From: Michal Zalewski <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Sendmail: -1 gone wild

CVE: CAN-2003-0161
CERT: VU#897604

There is a vulnerability in Sendmail versions 8.12.8 and prior. The address parser performs insufficient bounds checking in certain conditions due to a char-to-int conversion, making it possible for an attacker to take control of the application. This problem is not related to the recent ISS vulnerability announcement.

It is possible for the attacker to repeatedly skip the length check location in this function because of an unfortunate construction of a "special" control value check. A special value, NOCHAR, is defined as -1. There is a variable 'c', declared as int, that is also used to store the last character read, and it is sometimes assigned the value NOCHAR to indicate a special condition. On platforms where char is signed, a byte with its high bit set is sign-extended when converted to int, so an input byte whose signed value is -1 becomes indistinguishable from NOCHAR once it is stored in 'c', and the code path guarded by the NOCHAR test (where the length check lives) is not taken.

Since precise control of the overwrite process is possible (length, offset and layout are up to the attacker), even though the values are mostly fixed, it is reasonable to expect that this vulnerability will be easy to exploit on little endian systems. Even on big endian systems, it might still be possible to alter important control variables on the stack, and you are generally advised to upgrade.

--
_____________________________________________________________
Regards, Nikola
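The sentinel collision the advisory describes, shown as an added C example that is not Sendmail's code or the author's: a hypothetical token scanner, `scan_token`, keeps an in-band sentinel `NOCHAR == -1` in an `int` and performs its only length check on the path for "real" characters. When input bytes are widened through `signed char` (written out explicitly here so the demonstration does not depend on the platform's default signedness of `char`), a 0xFF byte arrives as -1, is mistaken for the sentinel, and the check is skipped on every such byte; widening through `unsigned char` keeps every input byte in 0..255 and the sentinel can never be hit from the outside. All names, the buffer sizes and the constructed input are assumptions for the example; writes go to an oversized scratch buffer so the program only reports the overrun it would have caused.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* In-band sentinel meaning "no character pending". Any value that a
 * legitimate input byte can also produce is a collision waiting to happen. */
#define NOCHAR   (-1)
#define MAXTOKEN 8     /* size of the fixed token buffer being protected (assumed) */
#define SHADOW   256   /* oversized scratch buffer so the demo never corrupts memory */

/*
 * Hypothetical token scanner (constructed for this example, not Sendmail's code).
 * Appends bytes from `in` to a token until NUL or `n` bytes, enforcing MAXTOKEN
 * only on the path taken for "real" characters (c != NOCHAR).
 *
 *   use_signed_char == 1  reproduces the defect: bytes are widened through
 *                         signed char, so 0xFF becomes -1 == NOCHAR.
 *   use_signed_char == 0  is the fix: bytes are widened through unsigned char,
 *                         so they land in 0..255 and never equal the sentinel.
 *
 * Returns the number of bytes that would have been stored (a value above
 * MAXTOKEN means the real fixed buffer would have overflowed), or -1 when the
 * scanner correctly rejected the token as too long. *skipped counts how many
 * times the length check was bypassed by an input byte posing as the sentinel.
 */
static int scan_token(const unsigned char *in, size_t n, int use_signed_char, int *skipped)
{
    char shadow[SHADOW];
    int len = 0;
    *skipped = 0;

    for (size_t i = 0; i < n && len < SHADOW; i++) {
        int c = use_signed_char ? (int)(signed char)in[i] : (int)in[i];
        if (c == '\0')
            break;

        if (c != NOCHAR) {
            /* The only bounds check; it assumes a sentinel is never data. */
            if (len >= MAXTOKEN)
                return -1;
        } else {
            (*skipped)++;   /* an input byte masqueraded as the control value */
        }

        /* The store happens on every path, so a skipped check is an unchecked write. */
        shadow[len++] = (char)c;
    }
    return len;
}

/* Helpers that build the constructed inputs, so results can be checked by name. */
static int scan_ff_bytes(size_t count, int use_signed_char)
{
    unsigned char buf[SHADOW];
    int skipped;
    if (count > SHADOW) count = SHADOW;
    memset(buf, 0xFF, count);           /* constructed input: `count` bytes of 0xFF */
    return scan_token(buf, count, use_signed_char, &skipped);
}

static int skipped_ff_bytes(size_t count, int use_signed_char)
{
    unsigned char buf[SHADOW];
    int skipped;
    if (count > SHADOW) count = SHADOW;
    memset(buf, 0xFF, count);
    (void)scan_token(buf, count, use_signed_char, &skipped);
    return skipped;
}

static int scan_cstr(const char *s, int use_signed_char)
{
    int skipped;
    return scan_token((const unsigned char *)s, strlen(s), use_signed_char, &skipped);
}

int main(void)
{
    int bad = scan_ff_bytes(12, 1), good = scan_ff_bytes(12, 0);
    printf("signed char read:   stored=%d, checks skipped=%d -> %s\n", bad,
           skipped_ff_bytes(12, 1), bad > MAXTOKEN ? "buffer would overflow" : "ok");
    printf("unsigned char read: result=%d, checks skipped=%d -> %s\n", good,
           skipped_ff_bytes(12, 0), good < 0 ? "rejected as too long" : "ok");
    printf("plain 10-byte token: signed=%d unsigned=%d (both rejected)\n",
           scan_cstr("abcdefghij", 1), scan_cstr("abcdefghij", 0));
    return 0;
}
```

The fix is the widening rule, not the check: keeping the sentinel out of the range any input byte can occupy (by reading through `unsigned char`, as the standard I/O functions do) makes the bounds check unskippable. Ordinary ASCII input behaves identically in both modes, which is why this class of defect survives normal testing and only shows up on data with the high bit set.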
