COMMAND

    sendmail

SYSTEMS AFFECTED

    Systems running sendmail 8.8.0

PROBLEM

    There is  a serious  bug in  the mime7to8()  function of  sendmail
    8.8.0  which  allows  anyone  who  can  send  you  mail to execute
    arbitrary code as root on  your machine.  I think  mime7to8() only
    gets  invoked  if  you  set  the  undocumented  "9"  mailer  flag.
    However, this  flag is  set by  default in  the cf/mailer/local.m4
    file that ships with  sendmail 8.8.0.  Thus,  if you are using  an
    old  V6  format  configuration  file  from  sendmail  8.7, you are
    probably safe, but if you  generated a new V7 configuration  file,
    you are probably vulnerable to this bug.

    The inner loop of mime7to8() looks like this:

        u_char *obp;            /* write cursor into obuf */
        char buf[MAXLINE];      /* one raw input line from the data file */
        u_char obuf[MAXLINE];   /* decoded output line, passed to putline() */

        ....

                /* quoted-printable */
                obp = obuf;
                while (fgets(buf, sizeof buf, e->e_dfp) != NULL)
                {
                        /* The last argument is always MAXLINE, even though
                         * obp may already be well past the start of obuf. */
                        if (mime_fromqp((u_char *) buf, &obp, 0, MAXLINE) == 0)
                                continue;       /* "=\n" continuation: obp is NOT reset */

                        putline((char *) obuf, mci);
                        obp = obuf;             /* only reached on a complete line */
                }

    When mime_fromqp()  encounters a  line that  ends "=\n",  it chops
    those two characters off and returns 0 to indicate a  continuation
    line.   This causes  the while  loop to  continue, reading another
    input line and appending its contents to obuf.  However, when  the
    loop  continues  without  resetting  obp  to obuf, there are fewer
    than MAXLINE characters left in the output buffer.  This means  an
    attacker can  simply create  a very  large message  in which  each
    line ends with "=".   Eventually obp will move  beyond the end  of
    obuf  and  start  writing  almost  arbitrary  data to the sendmail
    process's stack (as long as no bytes are 0).
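    The following is an added illustration, not code from sendmail: a
    constructed quoted-printable decoder (qp_decode_line, standing in for
    mime_fromqp) driven by a bounded version of the loop above, where the
    space passed to the decoder is the space actually left in obuf rather
    than the constant MAXLINE. MAXLINE is set to 16 here so a short sample
    reaches the limit; decode_sample() feeds two constructed bodies, one of
    which chains "=" continuation lines past the buffer and is rejected.

```c
#include <ctype.h>
#include <string.h>
#define MAXLINE 16  /* constructed: tiny so a short sample reaches the bound */
static int hexval(int c) { return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10; }

/* Constructed stand-in for mime_fromqp(): decodes one quoted-printable line
 * into *obp, writing at most `room` bytes including the trailing NUL. Returns
 * 1 for a complete line, 0 for a soft break ("=\n"), -1 if room runs out. */
static int qp_decode_line(const char *in, char **obp, size_t room)
{
    char *o = *obp;
    for (; *in != '\0' && *in != '\n'; in++, room--) {
        if (room < 2) { *o = '\0'; *obp = o; return -1; }  /* byte + NUL must fit */
        if (*in == '=' && (in[1] == '\n' || in[1] == '\0')) {
            *o = '\0'; *obp = o; return 0;                 /* continuation line */
        }
        if (*in == '=' && isxdigit((unsigned char)in[1])
                       && isxdigit((unsigned char)in[2])) {
            *o++ = (char)(hexval(in[1]) * 16 + hexval(in[2]));
            in += 2;
        } else
            *o++ = *in;
    }
    *o = '\0'; *obp = o;
    return 1;
}
/* Hardened form of the advisory's loop: the space handed to the decoder
 * shrinks as obp advances, so a chain of "=" continuation lines cannot carry
 * obp past &obuf[MAXLINE]. Returns lines emitted, or -1 if one was rejected. */
static int decode_body(const char *const *lines, int n, void (*emit)(const char *))
{
    char obuf[MAXLINE], *obp = obuf;
    int emitted = 0;
    for (int i = 0; i < n; i++) {
        int r = qp_decode_line(lines[i], &obp, (size_t)(&obuf[MAXLINE] - obp));
        if (r < 0) return -1;     /* over-long logical line: reject, don't overflow */
        if (r == 0) continue;     /* soft break: keep appending, obp not reset */
        emit(obuf); emitted++; obp = obuf;
    }
    return emitted;
}
/* Constructed sample bodies (not from the advisory) and a capture hook. */
static char last_line[MAXLINE];
static void capture(const char *s) { strcpy(last_line, s); }
int decode_sample(int overlong)
{
    static const char *const ok[] = { "ab=3Dc\n", "hello=\n", "world\n" };
    static const char *const bad[] = { "aaaaaaaa=\n", "bbbbbbbb=\n", "c\n" };
    return decode_body(overlong ? bad : ok, 3, capture);
}
```

    With the constant MAXLINE in place of the shrinking room argument, the
    second sample would instead write past the end of obuf, which is the
    condition the advisory describes.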

SOLUTION

    If  you  don't  want  technical  details,  then  here's  the short
    version:

    Remove the  '9' flag  from all  mailers in  your sendmail.cf file.
    Thus,  for  instance,   if  you  have   the  following  lines   in
    sendmail.cf:

Mlocal,         P=/bin/mail, F=lsDFMAw5:/|@qSnE9, S=10/30, R=20/40,
                T=DNS/RFC822/X-Unix,
                A=mail -f $g -d $u
Mprog,          P=/bin/sh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/,
                T=X-Unix,
                A=sh -c $u

    Change them to this:

Mlocal,         P=/bin/mail, F=lsDFMAw5:/|@qSnE, S=10/30, R=20/40,
                T=DNS/RFC822/X-Unix,
                A=mail -f $g -d $u
Mprog,          P=/bin/sh, F=lsDFMoqeu, S=10/30, R=20/40, D=$z:/,
                T=X-Unix,
                A=sh -c $u

    If you are  using m4 to  generate your sendmail.cf  file, then you
    should add lines like this to your '.mc' file:

define(`LOCAL_MAILER_FLAGS', `rmn')dnl     (default is `rmn9')
define(`LOCAL_SHELL_FLAGS', `eu')dnl       (default is `eu9')