mailing list archives
Re: sendmail 8.12.8 available
From: Neil W Rickert <rickert+bt () cs niu edu>
Date: Tue, 04 Mar 2003 17:14:27 -0600
"Mordechai T. Abzug" <morty () frakir org> wrote:
Question: are the header and ident issues *only* remote overflow
problems, or is this also a local vulnerability? Ie. if one has a
system that doesn't run sendmail in daemon mode (-bd), but does make
sendmail available as an SUID root binary for submission to the local
smarthost and does run sendmail is queue-process mode (ie. -q15m), is
the system still vulnerable? Given that the problem is in the header
parsing, I would expect this to be both a remote and a local problem,
but I'd like to make sure before doing lots of upgrades.
I don't think there has been a comment on this yet.
Sendmail will only use "ident" when receiving mail on a network
connection. There is no local exploit available there if sendmail is
not listening on the net. Possibly a local user could invoke
"sendmail -bs" with stdin/stdout assigned to a connected socket. In
that case there might be an ident call.
For the header problem, any buffer overflow would occur while sending
the message, not while receiving it. Whether the message originated
locally or over the network will matter. Thus there is a potential
problem for local exploits with an SUID sendmail binary.
In particular, if you have old sendmail binaries left around that you
haven't deleted, you should at least turn off any SUID and SGID
privileges. Incidently that's a good practice for old disused
versions of any program.