation as well as
the National Infrastructure Protection Center (NIPC) for coordinating this
issue with elements of National critical infrastructure.
Additional Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2002-1337 to this issue. This is a candidate for inclusion in the CVE
list
http://cve.mitre.org), which standardizes names for security problems.
If you are a RealSecure Server Sensor customer, please email
Support@iss.net
for additional protection information. Please enter the words "Server
Sensor - Sendmail" in the subject line of your email.
X-Force Database
http://www.iss.net/security_center/static/10748.php
For more information on ISS methodology and procedures involved in Security
Advisory publication, please review the X-Force Vulnerability Disclosure
Guidelines document:
http://documents.iss.net/literature/...guidelines.pdf
Credit:
This vulnerability was discovered and researched by Mark Dowd of the ISS
X-Force.
