Nickola Kolev wrote:
> From: Michal Zalewski <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Sendmail: -1 gone wild
>
> CVE: CAN-2003-0161
> CERT: VU#897604
>
>
> There is a vulnerability in Sendmail versions 8.12.8 and prior. The
> address parser performs insufficient bounds checking in certain conditions
> due to a char to int conversion, making it possible for an attacker to
> take control of the application. This problem is not related to the recent
> ISS vulnerability announcement.
>
> It is possible for the attacker to repeatedly skip the length check
> location in this function because of an unfortunate construction of a
> "special" control value check. A special value, NOCHAR, is defined as -1.
> There is a variable 'c', also used to store last read character, declared
> as int, and the variable will be sometimes assigned the value of NOCHAR to
> indicate a special condition.
>
> Since precise control of the overwrite process is possible (length, offset
> and layout are up to the attacker), even though the values are mostly
> fixed, it is reasonable to expect that this vulnerability will be easy to
> exploit on little endian systems. Even on big endian systems, it might be
> still possible to alter important control variables on the stack, and you
> are generally advised to upgrade.
This has been under discussion on the full-disclosure mailing list for about a week. I recommend that everyone subscribe to it; on bugtraq things have been getting quite slooooow lately.

--
Georgi Chorbadzhiyski
http://georgi.unixsol.org/

A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
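The char-to-int sentinel collision the quoted advisory describes, as an added illustration written for this page (not Sendmail's source and not Zalewski's code): a byte read through a signed char sign-extends to -1 and becomes indistinguishable from the NOCHAR control value, while widening through unsigned char keeps every real byte in 0..255. The names read_byte_signed, read_byte_unsigned and count_false_sentinels and the sample input are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

#define NOCHAR (-1)   /* sentinel meaning "no character read", as in the advisory */

/* Vulnerable pattern: the last byte read is stored in an int after going
 * through a signed char. Byte 0xFF sign-extends to -1 and now compares equal
 * to NOCHAR. Plain char is signed on x86; signed char is spelled out here so
 * the demonstration behaves identically on every platform. */
int read_byte_signed(const char *p) {
    return (signed char)*p;
}

/* Hardened pattern: widen through unsigned char, so every real byte maps to
 * 0..255 and only the sentinel itself can ever equal -1. */
int read_byte_unsigned(const char *p) {
    return (unsigned char)*p;
}

/* Scan an input and count how many ordinary data bytes the given reader
 * mistakes for the NOCHAR control value. */
size_t count_false_sentinels(const char *in, size_t len,
                             int (*read_byte)(const char *)) {
    size_t hits = 0;
    for (size_t i = 0; i < len; i++)
        if (read_byte(in + i) == NOCHAR)
            hits++;
    return hits;
}

/* Constructed sample input with two 0xFF bytes embedded among plain text
 * (split into adjacent literals so "\xff" does not swallow the hex digits
 * that follow it). */
static const char sample[] = "ab\xff" "cd\xff" "e";
static const size_t sample_len = sizeof(sample) - 1;

int main(void) {
    /* Exit 0 when the signed reader misclassifies both 0xFF bytes and the
     * unsigned reader misclassifies none. */
    return (count_false_sentinels(sample, sample_len, read_byte_signed) == 2 &&
            count_false_sentinels(sample, sample_len, read_byte_unsigned) == 0) ? 0 : 1;
}
```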
