Re: remote mailer daemon

From: Tom Beer <mailings(at)analogon.com>
Date: Sun, 11 Nov 2001 22:37:31 +0100

> What, please, is insecure about Sendmail?

Sendmail Security problems

8.8.5 (fixed 19970614): ``... having the HostStatusDirectory store status
under the wrong name.'' Impact: Any user on the Internet can force bounces
for messages sent from the sendmail host to any selected target.

Dan Stromberg, 19970611: ``The 5.x sendmail's are riddled with holes. You
want 8.8.5... I wouldn't be terribly surprised if new security holes in
sendmail are found less frequently now. It's undergone some stringent code
reviews. IE, calling sendmail insecure now... It -may- have changed.''

8.8.3 (fixed 19961202): ``... under some circumstances, an attacker could
get additional permissions by hard linking to files that were group writable
by the attacker.'' Impact: Any local user can take over certain groups,
depending on how the system is configured.

8.8.3 (fixed 19961202): [Only on systems configured to use the w option.]
``... it is possible to do a denial-of-service attack on MX hosts that rely
on the use of the null MX list.'' Impact: Any local user can force bounces
for messages sent to certain hosts.

8.8.2 (fixed 19961117): ``... possible to get a root shell by lying to
sendmail about argv[0] and then sending it a signal.'' Impact: Any local
user can take over the machine.

8.8.1 (fixed 19961018): [Only on systems using the (default) 9 flag.] ``...
the previous patch changed the code but didn't fix the problem.'' Impact:
Any user on the Internet can take over the machine.

8.8.0 (allegedly fixed 19961017): [Only on systems using the (default) 9
flag.] ``... an illegal 7-bit MIME-encoded text/plain message could overflow
a buffer if it was converted back to 8 bits.'' Impact: Any user on the
Internet can take over the machine.

8.8.0 (fixed 19961017): ``... environment variables that the resolver will
examine during queue runs ...'' Impact: Any local user can steal mail
addressed to unqualified domain names.

8.7.6 (fixed 19960926): ``The Timeout.* options are not safe ...'' Impact:
Any local user can force a queued message to bounce.

8.7.5 (fixed 19960917): ``It is possible to force getpwuid to fail when
writing the queue file, causing sendmail to fall back to running programs as
the default user.'' Impact: Any local user can take over the daemon account.

8.7.5 (fixed 19960917): ``some buffer overruns; in at least one case this
allows a local user to get root.'' Impact: Any local user can take over the
machine.

Brad Knowles, 19960208: ``sendmail is actually one of the more secure
processes on the machine. In fact, I understand that Eric has gotten a lot
of complaints about his tightening security up too far, and breaking certain
bits of functionality that used to work and that people liked.''

8.7.3: ``In some cases it was still possible for an attacker to insert
newlines into a queue file, thus allowing access to any user (except
root).'' Impact: Any user on the Internet can take over any non-root user.

8.6.12: ``... denial-of-service attacks possible by destroying the alias
database file by setting resource limits low.'' Impact: Any local user can
destroy sendmail's alias list.

8.6.12: ``... a bad guy can read your private files.'' Impact: Any local
user can read almost any file on the machine.

8.6.12: ``In some cases it was still possible for an attacker to insert
newlines into a queue file, thus allowing access to any user (except
root).'' Impact: Any user on the Internet can take over any non-root user.

8.6.7: ``... it was possible to read any file as root using the E (error
message) option.'' Impact: Any local user can read any file on the machine.

8.6.6: ``... it was possible to get root access by using weird values to
the -d flag.'' Impact: Any local user can take over the machine.

8.6.5: [Only on some UNIX variants.] ``... the ability to give files away on
System V-based systems proved dangerous -- don't run as the owner of a
:include: file on a system that allows giveaways.'' Impact: Any local user
can take over any non-root user.

8.6.5: ``... a glitch that snuck in that caused programs to be run as the
sender instead of the recipient if the mail was from a local user to another
local user.'' Impact: Any local user can take over any uid that sends him
email.

8.6.4: ``... group ids were not completely set when programs were invoked.''
Impact: Any local user can take over the daemon group.

8.6.4: ``... root was not treated suspiciously enough when looking into
subdirectories.'' Impact: Any local user can read world-readable files
hidden in inaccessible directories.

Reliability problems

8.8.7: [Only on some UNIX variants.] ``Mail could be delivered without a
body if the machine does not support flock locking and runs out of processes
during delivery.'' Impact: Random message destruction on heavily loaded
systems.

8.8.6: [Only on some UNIX variants.] ``... race condition that could cause
the body of a message to be lost (so only the header was delivered). This
only occurs on systems that do not use flock(2), and only when a queue
runner runs during a critical section in another message delivery.'' Impact:
Random message destruction on heavily loaded systems.

8.8.6: [Only on systems using the (default) 9 flag.] ``In certain cases,
7->8 bit MIME decoding of Base64 text could leave an extra space at the
beginning of some lines.'' Impact: Corruption of some messages.

8.8.5: ``... possible extra null byte generated during collection if errors
occur at the beginning of the stream.'' Impact: Corruption of some messages.

8.8.5: ``... possible line truncation if a quoted-printable had an =00
escape in the body.'' Impact: Corruption of some messages.

8.8.3: ``If the fork() failed in a queue run, the queue runners would not be
rescheduled (so queue runs would stop).'' Impact: Random termination of
queue runs on heavily loaded systems, leaving messages stuck in the queue
until the condition is manually corrected.

8.8.2: [Only on systems using the (default) 9 flag.] ``7 to 8 bit BASE64
MIME conversions could duplicate bits of text.'' Impact: Corruption of some
messages.

8.8.0: ``If a Base64 encoded text/plain message has no trailing newline in
the encoded text, conversion back to 8 bits will drop the final line.''
Impact: Destruction of some messages.

8.7.6: ``The IgnoreDots (i) option didn't work for lines that were terminated
with CRLF.'' Impact: Destruction of some messages.

8.7.2: ``... botch in name server timeout in RCPT code; this problem caused
two responses in SMTP, which breaks things horribly.'' Impact: Random
message loss.

8.7.1: ``... a locking race condition in ndbm, hash, and btree format
database files on some (most non-4.4-BSD based) OS architectures.'' Impact:
Random message bounces during alias-file rebuilds.

8.6.12: ``Fix possible core dump if malloc fails -- if the malloc in xalloc
failed, it called syserr which called newstr which called xalloc....''
Impact: Random termination of the sendmail process on heavily loaded
systems, leaving messages stuck in the queue until the condition is manually
corrected.

8.6.12: [Only on systems configured to use $#error.] ``... problem when a
mail address is resolved to a $#error mailer with a temporary failure
indication; it works in SMTP, but when delivering locally the mail is
silently discarded.'' Impact: Random message loss.

8.6.12: ``Fix problem that could cause multiple responses to DATA command on
header syntax errors (e.g., lines beginning with colons).'' Impact: Random
loss of valid messages sent in a multiple-message SMTP connection.

8.6.12: ``... null bytes in headers cause truncation of the rest of the
header.'' Impact: Destruction of some messages.

8.6.12: ``... leading ``phrase:'' and trailing ``;'' as ...'' Impact:
Corruption of the To lines in some messages.

8.6.9: ``... problem that would silently drop "too many hops" error messages
if and only if you were sending to an alias.'' Impact: Loss of certain types
of bounce messages.

8.6.8: ``... df* temporary file ... existing data in the file'' Impact:
Random message corruption.

8.6.4: ``... bug that caused the last header line of messages that had no
body and which were terminated with EOF instead of "." to be discarded.''
Impact: Destruction of some messages.

8.6.4: ``If the mailer returned EX_IOERR or EX_OSERR, sendmail did not
return an error message and did not requeue the message.'' Impact: Random
message loss.

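An added example, not part of Tom Beer's post and not sendmail's own code: a small vulnerability-management check that turns the security list above into data and answers, for a given sendmail version or SMTP banner, which of the listed problems still apply. It assumes the reading that each version heading names the last affected release (the fix landed in the following release); the one-line summaries are paraphrases of the quoted entries, and the banner string in the usage is constructed.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Transcribed from the post's "Sendmail Security problems" list:
# (last affected version, fix date as given, paraphrased summary).
# Assumption: the version heading is the last release carrying the bug.
SENDMAIL_SECURITY_ISSUES: List[Tuple[str, str, str]] = [
    ("8.8.5", "19970614", "HostStatusDirectory misfiling; remote forced bounces"),
    ("8.8.3", "19961202", "hard links to group-writable files; local group takeover"),
    ("8.8.3", "19961202", "null MX list DoS (w option only); local forced bounces"),
    ("8.8.2", "19961117", "argv[0] lie plus signal; local root shell"),
    ("8.8.1", "19961018", "7->8 bit MIME patch incomplete (9 flag); remote root"),
    ("8.8.0", "19961017", "7-bit MIME text/plain overflow (9 flag); remote root"),
    ("8.8.0", "19961017", "resolver env vars in queue runs; local mail theft"),
    ("8.7.6", "19960926", "Timeout.* options unsafe; local forced bounce"),
    ("8.7.5", "19960917", "getpwuid failure -> default user; daemon takeover"),
    ("8.7.5", "19960917", "buffer overruns; local root"),
    ("8.7.3", "", "newlines in queue file; remote takeover of non-root users"),
    ("8.6.12", "", "alias DB destroyed via low resource limits; local DoS"),
    ("8.6.12", "", "private file read; local user reads almost any file"),
    ("8.6.12", "", "newlines in queue file; remote takeover of non-root users"),
    ("8.6.7", "", "E (error message) option reads any file as root"),
    ("8.6.6", "", "weird -d flag values; local root"),
    ("8.6.5", "", ":include: owner on chown-giveaway systems; non-root takeover"),
    ("8.6.5", "", "programs run as sender for local-to-local mail; uid takeover"),
    ("8.6.4", "", "group ids not fully set for invoked programs; daemon group"),
    ("8.6.4", "", "root not suspicious of subdirectories; hidden file read"),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract the first x.y.z version from a bare version string or an
    SMTP greeting such as '220 host ESMTP Sendmail 8.8.3/8.8.3; ...'.
    Components are compared as integers so 8.6.12 sorts above 8.6.4."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def affected_issues(text: str) -> List[Tuple[str, str, str]]:
    """Return the listed issues that still apply to the version named in
    `text`: every entry whose last-affected version is >= the running one."""
    running = parse_version(text)
    if running is None:
        raise ValueError("no x.y.z version found in %r" % text)
    return [
        entry for entry in SENDMAIL_SECURITY_ISSUES
        if parse_version(entry[0]) >= running
    ]


if __name__ == "__main__":
    # Constructed banner for illustration; not a real host.
    banner = "220 mail.example.test ESMTP Sendmail 8.8.3/8.8.3; Sun, 11 Nov 2001"
    for last_affected, fixed, summary in affected_issues(banner):
        when = fixed or "date not given"
        print("%-7s fixed %-14s %s" % (last_affected, when, summary))
```

The comparison is deliberately on integer tuples rather than strings, since a string compare would rank "8.6.4" above "8.6.12"; the same helper works for any banner that embeds an x.y.z version.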
Received on Sun 11 Nov 2001 - 22:37:44 CET