| VID |
18021 |
| Severity |
40 |
| Port |
25 |
| Protocol |
TCP |
| Class |
SMTP |
| Detailed Description |
The Sendmail server is vulnerable to a pipe ("|") attack. Some Sendmail servers may accept a "RCPT TO" command whose address contains a pipe character. This probably means that it is possible to send mail that will be bounced to a program, which is a serious threat. A remote attacker is able to execute commands and gain root access via SMTP by specifying a malformed "RCPT TO" address that causes the mail to bounce to a program. You can test for this vulnerability as follows:
>> telnet [target_address] 25
HELO domain.com
MAIL FROM: |testing
Note: This check might be a false positive, since some MTAs, such as Smail and the IRIX 6.x sendmail, will not complain about this test but instead just drop the message silently. This scanner attempts to create a file called 'by_scanner.pipetoprogram.vulnerability' in the /tmp directory. If this file exists on the specified host after the scan is complete, then the host is vulnerable.
* References: http://www.iss.net/security_center/static/616.php |
| Recommendation |
Upgrade to the latest version of Sendmail or apply the appropriate patch for your system, available from the Sendmail Consortium site: ftp://ftp.cs.berkeley.edu/ucb/sendmail/ |
| Related URL |
CVE-1999-0203, CVE-1999-0565 (CVE) |
|
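For reviewing mail gateway captures for the pattern in the Detailed Description, the following added example (not part of the original entry or of any scanner) flags MAIL FROM and RCPT TO commands whose address begins with a pipe character. It assumes a transcript holding only the client side of an SMTP session, one command per line; the function names and the sample session are constructed for illustration.

```python
import re

# MAIL FROM / RCPT TO with their argument (RFC 5321 envelope commands).
ENVELOPE = re.compile(r'^\s*(MAIL\s+FROM|RCPT\s+TO)\s*:\s*(.*)$', re.IGNORECASE)

def envelope_address(arg):
    """Extract the bare address from an envelope command argument."""
    arg = arg.strip()
    if arg.startswith('<'):
        end = arg.find('>')
        addr = arg[1:end] if end != -1 else arg[1:]
    else:
        addr = arg.split()[0] if arg else ''   # ignore ESMTP parameters
    if addr.startswith('@') and ':' in addr:   # drop a source route
        addr = addr.split(':', 1)[1]
    return addr.strip()

def find_pipe_envelopes(transcript):
    """Return (line_no, command, address) for envelope addresses starting with '|'."""
    findings, in_data = [], False
    for no, line in enumerate(transcript.splitlines(), 1):
        if in_data:                            # message body, not commands
            in_data = line.rstrip() != '.'
            continue
        if line.strip().upper() == 'DATA':
            in_data = True
            continue
        m = ENVELOPE.match(line)
        if m:
            addr = envelope_address(m.group(2))
            if addr.lstrip('"').lstrip().startswith('|'):
                findings.append((no, ' '.join(m.group(1).upper().split()), addr))
    return findings

# Constructed sample: client side of an SMTP session, one command per line.
SAMPLE = '''\
HELO domain.com
MAIL FROM: |testing
RCPT TO:<user@example.org>
DATA
Subject: note
rcpt to: |text-inside-the-message-body
.
MAIL FROM:<sender@example.org> SIZE=1024
rcpt to: <"|testing two"@example.org>
RCPT TO:<@relay.example:|testing>
QUIT
'''

if __name__ == '__main__':
    for no, cmd, addr in find_pipe_envelopes(SAMPLE):
        print(f'line {no}: {cmd} address begins with a pipe: {addr}')
```

Lines inside the DATA section are skipped, so a message body that merely quotes an envelope command is not reported.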