8294 : Sendmail NOCHAR Control Value prescan Remote Overflow
Printer | http://osvdb.org/8294 | Email This | Edit Vulnerability

Views This Week	Views All Time	Added to OSVDB	Last Modified	Modified (since 2008)	Percent Complete
3	1101	about 9 years ago	about 1 month ago	7 times	85%

Timeline

Disclosure Date
2003-03-29

Time to Exploit
11 days

Description

A remote overflow exists in Sendmail. Due to a vulnerable char to int conversion it is possible to use the NOCHAR control value to bypass the length check done by the prescan function resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public

Solution

Upgrade to version 8.12.9 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Sendmail, Inc.	Sendmail	8.12.8
		8.12.9
		8.12.8
		8.12.9

References

ISS X-Force ID: 11653
Secunia Advisory ID: 12178
CVE ID: 2003-0161 (see also: NVD)
Milw0rm: 24
Exploit Database: 24
Related OSVDB ID: 2577
SCIP VulDB ID: 26
Bugtraq ID: 7230
CERT: CA-2003-12
Vendor Specific Advisory URL: ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2003-016.0.txt ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:07.sendmail.asc ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-009.txt.asc ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2003-016.0.txt ftp://patches.sgi.com/support/free/security/advisories/20030401-01-P http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01048623
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F52620&zone_32=category%3Asecurity
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F52700&zone_32=category%3Asecurity
http://www-1.ibm.com/services/continuity/recover1.nsf/MSS/MSS-OAR-E01-2003.0528.1
http://www-1.ibm.com/services/continuity/recover1.nsf/MSS/MSS-OAR-E01-2003.1238.1
http://www.debian.org/security/2003/dsa-290
http://www.linuxsecurity.com/advisories/caldera_advisory-4611.html
http://www.linuxsecurity.com/advisories/gentoo_advisory-3088.html
http://www.linuxsecurity.com/advisories/immunix_advisory-3093.html
http://www.linuxsecurity.com/advisories/turbolinux_advisory-3094.html
http://www.sendmail.org/8.12.9.html
http://www.suse.com/de/security/2003_023_sendmail.html
Other Advisory URL: ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.11/SCOSA-2004.11.txt http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000614
http://www.debian.org/security/2003/dsa-278
Vendor Specific Solution URL: http://lists.apple.com/mhonarc/security-announce/msg00028.html
http://www.sendmail.org/patchps.html
Mail List Post: http://seclists.org/lists/bugtraq/2003/Mar/0447.html
Vendor URL: http://www.sendmail.org/
CIAC Advisory: n-067
RedHat RHSA: RHSA-2003-120 RHSA-2003-121

Tools & Filters

	11499 12385 14026 15115 15127
	2031
Snort	2183 2259 2260 2262 2264 2266 2268 2270

Credit

Michal Zalewski - lcamtufdione.ids.pl - Personal page
Michal Zalewski - lcamtufdione.ids.pl - Personal page

CVSSv2 Score

CVSSv2 Base Score = 10.0
Source: nvd.nist.gov | Generated: 2003-12-31 | Disagree?

Comments

Add Comment Hide Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.