Sendmail 8.9.x vulnerable to SIGKILL alias file killing
--------------------------------------------------------------------------------
SUMMARY
It's been a while since the Sendmail daemon was vulnerable to attack, but
just before we thought it was okay to use Sendmail again, another security
hole was discovered.
Recent Sendmail versions (8.9.x) contain a vulnerability: any local user
who is able to get Sendmail killed while it processes the 'alias.db' file
can leave 'alias.db' corrupt, resulting in a Denial of Service against
Sendmail.
DETAILS
Sendmail, up to the recent 8.9.x versions, allows any user to pass the
'-bi' parameter to /usr/sbin/sendmail. This results in a rebuild of the
aliases database. The alias database is opened in the following way:
5366 open("/etc/aliases.db", O_RDWR|O_TRUNC) = 6
There is a delay of approximately 0.1 sec while /etc/aliases.db is
processed (on many common systems). In the meantime, a luser can deliver
any signal, such as SIGKILL, to the Sendmail process. After that,
/etc/aliases.db is left in an unusable state (no EOF marker), causing a DoS:
220 Marchew ESMTP Mail Service at nimue.ids.pl ready.
mail from: myself
451 Cannot open hash database /etc/aliases: Invalid argument
rcpt to: lcamtuf
503 Need MAIL before RCPT
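The corruption follows from truncating the live database before its
replacement is complete. The following C code is an added example, not
Sendmail's code or the discoverer's: it contrasts that in-place pattern with
a write-to-temp-then-rename rebuild. The function names, the demo path and
the 'cut' parameter (which simulates the process dying after that many bytes)
are assumptions.

```c
/* Added example: in-place O_TRUNC rebuild vs. write-then-rename. Names and paths are
 * hypothetical; `cut` simulates the writer dying after `cut` bytes (cut >= len: completes). */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

static long file_size(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Write min(len, cut) bytes; return 1 only if the whole record set was written. */
static int write_some(int fd, const char *data, size_t len, size_t cut) {
    size_t n = len < cut ? len : cut;
    if (write(fd, data, n) != (ssize_t)n) return 0;
    return cut >= len;
}

/* Pattern from the trace: the live file is truncated before any new data exists. */
int rebuild_in_place(const char *path, const char *data, size_t len, size_t cut) {
    int fd = open(path, O_RDWR | O_TRUNC);
    if (fd < 0) return -1;
    int done = write_some(fd, data, len, cut);
    close(fd);
    return done ? 0 : -1;   /* on failure the live file is already damaged */
}

/* Hardened pattern: build a private temp file, fsync it, then rename() it over the
 * live file. rename() is atomic, so readers see either the old file or the new one. */
int rebuild_atomic(const char *path, const char *data, size_t len, size_t cut) {
    char tmp[4096];
    snprintf(tmp, sizeof tmp, "%s.tmp.%ld", path, (long)getpid());
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;
    int done = write_some(fd, data, len, cut) && fsync(fd) == 0;
    close(fd);
    if (!done) { unlink(tmp); return -1; }  /* a real kill skips this; live file still intact */
    return rename(tmp, path);
}

int main(void) {
    const char *p = "/tmp/aliases-demo.db";            /* constructed sample path */
    rebuild_atomic(p, "old-alias-data", 14, 14);       /* seed a valid file */
    rebuild_atomic(p, "new-alias-data-v2", 17, 5);     /* interrupted rebuild */
    printf("atomic, interrupted:   %ld bytes\n", file_size(p));
    rebuild_in_place(p, "new-alias-data-v2", 17, 5);   /* interrupted rebuild */
    printf("in-place, interrupted: %ld bytes\n", file_size(p));
    return unlink(p);
}
```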
ADDITIONAL INFORMATION
This vulnerability was discovered by Michal Zalewski.