> Was bitte ist an Sendmail unsicher?
Sendmail Security problems
8.8.5 (fixed 19970614): ``... having the HostStatusDirectory store status
under the wrong name.'' Impact: Any user on the Internet can force bounces
for messages sent from the sendmail host to any selected target.
Dan Stromberg, 19970611: ``The 5.x sendmail's are riddled with holes. You
want 8.8.5... I wouldn't be terribly surprised if new security holes in
sendmail are found less frequently now. It's undergone some stringent code
reviews. IE, calling sendmail insecure now... It -may- have changed.''
8.8.3 (fixed 19961202): ``... under some circumstances, an attacker could
get additional permissions by hard linking to files that were group writable
by the attacker.'' Impact: Any local user can take over certain groups,
depending on how the system is configured.
8.8.3 (fixed 19961202): [Only on systems configured to use the w option.]
``... it is possible to do a denial-of-service attack on MX hosts that rely
on the use of the null MX list.'' Impact: Any local user can force bounces
for messages sent to certain hosts.
8.8.2 (fixed 19961117): ``... possible to get a root shell by lying to
sendmail about argv[0] and then sending it a signal.'' Impact: Any local
user can take over the machine.
8.8.1 (fixed 19961018): [Only on systems using the (default) 9 flag.] ``...
the previous patch changed the code but didn't fix the problem.'' Impact:
Any user on the Internet can take over the machine.
8.8.0 (allegedly fixed 19961017): [Only on systems using the (default) 9
flag.] ``... an illegal 7-bit MIME-encoded text/plain message could overflow
a buffer if it was converted back to 8 bits.'' Impact: Any user on the
Internet can take over the machine.
8.8.0 (fixed 19961017): ``... environment variables that the resolver will
examine during queue runs ...'' Impact: Any local user can steal mail
addressed to unqualified domain names.
8.7.6 (fixed 19960926): ``The Timeout.* options are not safe ...'' Impact:
Any local user can force a queued message to bounce.
8.7.5 (fixed 19960917): ``It is possible to force getpwuid to fail when
writing the queue file, causing sendmail to fall back to running programs as
the default user.'' Impact: Any local user can take over the daemon account.
8.7.5 (fixed 19960917): ``some buffer overruns; in at least one case this
allows a local user to get root.'' Impact: Any local user can take over the
machine.
Brad Knowles, 19960208: ``sendmail is actually one of the more secure
processes on the machine. In fact, I understand that Eric has gotten a lot
of complaints about his tightening security up too far, and breaking certain
bits of functionality that used to work and that people liked.''
8.7.3: ``In some cases it was still possible for an attacker to insert
newlines into a queue file, thus allowing access to any user (except
root).'' Impact: Any user on the Internet can take over any non-root user.
8.6.12: ``... denial-of-service attacks possible by destroying the alias
database file by setting resource limits low.'' Impact: Any local user can
destroy sendmail's alias list.
8.6.12: ``... a bad guy can read your private files.'' Impact: Any local
user can read almost any file on the machine.
8.6.12: `` In some cases it was still possible for an attacker to insert
newlines into a queue file, thus allowing access to any user (except
root).'' Impact: Any user on the Internet can take over any non-root user.
8.6.7: ``... it was possible to read any file as root using the E (error
message) option.'' Impact: Any local user can read any file on the machine.
8.6.6: ``... it was possible to get root access by using weird values to
the -d flag.'' Impact: Any local user can take over the machine.
8.6.5: [Only on some UNIX variants.] ``... the ability to give files away on
System V-based systems proved dangerous -- don't run as the owner of a
:include: file on a system that allows giveaways.'' Impact: Any local user
can take over any non-root user.
8.6.5: ``... a glitch that snuck in that caused programs to be run as the
sender instead of the recipient if the mail was from a local user to another
local user.'' Impact: Any local user can take over any uid that sends him
email.
8.6.4: ``... group ids were not completely set when programs were invoked.''
Impact: Any local user can take over the daemon group.
8.6.4: ``... root was not treated suspiciously enough when looking into
subdirectories.'' Impact: Any local user can read world-readable files
hidden in inaccessible directories.
Reliability problems
8.8.7: [Only on some UNIX variants.] ``Mail could be delivered without a
body if the machine does not support flock locking and runs out of processes
during delivery.'' Impact: Random message destruction on heavily loaded
systems.
8.8.6: [Only on some UNIX variants.] ``... race condition that could cause
the body of a message to be lost (so only the header was delivered). This
only occurs on systems that do not use flock(2), and only when a queue
runner runs during a critical section in another message delivery.'' Impact:
Random message destruction on heavily loaded systems.
8.8.6: [Only on systems using the (default) 9 flag.] ``In certain cases,
7->8 bit MIME decoding of Base64 text could leave an extra space at the
beginning of some lines.'' Impact: Corruption of some messages.
8.8.5: ``... possible extra null byte generated during collection if errors
occur at the beginning of the stream.'' Impact: Corruption of some messages.
8.8.5: ``... possible line truncation if a quoted-printable had an =00
escape in the body.'' Impact: Corruption of some messages.
8.8.3: ``If the fork() failed in a queue run, the queue runners would not be
rescheduled (so queue runs would stop).'' Impact: Random termination of
queue runs on heavily loaded systems, leaving messages stuck in the queue
until the condition is manually corrected.
8.8.2: [Only on systems using the (default) 9 flag.] ``7 to 8 bit BASE64
MIME conversions could duplicate bits of text.'' Impact: Corruption of some
messages.
8.8.0: ``If a Base64 encoded text/plain message has no trailing newline in
the encoded text, conversion back to 8 bits will drop the final line.''
Impact: Destruction of some messages.
8.7.6: ``The IngoreDot (i) option didn't work for lines that were terminated
with CRLF.'' Impact: Destruction of some messages.
8.7.2: ``... botch in name server timeout in RCPT code; this problem caused
two responses in SMTP, which breaks things horribly.'' Impact: Random
message loss.
8.7.1: ``... a locking race condition in ndbm, hash, and btree format
database files on some (most non-4.4-BSD based) OS architectures.'' Impact:
Random message bounces during alias-file rebuilds.
8.6.12: ``Fix possible core dump if malloc fails -- if the malloc in xalloc
failed, it called syserr which called newstr which called xalloc....''
Impact: Random termination of the sendmail process on heavily loaded
systems, leaving messages stuck in the queue until the condition is manually
corrected.
8.6.12: [Only on systems configured to use $#error.] ``... problem when a
mail address is resolved to a $#error mailer with a temporary failure
indication; it works in SMTP, but when delivering locally the mail is
silently discarded.'' Impact: Random message loss.
8.6.12: ``Fix problem that could cause multiple responses to DATA command on
header syntax errors (e.g., lines beginning with colons).'' Impact: Random
loss of valid messages sent in a multiple-message SMTP connection.
8.6.12: ``... null bytes in headers cause truncation of the rest of the
header.'' Impact: Destruction of some messages.
8.6.12: ``... leading ``phrase:'' and trailing ``;'' as ...'' Impact:
Corruption of the To lines in some messages.
8.6.9: ``... problem that would silently drop "too many hops" error messages
if and only if you were sending to an alias.'' Impact: Loss of certain types
of bounce messages.
8.6.8: ``... df* temporary file ... existing data in the file'' Impact:
Random message corruption.
8.6.4: ``... bug that caused the last header line of messages that had no
body and which were terminated with EOF instead of "." to be discarded.''
Impact: Destruction of some messages.
8.6.4: ``If the mailer returned EX_IOERR or EX_OSERR, sendmail did not
return an error message and did not requeue the message.'' Impact: Random
message loss.
To Unsubscribe: send mail to majordomo(at)de.FreeBSD.org
with "unsubscribe de-bsd-questions" in the body of the message
Received on Sun 11 Nov 2001 - 22:37:44 CET