Re: Sendmail 8.6.9 security hole

Christopher Samuel (chris@rivers.dra.hmg.gb)
Thu, 23 Feb 1995 11:43:13 +0000

In message <199502230035.AA26027@charybda.sovam.com>, 
	"Igor V. Semenyuk" <iga@sovam.com> writes:

> Does anybody know details of the security hole(s) in 8.6.9 fixed
> in 8.6.10?
> 
> Is IDA sendmail vulnerable to these attacks?

I've had a quick scan of the patch to take 8.6.9 to 8.6.10 (it's all
I've got time for, I'm afraid) and the changes to the IDENT service
appear to concern stopping people returning information that overflows
the buffer and/or contains newlines.

It introduces two new functions:

1) CLEANSTRCPY -- copy string keeping out bogus characters
2) DENLSTRING -- convert newlines in a string to spaces

The interesting bit comes from the second, to quote:

+ #ifdef LOG
+       p = macvalue('_', CurEnv);
+       syslog(LOG_ALERT, "POSSIBLE ATTACK from %s: newline in string \"%s\"",
+               p == NULL ? "[UNKNOWN]" : p, bp);
+ #endif
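Review bot: the syslog call quotes `bp` inside the log line itself, so `bp` should be the already-converted copy (newlines turned to spaces) rather than the raw input; if the raw string is logged, the very newline that triggered the alert can still break the syslog record into a second, forged-looking line. From this fragment alone it is not visible whether `bp` has been converted at the point of the call, so that is worth confirming against the full function. The `p == NULL ? "[UNKNOWN]" : p` fallback for `macvalue('_', CurEnv)` is the right thing to do; note also that the whole alert sits under `#ifdef LOG`, so a build without LOG silently sanitises with no record of the attempt, which the release notes could mention.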

Chris
--
 Christopher Samuel    Open Software Systems Group    chris@rivers.dra.hmg.gb
 N-115, Defence Research Agency,  St Andrews Road, Great Malvern, England, UK
 "To no man will we sell, or delay, or deny, right or justice" -- Magna Carta
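As an added illustration, and not sendmail's own cleanstrcpy()/denlstring() code nor part of the message above, the two sanitisers described can be written like this in C. The function names clean_strcpy, denl_string and sanitize_ident_reply, the choice to keep only printable 7-bit ASCII plus tab, and the sample IDENT reply are all assumptions of this example:

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical teaching versions of the two sanitisers named in the
 * message; not sendmail's cleanstrcpy()/denlstring(). Names, signatures
 * and the "printable ASCII only" policy are assumptions. */

/* Bounded copy: at most bufsize-1 bytes of src reach dst, and only
 * printable 7-bit ASCII (plus tab) is kept. Control bytes, 8-bit bytes
 * and CR/LF are dropped. Returns the number of bytes dropped (truncation
 * because src was too long is not counted). */
size_t clean_strcpy(char *dst, const char *src, size_t bufsize)
{
    size_t n = 0, dropped = 0;

    if (bufsize == 0)
        return 0;
    for (; *src != '\0' && n < bufsize - 1; src++) {
        unsigned char c = (unsigned char)*src;
        if (c < 0x80 && (isprint(c) || c == '\t'))
            dst[n++] = (char)c;
        else
            dropped++;
    }
    dst[n] = '\0';
    return dropped;
}

/* In-place conversion of CR and LF to spaces. Returns 1 if any were
 * found, so the caller can raise a "POSSIBLE ATTACK" style alert, else 0. */
int denl_string(char *s)
{
    int found = 0;

    for (; *s != '\0'; s++) {
        if (*s == '\n' || *s == '\r') {
            *s = ' ';
            found = 1;
        }
    }
    return found;
}

/* Defensive handling of an untrusted IDENT reply: first neutralise any
 * newlines (and remember that they were there), then make a bounded,
 * cleaned copy into the fixed-size buffer the caller will keep and log.
 * Returns 1 when a newline was present, i.e. when an alert is warranted. */
int sanitize_ident_reply(char *raw, char *dst, size_t bufsize)
{
    int alert = denl_string(raw);

    clean_strcpy(dst, raw, bufsize);
    return alert;
}

int main(void)
{
    /* Constructed sample: a reply carrying a CRLF to fake a second log
     * line, a terminal escape byte, and more data than the 16-byte
     * destination holds. */
    char raw[] = "bob\r\nroot\x1b[2Jpadding-padding";
    char out[16];
    int alert = sanitize_ident_reply(raw, out, sizeof out);

    printf("alert=%d stored=\"%s\"\n", alert, out);
    return 0;
}
```

The order matters: denl_string runs on the raw reply before the cleaned copy is made, because clean_strcpy would drop the newlines and the alert would never fire. The bounded copy with its `bufsize - 1` limit is the part that addresses the overflow half of the fix; the newline conversion addresses the log-splitting half.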