Vulnerability Note VU#993452

Sendmail fails to appropriately initialize data structures for DNS maps

Original Release date: 25 Aug 2003 | Last revised: 30 Dec 2003

Overview

There is an uninitialized data structure in sendmail 8.12.(x < 9) servers configured to use DNS maps. An attacker able to send crafted DNS responses to affected sendmail servers may be able crash the sendmail daemon, or potentially execute arbitrary code.

Description

DNS maps are used in sendmail to provide a capability to dynamically look up information about a host before accepting mail from it. For example, a DNS request can be made to some site-specific authoritative source to determine whether the source of some message has previously been identified as a spam relay.

A failure to initialize RESOURCE_RECORD_T data structures in sendmail's implementation of DNS maps may lead to portions of memory in the sendmail process being freed in error. The error is in the dns_parse_reply() function in sm_resolve.c (patched):

--- sm_resolve.c.orig   Fri Jun 28 00:43:24 2002
+++ sm_resolve.c        Thu Jul 10 01:21:17 2003
@@ -233,6 +233,7 @@
dns_free_data(r);
return NULL;
}
+ memset(*rr, 0, sizeof(**rr));
(*rr)->rr_domain = sm_strdup(host);
if ((*rr)->rr_domain == NULL)
{

A fix for this condition was made in sendmail 8.12.9 in March 2003, but it was not known to be a security issue at that time.

Impact

A remote attacker may be able to cause sendmail to free() arbitrary chunks of memory. This could crash affected sendmail daemons, causing a denial of service. If an area of memory being freed is under the control of the intruder, remote execution of code with the privileges of the running daemon may be possible.

Solution

Apply patches as recommended by an appropriate vendor or upgrade to sendmail 8.12.9.

In addition, disabling features in sendmail that use DNS maps will also remove one necessary precondition needed to exploit this vulnerability (e.g., disable FEATURE(`enhdnsbl') == "enhanced DNS-based blacklist lookups") .

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
FreeBSDAffected-26 Aug 2003
MandrakeSoftAffected-26 Aug 2003
OpenBSDAffected-28 Aug 2003
OpenPKGAffected-28 Aug 2003
SendmailAffected-25 Aug 2003
SGIAffected-25 Aug 2003
SuSE Inc.Affected-26 Aug 2003
Cray Inc.Unknown26 Aug 200326 Aug 2003
NetBSDUnknown-25 Aug 2003
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Oleg Bulyzhin has been credited to reporting this vulnerability to FreeBSD. The issue was also reported to Sendmail by Maurice Makaay.

This document was written by Jeffrey S. Havrilla.

Other Information

  • CVE IDs: CAN-2003-0688
  • Date Public: 11 Jul 2003
  • Date First Published: 25 Aug 2003
  • Date Last Updated: 30 Dec 2003
  • Severity Metric: 15.75
  • Document Revision: 20

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.