COMMAND
MMDF SMTP Daemon
SYSTEMS AFFECTED
MMDF SMTP Daemon before 2.44a-B4 (Unixware 7.1)
PROBLEM
NAI Labs found the following. An implementation fault in MMDF allows
arbitrary individuals to obtain mail management privileges via
the SMTP daemon. An attacker can subsequently gain root access
via a few trivial steps. This vulnerability has been confirmed
and is known to be exploitable on all versions of MMDF prior to
the beta release 2.44a-B4. The version of MMDF included in the
default SCO OpenServer installation (2.43.3b) is also vulnerable.
The "MAIL FROM:" and "RCPT TO:" SMTP commands exist to allow a
client to relay to the server the source and destination
addresses of a mail message. The MMDF server performs some basic
sanity checks on the addresses given as arguments to these
commands. If the supplied data is for some reason invalid, an
error message to that effect is printed. During this process,
the entire input string is copied to a fixed-size local buffer
without any bounds checking, using the function sprintf().
Should the size of the input exceed the size of this buffer, the
call stack of the MMDF server can be overwritten. While MMDF's
"RCPT TO:" handling code performs checks on the address which
make exploitation impossible, the "MAIL FROM:" command has no
such checking and is easily exploitable.
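The unbounded sprintf() pattern described above is contrasted below with a bounded reply builder that rejects over-long paths before formatting and checks the snprintf() return value for truncation. This is an added example written for this page, not MMDF's code; the buffer size and the function names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not MMDF code: build the reply for a rejected MAIL FROM or
 * RCPT TO argument without letting the argument's length decide how much is
 * written into the fixed-size reply buffer. */
#define REPLY_MAX 128        /* constructed size of the reply buffer */
#define PATH_MAX_OCTETS 256  /* RFC 5321 4.5.3.1.3: longest legal path */
/* The pattern the advisory describes, kept here only as a comment:
 *   char buf[REPLY_MAX];
 *   sprintf(buf, "501 %s: bad address", addr);   no bound on addr's length */
/* Returns 0 on success, -1 if addr is longer than any legal path,
 * -2 if the reply would not fit in out (out is then the empty string). */
int format_bad_address_reply(const char *addr, char *out, size_t outlen)
{
    if (outlen == 0)
        return -2;
    out[0] = '\0';
    /* Bounded scan: refuse to format unless a NUL appears within the legal length. */
    if (memchr(addr, '\0', PATH_MAX_OCTETS + 1) == NULL)
        return -1;
    int n = snprintf(out, outlen, "501 %s: bad address", addr);
    /* snprintf() never overruns, but it returns the length it wanted;
     * n >= outlen means the reply was cut short, so report a failure. */
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -2;
    }
    return 0;
}

/* Demo/test helper: status for an address made of `len` 'A' characters. */
int status_for_address_length(size_t len)
{
    char addr[PATH_MAX_OCTETS + 64], out[REPLY_MAX];
    if (len >= sizeof addr)
        len = sizeof addr - 1;
    memset(addr, 'A', len);
    addr[len] = '\0';
    return format_bad_address_reply(addr, out, sizeof out);
}

int main(void)
{
    char out[REPLY_MAX];
    if (format_bad_address_reply("<bogus@@example.invalid>", out, sizeof out) == 0)
        printf("%s\n", out);
    return 0;
}
```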
Although the MMDF server is run as the unprivileged user mmdf by
inetd, the 'smtpd' binary is setuid root and is stored in a
directory owned by user mmdf. This allows an attacker to execute
commands as root by replacing the 'smtpsrvr' binary with an
arbitrary program or script.
SOLUTION
SCO has developed a patch to address this issue. More information
is available at:
http://www.sco.com/security
Because of the remotely exploitable nature of this vulnerability,
this is considered to be a high risk to users of MMDF and should
be resolved immediately.
The current public release of MMDF is the 2.44 release, available
from:
ftp://www.mathematik.uni-kl.de/pub/Sources/mail+news/mmdf/
and it is bug free.