Users login

Create an account »

JOIN XATRIX

Users login

Home » Security Advisories» NetBSD » Sendmail arbitrary code execution

Sendmail arbitrary code execution

Sendmail is vulnerable to a race condition in the handling of asynchronous signals. This may allow a remote attacker to execute arbitrary code with the privileges of the sendmail user.

  • Vendor: NetBSD
  • Vendor ID: 2006-010
  • Date: March 28, 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


NetBSD Security Advisory 2006-010
=================================

Topic: Sendmail race condition

Version: NetBSD-current: source prior to March 24, 2006
NetBSD 3.0: affected
NetBSD 2.1: affected
NetBSD 2.0.*: affected
NetBSD 2.0: affected
NetBSD 1.6.*: affected
NetBSD 1.6: affected
pkgsrc: sendmail packages prior to sendmail-8.13.5nb2
sendmail packages prior to sendmail-8.12.11nb2

Severity: Remote code execution with sendmail privileges

Fixed: NetBSD-current: March 24, 2006
NetBSD-3-0 branch: March 24, 2006
(3.0.1 will include the fix)
NetBSD-3 branch: March 24, 2006
NetBSD-2-1 branch: March 24, 2006
(2.1.1 will include the fix)
NetBSD-2-0 branch: March 24, 2006
(2.0.4 will include the fix)
NetBSD-2 branch: March 24, 2006
pkgsrc: sendmail-8.13.5nb2 corrects this issue
sendmail-8.12.11nb2 corrects this issue


Abstract
========

Sendmail is vulnerable to a race condition in the handling of asynchronous
signals. This may allow a remote attacker to execute arbitrary code with
the privileges of the sendmail user.

This vulnerability has been assigned CVE reference CVE-2006-0058.


Technical Details
=================

Sendmail contains a race condition caused by the improper handling of
asynchronous signals. In particular, by forcing the SMTP server to have
an I/O timeout at exactly the correct instant, an attacker may be able
to execute arbitrary code with the privileges of the Sendmail process.

Solutions and Workarounds
=========================

Sendmail by default on NetBSD is bound to localhost (127.0.0.0, ::1) and
as such is not externally reachable.

However, it is recommended that all users of affected versions update their
sendmail to include the fix.

The following instructions describe how to upgrade your sendmail
binaries by updating your source tree and rebuilding and
installing a new version of sendmail.

* NetBSD-current:

Systems running NetBSD-current dated from before 2006-03-23
should be upgraded to NetBSD-current dated 2006-03-24 or later.

The following files need to be updated from the
netbsd-current CVS branch (aka HEAD):
gnu/dist/sendmail/sendmail/collect.c
gnu/dist/sendmail/sendmail/conf.c
gnu/dist/sendmail/sendmail/deliver.c
gnu/dist/sendmail/sendmail/headers.c
gnu/dist/sendmail/sendmail/mime.c
gnu/dist/sendmail/sendmail/parseaddr.c
gnu/dist/sendmail/sendmail/savemail.c
gnu/dist/sendmail/sendmail/sendmail.h
gnu/dist/sendmail/sendmail/sfsasl.c
gnu/dist/sendmail/sendmail/sfsasl.h
gnu/dist/sendmail/sendmail/srvrsmtp.c
gnu/dist/sendmail/sendmail/tls.c
gnu/dist/sendmail/sendmail/usersmtp.c
gnu/dist/sendmail/sendmail/util.c
gnu/dist/sendmail/sendmail/version.c
gnu/dist/sendmail/libsm/fflush.c
gnu/dist/sendmail/libsm/local.h
gnu/dist/sendmail/libsm/refill.c

To update from CVS, re-build, and re-install sendmail:

# cd src
# cvs update -d -P gnu/dist/sendmail
# cd gnu/usr.sbin/sendmail
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install


* NetBSD 3.*:

Systems running NetBSD 3.* sources dated from before
2006-03-23 should be upgraded from NetBSD 3.* sources dated
2006-03-24 or later.

The following files need to be updated from the
netbsd-3 or netbsd-3-0 CVS branch:
gnu/dist/sendmail/sendmail/collect.c
gnu/dist/sendmail/sendmail/conf.c
gnu/dist/sendmail/sendmail/deliver.c
gnu/dist/sendmail/sendmail/headers.c
gnu/dist/sendmail/sendmail/mime.c
gnu/dist/sendmail/sendmail/parseaddr.c
gnu/dist/sendmail/sendmail/savemail.c
gnu/dist/sendmail/sendmail/sendmail.h
gnu/dist/sendmail/sendmail/sfsasl.c
gnu/dist/sendmail/sendmail/sfsasl.h
gnu/dist/sendmail/sendmail/srvrsmtp.c
gnu/dist/sendmail/sendmail/tls.c
gnu/dist/sendmail/sendmail/usersmtp.c
gnu/dist/sendmail/sendmail/util.c
gnu/dist/sendmail/sendmail/version.c
gnu/dist/sendmail/libsm/fflush.c
gnu/dist/sendmail/libsm/local.h
gnu/dist/sendmail/libsm/refill.c

To update from CVS, re-build, and re-install sendmail:

# cd src
# cvs update -d -P -r gnu/dist/sendmail
# cd gnu/usr.sbin/sendmail
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

* NetBSD 2.*:

Systems running NetBSD 2.* sources dated from before
2006-03-23 should be upgraded from NetBSD 2.* sources dated
2006-03-24 or later.

The following files need to be updated from the
netbsd-2, netbsd-2-0 or netbsd-2-1 CVS branch:
gnu/dist/sendmail/sendmail/collect.c
gnu/dist/sendmail/sendmail/conf.c
gnu/dist/sendmail/sendmail/deliver.c
gnu/dist/sendmail/sendmail/headers.c
gnu/dist/sendmail/sendmail/mime.c
gnu/dist/sendmail/sendmail/parseaddr.c
gnu/dist/sendmail/sendmail/savemail.c
gnu/dist/sendmail/sendmail/sendmail.h
gnu/dist/sendmail/sendmail/sfsasl.c
gnu/dist/sendmail/sendmail/sfsasl.h
gnu/dist/sendmail/sendmail/srvrsmtp.c
gnu/dist/sendmail/sendmail/tls.c
gnu/dist/sendmail/sendmail/usersmtp.c
gnu/dist/sendmail/sendmail/util.c
gnu/dist/sendmail/sendmail/version.c
gnu/dist/sendmail/libsm/fflush.c
gnu/dist/sendmail/libsm/local.h
gnu/dist/sendmail/libsm/refill.c

To update from CVS, re-build, and re-install sendmail:

# cd src
# cvs update -d -P -r gnu/dist/sendmail
# cd gnu/usr.sbin/sendmail
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install



Thanks To
=========

CERT for notification and co-ordination of the issue.
Sendmail Consortium for supplying the patches to address the issue.
Christos Zoulas for implementing the fixes.

Revision History
================

2006-03-29 Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2006-010.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2006, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2006-010.txt,v 1.5 2006/03/29 19:52:50 adrianp Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (NetBSD)

iQCVAwUBRCsC3D5Ru2/4N2IFAQLgswQAyWsnHHM017c4NP0vvPh6hKn/MYjpZGB7
1meGsumrd3JsPUj4j30GR3RXeqw2Kf0RGOrnwz7aIVibXdX05jxjl+8GpBSU2xkI
eZ//s8n7gIe3gvaOTpqLRdBo6mi9aGY0BZhHA7ZoHsW2cQ7JZXnhdl3QzJ3qUQaA
D8pG/zZ/cMc=
=1u2y
-----END PGP SIGNATURE-----

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »