
Bug 127324

Summary: Sendmail Remote Signal Handling Vulnerability
Product: Gentoo Security
Reporter: psyprus <psyprus>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.sendmail.org

Description psyprus 2006-03-23 09:12:27 UTC
SUMMARY

 <http://www.sendmail.com/> sendmail is "a powerful, efficient, and 
scalable Mail Transport Agent"

Improper timeout calculation, usage of memory jumps and integer overflows 
allow attackers to perform a race condition DoS on sendmail, and may also 
execute arbitrary code.

DETAILS

Vulnerable Systems:
 * Sendmail version 8.13.5 and prior
 * Sendmail version 8.12.10 and prior

Immune Systems:
 * Sendmail version 8.13.6

Race condition DoS:
Sendmail contains a signal race vulnerability when receiving and 
processing mail data from remote clients. Sendmail utilizes a signal 
handler for dealing with timeouts that is not async-safe and interruption 
of certain functions by this signal handler will cause static data 
elements to be left in an inconsistent state. These data elements can be 
used to write data to invalid parts of the stack (or heap in some 
scenarios), thus taking control of the vulnerable process.

In order to exploit this vulnerability, an attacker simply needs to be 
able to connect to the sendmail SMTP server. This is a multi-shot exploit, 
meaning the attacker can attempt to exploit it an indefinite number of 
times, since sendmail spawns a new process for each connected client.

Memory Jumps:
Unsafe usage of the setjmp and longjmp functions allows attackers to redirect 
memory jumps and execute arbitrary code.

Integer Overflow:
When calculating the header size, an integer overflow may occur when too 
big a header size is needed to allocate on an unsigned integer, causing an 
overflow and allowing arbitrary code to be executed.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058> 
CVE-2006-0058
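The async-signal-safety point in the description, shown as a hardened timeout pattern. This is an added example, not Sendmail's code and not the fix shipped in 8.13.6: the SIGALRM handler only writes one byte to a self-pipe, and the reader detects the timeout through poll() at a point where its own buffers are consistent, so no longjmp ever interrupts half-finished work. All names here are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>
/* Hypothetical hardened timeout pattern (added example, not Sendmail's code).
 * The SIGALRM handler never longjmp()s out of half-finished work on static
 * buffers; it only write()s one byte to a private self-pipe, which is
 * async-signal-safe. The reader sees that byte via poll() at a safe point. */
static int self_pipe[2] = { -1, -1 };
enum { RL_OK = 0, RL_TIMEOUT = -1, RL_ERROR = -2 };
static void on_alarm(int sig) {
    int saved = errno;              /* keep errno intact for the interrupted code */
    (void)sig; (void)write(self_pipe[1], "t", 1);
    errno = saved;
}

/* Read one line from fd into buf (capacity len), giving up after secs seconds.
 * buf is NUL-terminated and consistent on every return path. */
int read_line_with_timeout(int fd, char *buf, size_t len, unsigned secs) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    if (pipe(self_pipe) == -1 || sigaction(SIGALRM, &sa, &old) == -1) return RL_ERROR;
    alarm(secs);
    struct pollfd pfd[2] = { { .fd = fd, .events = POLLIN }, { .fd = self_pipe[0], .events = POLLIN } };
    size_t n = 0; int rc = RL_OK;
    while (n + 1 < len) {
        if (poll(pfd, 2, -1) == -1) { if (errno == EINTR) continue; rc = RL_ERROR; break; }
        if (pfd[1].revents & POLLIN) { rc = RL_TIMEOUT; break; }  /* alarm fired */
        ssize_t r = read(fd, buf + n, 1);
        if (r <= 0) { if (r < 0) rc = RL_ERROR; break; }          /* EOF or error */
        if (buf[n++] == '\n') break;
    }
    alarm(0); sigaction(SIGALRM, &old, NULL);                     /* cancel and restore */
    close(self_pipe[0]); close(self_pipe[1]);
    buf[n] = '\0';
    return rc;
}
/* Self-check on a constructed pipe: with send_line set, a constructed SMTP line
 * is written first and must come back intact; otherwise nobody writes, so the
 * read must time out after one second. */
int demo(int send_line, char *out, size_t len) {
    int p[2]; const char *msg = "EHLO client.example\r\n";
    if (pipe(p) == -1) return RL_ERROR;
    if (send_line && write(p[1], msg, strlen(msg)) < 0) return RL_ERROR;
    int rc = read_line_with_timeout(p[0], out, len, 1);
    close(p[0]); close(p[1]);
    return rc;
}
```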
Comment 1 psyprus 2006-03-23 09:16:03 UTC

*** This bug has been marked as a duplicate of 127234 ***