
2007-12-25 0:43:00

buffer at most by one time its size (which is 250).

EXPLOITATION
Due to the nature of the overflowed buffer declaration (static),
exploitation of this issue is highly dependent on the way the compiler orders
the static data in the data segment. In other words, there must be some
usable static data immediately following our static buf, which when
overflowed can disrupt the execution flow of the sendmail process in such a
way that the program counter value can be fully controlled.

We have inspected this issue a bit more, and found out that on most Unix
systems the buf buffer is not followed by such data. We base this conclusion
upon the simple fact that we didn't manage to crash sendmail by feeding it
with 250 sequences of <> chars in the from address string. This means that
this issue does not seem to be exploitable on them. The following table
presents a summary of our findings:
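The crash test described above relies on a from address carrying hundreds of <> sequences. A mail gateway or log monitor can flag such addresses long before they reach an unpatched sendmail. The following check is an added example written for this page, not code from the advisory or from the sendmail project; the sample header values are constructed, and the threshold of 16 bracket characters is an assumption chosen well above anything a legitimate address needs.

```python
# Detection helper for address strings stuffed with angle brackets.
# Added example, not part of the original advisory or of sendmail.

# Constructed sample "From:" header values (not taken from the advisory).
SAMPLE_HEADERS = [
    "From: alice@example.org",
    "From: Bob <bob@example.org>",
    "From: " + "<>" * 250 + "mallory@example.invalid",  # 250 <> sequences
]

# Assumption: no legitimate address needs anywhere near this many brackets.
ANGLE_BRACKET_THRESHOLD = 16


def header_value(line: str) -> str:
    """Strip the header name ("From:") if present and return the address part."""
    if ":" in line:
        return line.split(":", 1)[1].strip()
    return line.strip()


def angle_bracket_stats(line: str) -> dict:
    """Count '<' and '>' characters and adjacent '<>' pairs in a header value."""
    value = header_value(line)
    return {
        "lt": value.count("<"),
        "gt": value.count(">"),
        # str.count is non-overlapping, so "<><>" yields 2 pairs.
        "pairs": value.count("<>"),
        "total": value.count("<") + value.count(">"),
    }


def is_suspicious(line: str, threshold: int = ANGLE_BRACKET_THRESHOLD) -> bool:
    """True when the address carries more bracket characters than the threshold.

    Counting total brackets rather than only '<>' pairs also catches nested
    forms such as '<<<<>>>>' that a pair-only count would underestimate.
    """
    return angle_bracket_stats(line)["total"] > threshold


def scan(lines) -> list:
    """Return the header lines that should be flagged for review."""
    return [line for line in lines if is_suspicious(line)]


if __name__ == "__main__":
    for line in scan(SAMPLE_HEADERS):
        stats = angle_bracket_stats(line)
        print("flagged: %d '<>' pairs, %d brackets total" % (stats["pairs"], stats["total"]))
```

The check is deliberately cheap (two character counts per header) so it can run on every message in a milter or log pipeline; tune the threshold downward only after confirming on real traffic that display-name quoting in your environment never produces a comparable count.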

System              Sendmail build                                  Result
------------------  ----------------------------------------------  --------------
Freebsd 4.4         default & self compiled Sendmail 8.11.6         does not crash
Solaris 8.0 x86     default & self compiled Sendmail 8.11.6         does not crash
Solaris 8.0 sparc   default & self compiled Sendmail 8.11.6         does not crash
HP-UX 10.20         self compiled Sendmail 8.11.6                   does not crash
IRIX 6.5.14         self compiled Sendmail 8.11.6                   does not crash
AIX 4.3             binary of Sendmail 8.11.3 from bull.de          does not crash
RedHat 7.0          default Sendmail 8.11.0                         does not crash
RedHat 7.2          default Sendmail 8.11.6                         does not crash
RedHat 7.3 (p)      patched Sendmail 8.11.6                         does not crash
RedHat 7.0          self compiled Sendmail 8.11.6                   crashes
RedHat 7.2          self compiled Sendmail 8.11.6                   crashes
RedHat 7.3          self compiled Sendmail 8.11.6                   crashes
Slackware 8.0 (p)   patched Sendmail 8.11.6 binary                  crashes
Slackware 8.0       self compiled Sendmail 8.12.7                   does not crash
RedHat 7.x          self compiled Sendmail 8.12.7                   does not crash

(p) - patched box
