From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 06:26:24 2003
Message-Id: <6.0.0.22.0.20030917092828.079a30f8@209.112.4.2>
X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22
Date: Wed, 17 Sep 2003 09:29:00 -0400
To: security@freebsd.org
From: Mike Tancsa
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Virus-Scanned: By Sentex Communications (lava/20020517)
Subject: Fwd: [Full-Disclosure] Sendmail 8.12.9 prescan bug (a new one) [CAN-2003-0694]
List-Id: Security issues [members-only posting]

More patch-o-rama :-(

        ---Mike
>From: Michal Zalewski
>To: bugtraq@securityfocus.com, ,
>X-Nmymbofr: Nir Orb Buk
>Subject: [Full-Disclosure] Sendmail 8.12.9 prescan bug (a new one) [CAN-2003-0694]
>Sender: full-disclosure-admin@lists.netsys.com
>List-Id: Discussion of security issues
>Date: Wed, 17 Sep 2003 11:19:46 +0200 (CEST)
>X-Virus-Scanned: by Sentex Communications (avscan1/20021227)
>X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
>
>Hello lists,
>
>--------
>Overview
>--------
>
>  There seems to be a remotely exploitable vulnerability in Sendmail up to
>  and including the latest version, 8.12.9. The problem lies in the prescan()
>  function, but is not related to previous issues with this code.
>
>  The primary attack vector is an indirect invocation via parseaddr(),
>  although other routes are possible. Heap or stack structures, depending
>  on the calling location, can be overwritten due to the ability to go
>  past the end of the input buffer in strtok()-like routines.
>
>  This is an early release, thanks to my sheer stupidity.
>
>--------------
>Attack details
>--------------
>
>  Local exploitation on little endian Linux is confirmed to be trivial
>  via recipient.c and sendtolist(), with a pointer overwrite leading to a
>  neat case of free() on user-supplied data, i.e.:
>
>  eip = 0x40178ae2
>  edx = 0x41414141
>  esi = 0x61616161
>
>  SEGV in chunk_free (ar_ptr=0x4022a160, p=0x81337e0) at malloc.c:3242
>
>  0x40178ae2 : mov %esi,0xc(%edx)
>  0x40178ae5 : mov %edx,0x8(%esi)
>
>  Remote attack is believed to be possible.
>
>----------------
>Workaround / fix
>----------------
>
>  The vendor was notified, and released an early patch attached below.
>  There are no known workarounds.
>
>Index: parseaddr.c
>===================================================================
>RCS file: /cvs/src/gnu/usr.sbin/sendmail/sendmail/parseaddr.c,v
>retrieving revision 1.16
>diff -u -r1.16 parseaddr.c
>--- parseaddr.c 29 Mar 2003 19:44:01 -0000 1.16
>+++ parseaddr.c 16 Sep 2003 17:37:26 -0000
>@@ -700,7 +700,11 @@
> addr[MAXNAME] = '\0';
> returnnull:
> if (delimptr != NULL)
>+ {
>+ if (p > addr)
>+ p--;
> *delimptr = p;
>+ }
> CurEnv->e_to = saveto;
> return NULL;
> }
>
>--
>------------------------- bash$ :(){ :|:&};: --
> Michal Zalewski * [http://lcamtuf.coredump.cx]
> Did you know that clones never use mirrors?
>--------------------------- 2003-09-16 21:18 --
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html

--------------------------------------------------------------------
Mike Tancsa,                                        tel +1 519 651 3400
Sentex Communications,                              mike@sentex.net
Providing Internet since 1994                       www.sentex.net
Cambridge, Ontario Canada                           www.sentex.net/mike
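Review bot: the new `if (p > addr) p--;` in front of `*delimptr = p;` sits at the shared `returnnull:` label, so it changes what every path that reaches that label hands back through delimptr, not only the fall-through from `addr[MAXNAME] = '\0';` directly above it; please confirm that every caller of prescan() passing a non-NULL delimptr is fine with receiving a pointer one character earlier than before, and add a comment at the label saying why p is backed up (that it may otherwise point past the terminator of a truncated name), since nothing in the hunk explains it. Note also that `p > addr` only stops p from moving before the buffer; it does not bound p to the input, so the fix is only sufficient if p can be at most one byte past the end when the label is reached.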
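The overview in the forwarded post describes the bug class in general terms: a strtok()-like scanner that copies a token into a fixed-size name buffer and then reports a resume pointer that can land past the end of its input, so that a caller which keeps scanning from that pointer reads beyond the buffer. The following constructed C illustration is added here and is not Sendmail's prescan() or any code from the post; the names scan_token_unsafe, scan_token_safe, overruns and count_tokens, the small MAXNAME of 8, and the comma delimiter are all assumptions made for the example. The clamp used in the safe variant (only step over a real delimiter, never the terminating NUL) is a different choice from the patch in the post, which backs p up by one on the error path.

```c
#include <stdio.h>
#include <string.h>

/* Constructed small limit so that silent name truncation is easy to hit. */
#define MAXNAME 8

typedef char *(*scanner_fn)(char *in, char delim, char *out, char **delimptr);

/* Tokenizer in the style described by the post: copy one token into
 * out[MAXNAME + 1], truncating silently, and report through *delimptr
 * where the caller should resume scanning. */
static char *scan_token_unsafe(char *in, char delim, char *out, char **delimptr)
{
    char *p = in;
    size_t n = 0;

    while (*p != '\0' && *p != delim) {
        if (n < MAXNAME)
            out[n++] = *p;
        p++;
    }
    out[n] = '\0';
    /* Defect (constructed): always step over whatever stopped the loop. When
     * that was the terminating NUL rather than a delimiter, *delimptr ends up
     * one byte past the end of the string; a caller that resumes scanning
     * there reads beyond the input buffer. */
    p++;
    *delimptr = p;
    return out;
}

/* Same routine with the resume pointer clamped: only a real delimiter is
 * skipped, so *delimptr never moves past the terminating NUL. */
static char *scan_token_safe(char *in, char delim, char *out, char **delimptr)
{
    char *p = in;
    size_t n = 0;

    while (*p != '\0' && *p != delim) {
        if (n < MAXNAME)
            out[n++] = *p;
        p++;
    }
    out[n] = '\0';
    if (*p == delim)
        p++;
    *delimptr = p;
    return out;
}

/* Returns 1 if the scanner hands back a resume pointer beyond the NUL for this
 * input, 0 if it stays in bounds, -1 if the input does not fit the local
 * buffer. The pointer is only compared, never dereferenced. */
static int overruns(scanner_fn scan, const char *input)
{
    char buf[64];
    char tok[MAXNAME + 1];
    char *next;
    size_t len = strlen(input);

    if (len >= sizeof buf)
        return -1;
    memcpy(buf, input, len + 1);
    scan(buf, ',', tok, &next);
    return next > buf + len;   /* buf + len is the NUL; past it is out of bounds */
}

/* Caller that walks a delimited list by trusting the scanner's resume pointer,
 * the way the post describes sendtolist() using prescan(). It is safe only
 * because the clamped scanner never points past the NUL. Returns the count. */
static int count_tokens(const char *list, char delim)
{
    char buf[64];
    char tok[MAXNAME + 1];
    char *p = buf;
    int count = 0;

    if (strlen(list) >= sizeof buf)
        return -1;
    strcpy(buf, list);
    while (*p != '\0') {
        scan_token_safe(p, delim, tok, &p);
        count++;
    }
    return count;
}

/* Checks that the clamped scanner yields the expected (possibly truncated)
 * token and remaining text for one input. Returns 1 on match. */
static int first_token_is(const char *input, char delim,
                          const char *expect_tok, const char *expect_rest)
{
    char buf[64];
    char tok[MAXNAME + 1];
    char *next;

    if (strlen(input) >= sizeof buf)
        return 0;
    strcpy(buf, input);
    scan_token_safe(buf, delim, tok, &next);
    return strcmp(tok, expect_tok) == 0 && strcmp(next, expect_rest) == 0;
}

int main(void)
{
    printf("unsafe scanner overruns on \"abc\": %d\n", overruns(scan_token_unsafe, "abc"));
    printf("safe scanner overruns on \"abc\":   %d\n", overruns(scan_token_safe, "abc"));
    printf("tokens in \"a,bb,ccc\": %d\n", count_tokens("a,bb,ccc", ','));
    return 0;
}
```

The overrun only shows up when the token ends at the NUL instead of at a delimiter, which is why a scanner can pass every test that uses well-formed, delimiter-terminated input and still be wrong; the check in overruns() compares pointers rather than dereferencing them, so it can be run against the defective variant without itself reading out of bounds.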