sendmail -d problem (OLD yet still here)

Bonfield James (
Mon, 14 Mar 94 14:54:33 EST


I mailed to both CERT and the Sun security email addresses over a month back.
Neither replied until I mailed again explicitly asking whether or not they'd
even received my mail. Having heard nothing for a month now I've decided to
mail here.

There is a bug in many versions of sendmail to do with the -d command line
option. This allows setting of arbitrary elements of the debug array. I first
heard of the bug whilst examining the IDA sendmail source code 2-3 years back.

I am astounded that such a bug spotted such a long while ago has not yet made
its way into vendors' distributions.

To test if your sendmail has it, try using -d with a number greater than max
signed int, and less than max unsigned int, that preferably is substantially
far enough from either to be well outside normal address space ranges when
used as an array index.


$ sendmail -d3294967296

If this causes a segmentation fault then you'll likely have a bug in your
version of sendmail. The problem is that numbers in this range may skip the
range checks and result in accessing negative indexes into the debug array.
Hence it is possible to write to locations in memory before the debug array.

I've tested this on the standard Solaris 2.3 distribution and have
successfully obtained root access using this method. I have also tested on
Ultrix 4.2A (apparently has no problem), DEC OSF/1 V1.2 (has a problem), and
SunOS4.1 (also has a problem).

Note that the above -d argument is by no means a valid check of whether your
system is affected; it is just very likely to point out the problem.

As I mentioned above, the IDA sendmail has this fixed. Do an archie -s for
+IDA and you'll find various IDA distributions around. Alternatively if you
have the source for another version of sendmail then check this.

For BSD based versions:

In trace.c a function tTflag() starts with the lines:

        register char *s;
        int first, last;
        register int i;

This should be changed to:

        register char *s;
        unsigned int first, last;
        register unsigned int i;

Many thanks to Francis Dupont who according to the IDA source originally
reported the problem.


James Bonfield (   Tel: 0223 402499   Fax: 0223 412282
Medical Research Council - Laboratory of Molecular Biology,
Hills Road, Cambridge, CB2 2QH, England.
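The integer wraparound the post describes, next to a bounds-checked replacement for the digit accumulation, as an added example that is not part of James Bonfield's mail and not sendmail's own trace.c code. TTSIZE and all function names are assumptions; the "old" model reproduces the 32-bit two's-complement result a signed int would hold on the machines of the time.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed size of the debug vector; sendmail's real tTsize may differ. */
#define TTSIZE 100

/* Model of the signed accumulation "first = first*10 + digit" into an int.
 * Done in 32-bit unsigned arithmetic and then converted, so the demo itself
 * has no undefined behaviour; the result is what a signed 32-bit int would
 * hold after parsing the same digits. */
int32_t old_signed_accumulate(const char *s)
{
    uint32_t acc = 0;
    while (isdigit((unsigned char)*s))
        acc = acc * 10u + (uint32_t)(*s++ - '0');
    return (int32_t)acc;
}

/* A signed upper-bound check on its own lets a wrapped (negative) value
 * through: this is the range-check bypass the post describes. */
int old_range_check_passes(const char *s)
{
    return old_signed_accumulate(s) <= TTSIZE;
}

/* Hardened parser: digits only, rejected while accumulating so the value can
 * never wrap or exceed TTSIZE. Returns the level (0..TTSIZE) or -1. */
long safe_parse_debug_level(const char *s)
{
    unsigned acc = 0;
    if (!isdigit((unsigned char)*s))
        return -1;
    while (isdigit((unsigned char)*s)) {
        acc = acc * 10u + (unsigned)(*s++ - '0');
        if (acc > TTSIZE)   /* acc was <= TTSIZE before this step: no overflow */
            return -1;
    }
    return *s == '\0' ? (long)acc : -1;
}

int main(void)
{
    const char *arg = "3294967296";   /* the value used in the post */
    printf("old code would index with %ld, upper-bound check %s\n",
           (long)old_signed_accumulate(arg),
           old_range_check_passes(arg) ? "passes" : "rejects");
    printf("hardened parser returns %ld\n", safe_parse_debug_level(arg));
    return 0;
}
```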