[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: sendmail header buffer overflow vulnerability, and what ZMailer can do..

On Wed, Mar 05, 2003 at 08:42:14AM -0700, Daryle A. Tilroe wrote:
> Clarification here please:
> Adding the -W flag simply prevents zmailer from forwarding
> harmful headers (it rewrites them) to vulnerable sendmail
> MTAs.  Correct?


> More importantly; no such bug exists in zmailer.  Correct?

  Something alike it has existed, not as stack overflows, but
  as buffer overflows in the heap.  (in malloc()ed data)
  "Multiline compound tokens" - real fix was implemented in
  July 1999.  That is included in  version  2.99.51.

> In other words is adding -W to prevent attacks on sendmail
> MTAs from coming from or through a zmailer MTA?


  Further experimentation did show, that even without it,
  current ZMailers (since around 1995 onwards) have rewritten
  8-bit bytes in headers into  MIME quoted-printable header

  That happens completely unconditionally, and will always render
  any white-space separated 8-bit byte containing strings
  into those tokens.

  Resulting tokens are not always with completely legal syntax,
  but at least it will very unlikely be executable code.

> -- 
> Daryle A. Tilroe

/Matti Aarnio	<mea@nic.funet.fi>
To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi