Vulnerability Note VU#993452

Sendmail fails to appropriately initialize data structures for DNS maps

Overview

There is an uninitialized data structure in sendmail 8.12.x (x < 9) servers configured to use DNS maps. An attacker able to send crafted DNS responses to an affected sendmail server may be able to crash the sendmail daemon or potentially execute arbitrary code.

I. Description

DNS maps are used in sendmail to provide a capability to dynamically look up information about a host before accepting mail from it. For example, a DNS request can be made to some site-specific authoritative source to determine whether the source of some message has previously been identified as a spam relay.

A failure to initialize RESOURCE_RECORD_T data structures in sendmail's implementation of DNS maps may lead to portions of memory in the sendmail process being freed in error. The error is in the dns_parse_reply() function in sm_resolve.c; the patch that corrects it is:

--- sm_resolve.c.orig   Fri Jun 28 00:43:24 2002
+++ sm_resolve.c        Thu Jul 10 01:21:17 2003
@@ -233,6 +233,7 @@
dns_free_data(r);
return NULL;
}
+ memset(*rr, 0, sizeof(**rr));
(*rr)->rr_domain = sm_strdup(host);
if ((*rr)->rr_domain == NULL)
{
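Review bot: the inserted `+ memset(*rr, 0, sizeof(**rr));` sits after the allocation failure check (`dns_free_data(r); return NULL;`) and before `(*rr)->rr_domain = sm_strdup(host);`, which is the right place: every field of the new record is zero before any later failure path can hand it to cleanup code. Two things to confirm against the surrounding code, which the hunk does not show: every error return after this point must use a cleanup that tolerates NULL fields, since zeroing only helps if free() is never called on a field that was never assigned; and the allocation on the line above the hunk could be changed to a zeroing (calloc-style) allocation so the invariant cannot be lost if a future edit moves the assignments around.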

A fix for this condition was made in sendmail 8.12.9 in March 2003, but it was not known to be a security issue at that time.
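To show why the single memset() line matters, here is an added example; it is not sendmail's code. A hypothetical rr_t with two pointer fields stands in for RESOURCE_RECORD_T, dirty_alloc() is a constructed allocator that returns memory pre-filled with stale bytes, as a reused heap chunk often is, and dup_or_fail() is a constructed stand-in for sm_strdup() with a fault-injection switch so the error path can be exercised deliberately. partial_record_safe_to_free() examines the same partially built record with and without zeroing, and rr_new() is a constructor written in the style of the patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of a DNS resource record; not sendmail's
 * RESOURCE_RECORD_T. Two pointer fields are enough to show the hazard. */
typedef struct rr {
    char *rr_domain;   /* owner name of the record, assigned first */
    char *rr_data;     /* decoded RDATA, assigned only if rr_domain succeeds */
} rr_t;

/* Constructed "dirty heap": an allocator that hands back memory pre-filled
 * with a stale byte pattern, as a real heap may do when it reuses a freed
 * chunk. This is how an uninitialised pointer field ends up non-NULL. */
static void *dirty_alloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL)
        memset(p, 0xA5, n);
    return p;
}

/* Fault injection (constructed): when nonzero, the next duplication fails,
 * forcing the caller onto the error path the patch makes safe. */
static int fail_next_strdup = 0;

static char *dup_or_fail(const char *s)
{
    if (fail_next_strdup) {
        fail_next_strdup = 0;
        return NULL;
    }
    char *d = malloc(strlen(s) + 1);
    if (d != NULL)
        strcpy(d, s);
    return d;
}

/* Release a record. Safe only if every pointer field is NULL or a live
 * allocation, which is exactly what zeroing guarantees on error paths. */
static void rr_free(rr_t *rr)
{
    if (rr == NULL)
        return;
    free(rr->rr_domain);
    free(rr->rr_data);
    free(rr);
}

/* Returns 1 if a freshly allocated record could be given to rr_free()
 * before rr_data has been assigned, 0 if not. With zeroing the field is
 * NULL; without it, rr_data holds whatever the heap left behind, and
 * rr_free() would call free() on that stale value (the erroneous free
 * described in Impact). The bytes are inspected without dereferencing. */
static int partial_record_safe_to_free(int zero_first)
{
    unsigned char zeros[sizeof(char *)] = {0};
    rr_t *rr = dirty_alloc(sizeof *rr);
    if (rr == NULL)
        return -1;
    if (zero_first)
        memset(rr, 0, sizeof *rr);          /* the one-line fix from the patch */
    int safe = (memcmp(&rr->rr_data, zeros, sizeof zeros) == 0);
    if (zero_first)
        rr_free(rr);                        /* both fields NULL: free(NULL) is a no-op */
    else
        free(rr);                           /* never free() the stale field contents */
    return safe;
}

/* Constructor in the style of the patch: zero the record immediately after
 * allocation, then fill fields in order; any failure can call rr_free() on
 * the partial record without touching stale bytes. */
static rr_t *rr_new(const char *domain, const char *data)
{
    rr_t *rr = dirty_alloc(sizeof *rr);
    if (rr == NULL)
        return NULL;
    memset(rr, 0, sizeof *rr);
    rr->rr_domain = dup_or_fail(domain);
    if (rr->rr_domain == NULL) {            /* rr_data is NULL here, so this is safe */
        rr_free(rr);
        return NULL;
    }
    rr->rr_data = dup_or_fail(data);
    if (rr->rr_data == NULL) {
        rr_free(rr);
        return NULL;
    }
    return rr;
}

/* Exercise the error path: 1 if rr_new() failed cleanly on an injected fault. */
static int error_path_is_clean(void)
{
    fail_next_strdup = 1;
    rr_t *rr = rr_new("mail.example.test", "127.0.0.2");   /* constructed values */
    return rr == NULL;
}

int main(void)
{
    printf("partial record safe to free, zeroed:   %d\n", partial_record_safe_to_free(1));
    printf("partial record safe to free, unzeroed: %d\n", partial_record_safe_to_free(0));
    printf("error path clean: %d\n", error_path_is_clean());
    rr_t *rr = rr_new("mail.example.test", "127.0.0.2");
    if (rr != NULL) {
        printf("%s -> %s\n", rr->rr_domain, rr->rr_data);
        rr_free(rr);
    }
    return 0;
}
```

The unzeroed case never calls rr_free() on the dirty record, because doing so would be the bug itself; the point of the example is that the memset() turns "free whatever bytes happened to be there" into "free NULL", and that this holds no matter which field assignment failed.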

II. Impact

A remote attacker may be able to cause sendmail to free() arbitrary chunks of memory. This could crash affected sendmail daemons, causing a denial of service. If an area of memory being freed is under the control of the intruder, remote execution of code with the privileges of the running daemon may be possible.

III. Solution

Apply patches as recommended by an appropriate vendor or upgrade to sendmail 8.12.9.

In addition, disabling the sendmail features that use DNS maps removes one precondition needed to exploit this vulnerability; for example, disable FEATURE(`enhdnsbl'), the enhanced DNS-based blacklist lookup feature.

Systems Affected

Vendor          Status        Date Updated
Cray Inc.       Unknown       26-Aug-2003
FreeBSD         Vulnerable    26-Aug-2003
MandrakeSoft    Vulnerable    26-Aug-2003
NetBSD          Unknown       25-Aug-2003
OpenBSD         Vulnerable    28-Aug-2003
OpenPKG         Vulnerable    28-Aug-2003
Sendmail        Vulnerable    25-Aug-2003
SGI             Vulnerable    25-Aug-2003
SuSE Inc.       Vulnerable    26-Aug-2003

References

This issue is distinct from the one discussed in VU#814627.
http://www.sendmail.org/8.12.9.html
http://www.sendmail.org/dnsmap1.html
http://www.sendmail.org/~ca/email/doc8.12/cf/m4/features.html#enhdnsbl
http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/54367

Credit

Oleg Bulyzhin is credited with reporting this vulnerability to FreeBSD. The issue was also reported to Sendmail by Maurice Makaay.

This document was written by Jeffrey S. Havrilla.

Other Information

Date Public: 07/11/2003
Date First Published: 08/25/2003 04:10:11 PM
Date Last Updated: 12/30/2003
CERT Advisory:
CVE Name: CAN-2003-0688
US-CERT Technical Alerts:
Metric: 15.75
Document Revision: 20

Copyright 2003 Carnegie Mellon University