Bugtraq mailing list archives

Re: so...


From: chasin () crimelab crimelab com (Scott Chasin)
Date: Tue, 15 Mar 94 20:47:38 CST


So, does anyone know anything about this new Sendmail bug other than
that it exists?
 
Perry

From sendmail.8.6.7 dist:

8.6.7/8.6.6   94/03/14
SECURITY: it was possible to get root access by using weird
          values to the -d flag.  Thanks to Alain Durand of
          INRIA for forwarding me the notice from the bugtraq list.

Bonfield James <jkb () mrc-lmb cam ac uk> reported the bug which allows
one to enter a number greater than normal address space ranges that
are used in its array index.

% sendmail -d3294967296

"If this causes a segmentation fault then you'll likely have a bug in your
version of sendmail. The problem is that numbers in this range may skip the
range checks and result in accessing negative indexes into the debug array.
Hence it is possible to write to locations in memory before the debug array

I've tested this on the standard Solaris 2.3 distribution and have
successfully obtained root access using this method. I have also tested on
Ultrix 4.2A (apparently has no problem), DEC OSF/1 V1.2 (has a problem), and
SunOS4.1 (also has a problem)."


FIX:

For BSD based versions:
  
In trace.c a function tTflag() starts with the lines:
  
tTflag(s)
        register char *s;
{
        int first, last;
        register int i;
  
This should be changed to:
  
tTflag(s)
        register char *s;
{
        unsigned int first, last;
        register unsigned int i;



--S

--
Scott Chasin <chasin () crimelab com>
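As an added illustration (not sendmail's trace.c and not from the post), a small model of the tTflag range parse with `int` versus `unsigned int` index variables, assuming a 100-entry debug vector and a clamp-style upper-bound check; it reports which indexes the fill loop would touch instead of writing memory, so the effect of the sign bit on the range check can be seen directly.

```c
#include <stdint.h>
#include <stdio.h>

#define TTSIZE 100   /* assumed size of the debug vector (constructed value) */

/* Result of one "-d" range request: the index interval the fill loop would touch. */
typedef struct {
    long long lo, hi;      /* first and last index written (lo > hi means no writes) */
    int out_of_bounds;     /* 1 if any touched index lies outside [0, TTSIZE) */
} outcome_t;

/* Decimal digits accumulated in 32-bit unsigned arithmetic, which wraps mod 2^32
 * instead of being undefined; models the 32-bit accumulator of the era. */
static uint32_t digits32(const char **sp) {
    uint32_t v = 0;
    while (**sp >= '0' && **sp <= '9') {
        v = v * 10u + (uint32_t)(**sp - '0');
        (*sp)++;
    }
    return v;
}

/* Interpret the parsed value as the index variable would: unsigned keeps it as is,
 * signed int reinterprets values >= 2^31 as negative (done without signed overflow). */
static long long as_index(uint32_t v, int use_unsigned) {
    if (use_unsigned || v < 0x80000000u) return (long long)v;
    return (long long)v - 4294967296LL;   /* e.g. 3294967296 -> -1000000000 */
}

/* spec is "first" or "first-last"; use_unsigned selects the fixed declarations. */
outcome_t simulate_tTflag(const char *spec, int use_unsigned) {
    outcome_t o = {0, 0, 0};
    long long first = as_index(digits32(&spec), use_unsigned), last = first;
    if (*spec == '-') { spec++; last = as_index(digits32(&spec), use_unsigned); }
    /* Upper-bound check only: a negative (signed) value passes it untouched. */
    if (first >= TTSIZE) first = TTSIZE - 1;
    if (last  >= TTSIZE) last  = TTSIZE - 1;
    o.lo = first;
    o.hi = last;
    o.out_of_bounds = (first <= last) && (first < 0);   /* high end is already clamped */
    return o;
}

int main(void) {
    const char *specs[] = {"3294967296", "3294967296-10", "5-20"};
    int m, k;
    for (m = 0; m < 2; m++)
        for (k = 0; k < 3; k++) {
            outcome_t o = simulate_tTflag(specs[k], m);
            printf("%-8s -d%-15s -> indexes %lld..%lld %s\n", m ? "unsigned" : "signed",
                   specs[k], o.lo, o.hi, o.out_of_bounds ? "OUT OF BOUNDS" : "ok");
        }
    return 0;
}
```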


