| VID |
18048 |
| Severity |
30 |
| Port |
25 |
| Protocol |
TCP |
| Class |
SMTP |
| Detailed Description |
Sendmail is vulnerable to a denial-of-service attack via the mail.local program. mail.local is the program in Sendmail intended as the delivery agent for local mail. It takes LMTP (Local Mail Transfer Protocol) input from standard input and is what puts messages into users' mailboxes. While in LMTP mode, mail.local checks its input for the ".\n" string to find the end of a message. Sendmail blocks this string before passing input to mail.local. However, if a remote attacker sends a long string (2047 characters) with the ".\n" string appended, "(2047 chars).\n", it is possible to fake the end of the message. The rest of the message is then treated by mail.local as LMTP commands, and they can be sent to any mailbox (including private and closed ones) without filtering, checking, or logging by sendmail. Another vulnerability is that mail.local and sendmail can deadlock and fail to deliver local mail. mail.local returns LMTP answers to sendmail, but sendmail doesn't expect any output from mail.local at this point. The responses are therefore not retrieved from the I/O buffer, and the I/O buffer fills up if many of these responses are generated. mail.local and sendmail then become deadlocked and cannot deliver local mail.
* Note: For the following reasons, this may or may not be considered a security risk in your environment (i.e., it may be a false positive): 1. This check relies solely on the version number of the remote Sendmail server to assess this vulnerability. 2. The version number of the Sendmail server is based on the standard Sendmail distribution released by the Sendmail Consortium.
* Reference Sites: http://archives.neohapsis.com/archives/bugtraq/2000-04/0185.html
* Platforms Affected: Sendmail prior to 8.10.0, all platforms |
| Recommendation |
Upgrade to Sendmail version 8.10.0 or the latest version from the Sendmail web site, http://www.sendmail.org. |
| Related URL |
CVE-2000-0319 (CVE) |
| Related URL |
11746 (SecurityFocus) |
| Related URL |
4556 (ISS) |
|