Re: sendmail header buffer overflow vulnerability, and what ZMailer can do..
On Wed, Mar 05, 2003 at 08:42:14AM -0700, Daryle A. Tilroe wrote:
> Clarification here please:
>
> Adding the -W flag simply prevents zmailer from forwarding
> harmful headers (it rewrites them) to vulnerable sendmail
> MTAs. Correct?
Right.
> More importantly; no such bug exists in zmailer. Correct?
Something like it has existed, not as stack overflows, but
as buffer overflows in the heap (in malloc()ed data).
"Multiline compound tokens" - the real fix was implemented in
July 1999. That is included in version 2.99.51.
> In other words is adding -W to prevent attacks on sendmail
> MTAs from coming from or through a zmailer MTA?
Right.
Further experimentation did show that even without it,
current ZMailers (since around 1995 onwards) have rewritten
8-bit bytes in headers into MIME quoted-printable header
tokens:
=?UNKNOWN-8BIT?Q?=xx=xx=xx=xx?=
That happens completely unconditionally, and will always render
any white-space separated string containing 8-bit bytes
into those tokens.
The resulting tokens do not always have completely legal syntax,
but at least they are very unlikely to be executable code.
> --
> Daryle A. Tilroe
--
/Matti Aarnio <mea@nic.funet.fi>
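An added illustration, not ZMailer's own code, of the rewriting Matti describes: every whitespace-separated header token that contains an 8-bit byte becomes a `=?UNKNOWN-8BIT?Q?...?=` word with each byte as `=XX`, and a check shows when the result exceeds the RFC 2047 encoded-word length limit, which is one way such output ends up with illegal syntax. The function names and the sample header bytes are my own construction.

```python
import re

# Constructed example of the defensive rewrite described in the post:
# any whitespace-separated token holding an 8-bit byte is replaced by an
# RFC 2047 Q-encoded word tagged UNKNOWN-8BIT. Not ZMailer's implementation.

ENCODED_WORD_PREFIX = b"=?UNKNOWN-8BIT?Q?"
ENCODED_WORD_SUFFIX = b"?="
MAX_ENCODED_WORD = 75  # RFC 2047 section 2: one encoded-word is at most 75 chars


def has_8bit(token: bytes) -> bool:
    """True when any byte of the token has the high bit set."""
    return any(b >= 0x80 for b in token)


def q_encode_token(token: bytes) -> bytes:
    """Encode every byte of the token as =XX, as in the post's =xx=xx=xx=xx sample.

    Encoding all bytes (not only the 8-bit ones) leaves nothing in the header
    but '=', hex digits and the encoded-word delimiters, so no raw binary
    survives for a downstream parser to choke on.
    """
    hexed = b"".join(b"=%02X" % b for b in token)
    return ENCODED_WORD_PREFIX + hexed + ENCODED_WORD_SUFFIX


def rewrite_header_value(value: bytes) -> bytes:
    """Rewrite each whitespace-separated token that contains 8-bit bytes.

    Pure 7-bit tokens pass through unchanged, and the original whitespace
    between tokens is preserved so the header stays readable.
    """
    parts = re.split(rb"(\s+)", value)  # capturing group keeps separators
    out = []
    for part in parts:
        if part and not part.isspace() and has_8bit(part):
            out.append(q_encode_token(part))
        else:
            out.append(part)
    return b"".join(out)


def exceeds_rfc2047_length(encoded_word: bytes) -> bool:
    """True when the generated word breaks the 75-character limit.

    Each token byte costs three characters plus 19 for the delimiters, so
    any 8-bit token of 19 bytes or more yields a word RFC 2047 forbids:
    the 'not completely legal syntax' the post mentions.
    """
    return len(encoded_word) > MAX_ENCODED_WORD


if __name__ == "__main__":
    # Constructed sample: a Subject value carrying raw Latin-1 bytes.
    sample = b"hello w\xf6rld from \xc4\xd6 mail"
    print(rewrite_header_value(sample).decode("ascii"))
```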