An attacker exploits a weakness in the MIME conversion routine to cause a
buffer overflow and gain control over the mail server machine. The MIME
system is designed to allow various information formats to be
interpreted and sent via e-mail. Attack points exist where data are converted
to a MIME-compatible format and back.
Attack Execution Flow
Determine whether the mail server is unpatched and is potentially vulnerable to one of the known MIME conversion buffer overflows (e.g. Sendmail 8.8.3 and 8.8.4).
Identify places in the system where vulnerable MIME conversion routines may be used.
Send e-mail messages to the target system with specially crafted headers that trigger the buffer overflow and execute the shellcode.
Attack Prerequisites
The target system uses a mail server.
The mail server vendor has not released a patch for the MIME conversion
routine, the patch itself has a security hole or does not fix the original
problem, or the patch has not been applied to the user's system.
Typical Likelihood of Exploit
Likelihood: High
Methods of Attack
Injection
Examples-Instances
Description
A MIME conversion buffer overflow exists in Sendmail versions 8.8.3
and 8.8.4: these versions are vulnerable to a buffer overflow in the MIME
handling code. By sending a message with specially crafted headers to the
server, a remote attacker can overflow a buffer and execute arbitrary
commands on the system with root privileges.
Sendmail performs a 7-bit to 8-bit conversion on e-mail messages. The
vulnerability is due to insufficient bounds checking during these
conversions, which gives an attacker an opportunity to overwrite the
internal stack of sendmail while it is executing with root privileges. An
attacker first probes the target system to determine which mail server and
which version are in use. The attacker can then test the exploit at leisure
on their own machine running the same version of the mail server before
using it in the wild.
Related Vulnerabilities
CVE-1999-0047
Attacker Skills or Knowledge Required
Skill or Knowledge Level: Low
It may be trivial to cause a DoS via this attack pattern.
Skill or Knowledge Level: High
Causing arbitrary code to execute on the target system.
Probing Techniques
Description
The first step is to find out which mail server (and which version) is
running on the target system.
Solutions and Mitigations
Stay up to date with third-party vendor patches.
Disable the 7 to 8 bit conversion. This can be done by removing the F=9
flag from all Mailer specifications in the sendmail.cf file.
For example, a sendmail.cf file with these changes applied should look
similar to the following (depending on your system and configuration):
For the "Mlocal" and "Mprog" Mailers this can be achieved by modifying the
".mc" file to include the following lines:
define(`LOCAL_MAILER_FLAGS',
       ifdef(`LOCAL_MAILER_FLAGS',
             `translit(LOCAL_MAILER_FLAGS, `9')',
             `rmn'))
define(`LOCAL_SHELL_FLAGS',
       ifdef(`LOCAL_SHELL_FLAGS',
             `translit(LOCAL_SHELL_FLAGS, `9')',
             `eu'))
and then rebuilding the sendmail.cf file using m4(1).
(From "Exploiting Software"; see the reference below.)
Use the sendmail restricted shell program (smrsh).
Use mail.local.
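The mitigation above is only effective if no Mailer specification in the generated sendmail.cf still carries flag 9. The following audit script is an added example, not part of the original entry or of Sendmail itself: it parses the "M" (mailer) lines of a sendmail.cf, joins continuation lines, reports every mailer whose F= flags include 9, and shows the specification with the flag stripped. The sendmail.cf fragment embedded in it is constructed for illustration.

```python
import re

# Constructed sample sendmail.cf fragment (not taken from a real system).
# "local" and "prog" still carry flag 9 (7-bit to 8-bit MIME conversion);
# "smtp" does not. Continuation lines begin with a tab, as in real cf files.
SAMPLE_CF = (
    "# comment lines and rewriting rules are ignored by the audit\n"
    "Mlocal,\t\tP=/usr/lib/mail.local, F=lsDFMAw5:/|@qSPfhn9, S=EnvFromL/HdrFromL,\n"
    "\t\tR=EnvToL/HdrToL, T=DNS/RFC822/X-Unix, A=mail.local -l\n"
    "Mprog,\t\tP=/bin/sh, F=lsDFMoqeu9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,\n"
    "\t\tD=$z:/, T=X-Unix/X-Unix/X-Unix, A=sh -c $u\n"
    "Msmtp,\t\tP=[IPC], F=mDFMuX, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP,\n"
    "\t\tE=\\r\\n, L=990, T=DNS/RFC822/SMTP, A=TCP $h\n"
)

FLAG_7TO8 = "9"  # sendmail mailer flag that enables 7-bit to 8-bit MIME conversion


def mailer_specs(cf_text):
    """Return {mailer_name: field_string} for every M line in a sendmail.cf.

    Lines starting with whitespace are continuations of the previous line.
    """
    joined = []
    for raw in cf_text.splitlines():
        if raw[:1] in (" ", "\t") and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.rstrip())
    specs = {}
    for line in joined:
        m = re.match(r"M([^,\s]+)\s*,\s*(.*)$", line)
        if m:
            specs[m.group(1)] = m.group(2)
    return specs


def mailer_flags(fields):
    """Extract the F= field (the mailer flag characters) from a field string."""
    m = re.search(r"(?:^|,\s*)F=([^,\s]*)", fields)
    return m.group(1) if m else ""


def mailers_with_7to8(cf_text):
    """Names of mailers whose F= flags still include flag 9 (sorted)."""
    return sorted(name for name, fields in mailer_specs(cf_text).items()
                  if FLAG_7TO8 in mailer_flags(fields))


def strip_7to8(fields):
    """Return the field string with flag 9 removed from F= (the recommended fix)."""
    return re.sub(r"((?:^|,\s*)F=)([^,\s]*)",
                  lambda m: m.group(1) + m.group(2).replace(FLAG_7TO8, ""), fields)
```

Run it against the real /etc/mail/sendmail.cf after rebuilding from the .mc file; an empty result from mailers_with_7to8 confirms the conversion is disabled for every mailer, not just the two covered by the .mc lines above.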
Attack Motivation-Consequences
Scope                                            Technical Impact                        Note
Confidentiality, Integrity, Availability         Execute unauthorized code or commands
Integrity                                        Modify memory
Availability                                     DoS: crash / exit / restart
Confidentiality, Access Control, Authorization   Gain privileges / assume identity
Injection Vector
The specially formatted e-mail message whose body is constructed so as to
trigger the buffer overflow in the 7-bit to 8-bit MIME conversion function.
Payload
The shellcode included as part of the e-mail message body, which is executed on
the target system with root privileges once the stack-based buffer overflow in
the 7-bit to 8-bit MIME conversion function is triggered.
Activation Zone
The function performing the 7-bit to 8-bit MIME conversion.