Bugtraq mailing list archives
Re: so...
From: chasin () crimelab crimelab com (Scott Chasin)
Date: Tue, 15 Mar 94 20:47:38 CST
So, does anyone know anything about this new Sendmail bug other than that it exists?

Perry
From sendmail.8.6.7 dist:
8.6.7/8.6.6 94/03/14 SECURITY: it was possible to get root access by using weird values to the -d flag. Thanks to Alain Durand of INRIA for forwarding me the notice from the bugtraq list.
Bonfield James <jkb () mrc-lmb cam ac uk> reported the bug which allows one to enter a number greater than normal address space ranges that are used in its array index.

    % sendmail -d3294967296

"If this causes a segmentation fault then you'll likely have a bug in your version of sendmail. The problem is that numbers in this range may skip the range checks and result in accessing negative indexes into the debug array. Hence it is possible to write to locations in memory before the debug array. I've tested this on the standard Solaris 2.3 distribution and have successfully obtained root access using this method. I have also tested on Ultrix 4.2A (apparently has no problem), DEC OSF/1 V1.2 (has a problem), and SunOS4.1 (also has a problem)."

FIX: For BSD based versions:

In trace.c a function tTflag() starts with the lines:

    tTflag(s)
        register char *s;
    {
        int first, last;
        register int i;

This should be changed to:

    tTflag(s)
        register char *s;
    {
        unsigned int first, last;
        register unsigned int i;

--S

--
Scott Chasin <chasin () crimelab com>
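The signed-versus-unsigned difference behind the fix above, as an added example that is not part of the original post and is not sendmail's code. It is a simplified model: TT_SIZE, the helper names, and an upper-bound-only range check that clamps to the last slot are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define TT_SIZE 100 /* assumed size of the debug array (illustrative) */

/* Accumulate decimal digits with 32-bit wraparound; uint32_t keeps the
 * wrap well defined in this demo. */
static uint32_t parse_digits(const char *s)
{
    uint32_t v = 0;
    while (*s >= '0' && *s <= '9')
        v = v * 10u + (uint32_t)(*s++ - '0');
    return v;
}

/* Model of the check with "int first": the 32-bit pattern is read as
 * two's complement and only the upper bound is tested (assumed check). */
int64_t index_signed(const char *s)
{
    uint32_t v = parse_digits(s);
    int64_t first = (v & 0x80000000u) ? (int64_t)v - 4294967296LL : (int64_t)v;
    if (first >= TT_SIZE)
        first = TT_SIZE - 1;
    return first; /* negative values reach the array untouched */
}

/* Model of the check with "unsigned int first", as in the posted fix. */
int64_t index_unsigned(const char *s)
{
    uint32_t first = parse_digits(s);
    if (first >= TT_SIZE)
        first = TT_SIZE - 1;
    return (int64_t)first; /* always within 0 .. TT_SIZE-1 */
}

int main(void)
{
    /* Constructed inputs; the last is the value from the post. */
    const char *args[] = { "5", "150", "3294967296" };
    for (int i = 0; i < 3; i++)
        printf("-d%-11s signed index %11lld   unsigned index %lld\n", args[i],
               (long long)index_signed(args[i]), (long long)index_unsigned(args[i]));
    return 0;
}
```

With the signed type the value from the post passes the upper-bound test as a large negative index, while the unsigned type keeps every input inside the array.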