8/23/01
CVE 2001-0653
Sendmail versions 8.11.0 through 8.11.5 have a vulnerability
in the debugging function which could allow local users to gain
elevated privileges on the system. The problem lies in the tTflag()
function, which is responsible for processing the -d (debug)
command-line switch and writing the results to the internal trace
vector. The function checks that the index into the trace vector is
not greater than the size of the trace vector. However, when the
check is performed, the index is treated as a signed integer, a
variable type in which sufficiently large values are interpreted as
negative numbers. A large value could thus pass the upper-bound
check as a negative index, allowing a user to write data outside
the range of the trace vector. Since Sendmail is installed in
set-userid mode by default, a local attacker could exploit this
condition to execute arbitrary commands with elevated privileges,
typically root. This vulnerability can only be exploited by a user
who is already logged into the system. It was reported in CIAC
Bulletin L-133.
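As an added illustration of the signed-index check described above (a constructed example, not Sendmail's tTflag() code; TRACE_SIZE, the "index.level" spec format and the function names are assumptions), the vulnerable comparison is shown beside a hardened parser that rejects negative, wrapped and out-of-range values before they can be used to index the trace vector:

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define TRACE_SIZE 100                 /* constructed size, not Sendmail's */
static unsigned char trace_vec[TRACE_SIZE];

/* Vulnerable pattern (constructed): the parsed index lands in a signed int
 * and only the upper bound is tested.  "4294967295" truncates to -1 and
 * "-5" is negative outright; both pass "not greater than the size" and
 * would index before the start of trace_vec.  Returns 1 if accepted. */
int unsafe_index_ok(const char *s)
{
    int idx = (int)strtoul(s, NULL, 10); /* truncation wraps large values */
    return idx <= TRACE_SIZE;            /* -1 <= 100, so it is accepted */
}

/* Hardened parser: unsigned type, no sign or trailing garbage, overflow
 * detected, and the bound applied before the value is ever used as an
 * index.  Stores the value in *out (if non-NULL) and returns 1 when ok. */
int parse_bounded(const char *s, unsigned long bound, unsigned long *out)
{
    char *end;
    unsigned long v;
    if (s == NULL || *s == '-' || *s == '+' || *s == '\0')
        return 0;                        /* strtoul would accept a sign */
    errno = 0;
    v = strtoul(s, &end, 10);
    if (*end != '\0' || errno == ERANGE || v >= bound)
        return 0;
    if (out != NULL) *out = v;
    return 1;
}

/* Handles a "-d" style "index.level" spec with the hardened check on both
 * halves.  Returns 1 and updates trace_vec on success, 0 on rejection. */
int set_trace_level(const char *spec)
{
    char buf[32], *dot;
    unsigned long idx, lvl;
    if (spec == NULL || strlen(spec) >= sizeof buf) return 0;
    strcpy(buf, spec);
    dot = strchr(buf, '.');
    if (dot == NULL) return 0;
    *dot = '\0';
    if (!parse_bounded(buf, TRACE_SIZE, &idx) ||
        !parse_bounded(dot + 1, 256, &lvl))
        return 0;
    trace_vec[idx] = (unsigned char)lvl;
    return 1;
}
```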
CVE 1999-1309
Another vulnerability in Sendmail's debug option could allow local
users to cause a denial of service in Sendmail versions
prior to 8.6.7.
CVE 1999-0393
CVE 1999-1109
CVE 2000-0319
Sendmail versions prior to 8.10 are affected by multiple
denial of service vulnerabilities. The first is due to
unsafe usage of the fgets function in
mail.local. An attacker could cause
mail.local to send unexpected LMTP messages
to Sendmail, which could result in a deadlock. The second
vulnerability results from the forking of a new child
process whenever Sendmail receives an ETRN
command. By sending many ETRN commands and
then disconnecting, an attacker could cause the server to
consume large amounts of memory. The third vulnerability
only affects Sendmail 8.9.2 and earlier. Due to ineffective
prescanning of message headers, a message with a large
number of headers could cause the system to become
non-responsive for a period of time, leading to a potential
denial-of-service attack.
CVE 1999-0047
Versions 8.8.3 and 8.8.4 of sendmail have a serious
security vulnerability that allows remote users to execute arbitrary commands
on the local system with root privileges. By sending a carefully crafted
email message to a system running a vulnerable version of
sendmail,
intruders may be able to force sendmail to execute arbitrary
commands with root privileges. Those commands are run on the same system
where the vulnerable sendmail is running. This vulnerability
may be exploited on systems despite firewalls and other network boundary
protective measures. A hacker does not have to be a local user to exploit
this vulnerability. This vulnerability is described in CERT Advisory CA-97.05.
CVE 1999-0129
Version 8 of sendmail (version 8.x.x up to and including
8.8.3) has a vulnerability that can be exploited by a local user to run
programs with group permissions of other users. For the exploitation to
be successful, group-writable files must be available on the same file
system as a file that the attacker can convince sendmail
to trust. This vulnerability can only be exploited by local users (i.e.,
users who have accounts on the target machine). This vulnerability is described
in CERT Advisory CA-96.25.
CVE 1999-0130
Versions 8.7 through 8.8.2 of sendmail have a vulnerability
that can be used to gain root access. Sendmail is often
run in daemon mode so it can "listen" for incoming mail connections on
the standard SMTP networking port (usually port 25). The root user is the
only user allowed to start sendmail in this way, and sendmail
contains code intended to enforce this restriction. Due to a coding error,
sendmail can be invoked in daemon mode in a way that bypasses the built-in
check, and any local user is able to start sendmail in daemon
mode. By manipulating the sendmail mail environment, the
user can then have sendmail execute an arbitrary program
with root privileges. This vulnerability can only be exploited by local
users (i.e., users who have accounts on the target machine). This vulnerability
is described in CERT Advisory CA-96.24. CERT Advisory CA-96.24 also describes
additional vulnerabilities in versions 8.8.0 and 8.8.1 of sendmail.
CVE 1999-0206
Versions 8.8.0 and 8.8.1 of sendmail have a buffer overflow
condition in the MIME processing code. A remote attacker could exploit
the condition to gain root access on the server. This vulnerability is
described in an X-Force Alert.
CVE 1999-0131
There are two vulnerabilities in versions of sendmail up
to and including version 8.7.5. By exploiting the first of these vulnerabilities,
users who have local accounts can gain access to the default user, which
is often daemon. By exploiting the second vulnerability, any local user
can gain root access. Both of these vulnerabilities can only be exploited
by local users (i.e., users who have accounts on the target machine). These
vulnerabilities are described in CERT Advisory CA-96.20.
CVE 1999-0203
Versions 5 through 8.6.9 of sendmail have a vulnerability
which could allow an intruder to execute commands on the server with
root privileges. This vulnerability is described in CERT Advisory CA-95.08.
CVE 1999-0204
There is a buffer overflow condition in version 8.6.9 of sendmail
in the processing of the response from the ident service. Sendmail
makes a connection to the ident service on the client host
in order to log information about the user who is making the connection,
and expects a properly formatted response from that service. An attacker
could instead send a very long response that overflows the buffer,
enabling the attacker to execute arbitrary commands on the server.
This vulnerability was described in an X-Force alert.
CVE 1999-0095
An older vulnerability that keeps reappearing from time to time is
sendmail running in DEBUG mode. DEBUG mode can allow a malicious user
to gain access through sendmail.
Very old versions of sendmail, such as version 5.x and earlier, allow a remote attacker to specify commands after a pipe (|) character in certain fields in the e-mail. This could result in arbitrary commands being executed on the server with root privileges. This vulnerability was described in an X-Force Alert.
For more information on the denial-of-service vulnerabilities, see the Bugtraq postings from Michal Zalewski, Gregory Shapiro, and 3APA3A.
Also, see the Admin Guide to Cracking for additional vulnerabilities in sendmail.