MMDF Vulnerability
CAN 2000-0158
Impact
Versions of MMDF prior to version 2.44a-B4 have a buffer
overflow condition which could allow a remote attacker to gain root
access.
Background
The Multi-channel Memorandum Distribution Facility (MMDF), an
alternative to Sendmail, is a Mail Transfer Agent which is most
commonly found on SCO operating systems. MMDF uses the Simple Mail
Transfer Protocol (SMTP) to send and receive e-mail across a network.
MAIL FROM and RCPT TO are the SMTP commands used to specify the
sender's and recipient's e-mail addresses, respectively.
The Problem
When an invalid address is specified in the MAIL FROM
command, the string is copied into a fixed-length buffer without checking
the length of the input. A sufficiently long input string could be
used to overwrite the call stack, thus allowing an attacker to execute
arbitrary commands with the privileges of the mail server, which is
typically the mail management account.
Once mail management privileges are gained, the attacker can gain
root privileges by replacing the smtpsrvr executable
file with an arbitrary script. The script is then executed by
smtpd which runs with root privileges.
MMDF versions prior to 2.44a-B4 have this vulnerability.
Later versions are not affected.
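The unchecked copy of the MAIL FROM address described above belongs to a flaw class that is closed by checking the length before copying. The following is an added example, not MMDF source code and not the vendor's patch; the function name parse_mail_from, the status codes, and the 256-byte ADDR_MAX buffer size are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ADDR_MAX 256 /* assumed buffer size for this example */

enum addr_status { ADDR_OK = 0, ADDR_SYNTAX = -1, ADDR_TOO_LONG = -2 };

/* The flaw class described above, for contrast (never compiled in):
 *     char addr[ADDR_MAX];
 *     strcpy(addr, input);      // length of input never checked
 */

/* Copy the address out of "MAIL FROM:<addr>" into dst (dstlen bytes).
 * An over-long address is rejected, not truncated and not copied. */
enum addr_status parse_mail_from(const char *line, char *dst, size_t dstlen)
{
    static const char prefix[] = "MAIL FROM:";
    const char *start, *end;
    size_t i, len;

    if (dstlen == 0)
        return ADDR_SYNTAX;
    dst[0] = '\0';
    /* Case-insensitive match; stops at line's NUL, so no over-read. */
    for (i = 0; prefix[i] != '\0'; i++)
        if (toupper((unsigned char)line[i]) != prefix[i])
            return ADDR_SYNTAX;
    start = line + i;
    while (*start == ' ')
        start++;
    if (*start++ != '<' || (end = strchr(start, '>')) == NULL)
        return ADDR_SYNTAX;
    len = (size_t)(end - start);
    if (len >= dstlen)            /* bound check happens before the copy */
        return ADDR_TOO_LONG;
    memcpy(dst, start, len);
    dst[len] = '\0';
    return ADDR_OK;
}

int main(void)
{
    char addr[ADDR_MAX];
    /* Constructed sample input. */
    int rc = parse_mail_from("MAIL FROM:<alice@example.com>", addr, sizeof addr);
    printf("%d %s\n", rc, addr);
    return 0;
}
```

A server using a check like this would answer an ADDR_TOO_LONG result with an SMTP error reply and log the event, since an address far longer than any legitimate one is worth recording.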
Resolution
Upgrade to MMDF 2.44a-B4 or higher, or apply the patch for this
vulnerability.
Where can I read more about this?
Information on this vulnerability can be found in
NAI Security Advisory #38.