There is an uninitialized data structure in sendmail 8.12.(x < 9) servers configured to use DNS maps. An attacker able to send crafted DNS responses to affected sendmail servers may be able crash the sendmail daemon, or potentially execute arbitrary code.
DNS maps are used in sendmail to provide a capability to dynamically look up information about a host before accepting mail from it. For example, a DNS request can be made to some site-specific authoritative source to determine whether the source of some message has previously been identified as a spam relay.
A failure to initialize RESOURCE_RECORD_T data structures in sendmail's implementation of DNS maps may lead to portions of memory in the sendmail process being freed in error. The error is in the dns_parse_reply() function in sm_resolve.c (patched):
A remote attacker may be able to cause sendmail to free() arbitrary chunks of memory. This could crash affected sendmail daemons, causing a denial of service. If an area of memory being freed is under the control of the intruder, remote execution of code with the privileges of the running daemon may be possible.
Apply patches as recommended by an appropriate vendor or upgrade to sendmail 8.12.9.
In addition, disabling features in sendmail that use DNS maps will also remove one necessary precondition needed to exploit this vulnerability (e.g., disable FEATURE(`enhdnsbl') == "enhanced DNS-based blacklist lookups") .
Oleg Bulyzhin has been credited to reporting this vulnerability to FreeBSD. The issue was also reported to Sendmail by Maurice Makaay.
This document was written by Jeffrey S. Havrilla.
|Date First Published:||2003-08-25|
|Date Last Updated:||2003-12-30 22:33 UTC|