CVE 1999-0047
Versions 8.8.3 and 8.8.4 of sendmail have a serious
security vulnerability that allows remote users to execute arbitrary commands
on the local system with root privileges. By sending a carefully crafted
email message to a system running a vulnerable version of sendmail,
intruders may be able to force sendmail to execute arbitrary
commands with root privileges. Those commands are run on the same system
where the vulnerable sendmail is running. This vulnerability
may be exploited on systems despite firewalls and other network boundary
protective measures. A hacker does not have to be a local user to exploit
this vulnerability. This vulnerability is described in CERT Advisory CA-97.05.
CVE 1999-0129
Version 8 of sendmail (version 8.x.x up to and including
8.8.3) has a vulnerability that can be exploited by a local user to run
programs with group permissions of other users. For the exploitation to
be successful, group-writable files must be available on the same file
system as a file that the attacker can convince sendmail
to trust. This vulnerability can only be exploited by local users (i.e.,
users who have accounts on the target machine). This vulnerability is described
in CERT Advisory CA-96.25.
CVE 1999-0130
Versions 8.7 through 8.8.2 of sendmail have a vulnerability
that can be used to gain root access. Sendmail is often
run in daemon mode so it can "listen" for incoming mail connections on
the standard SMTP networking port (usually port 25). The root user is the
only user allowed to start sendmail in this way, and sendmail
contains code intended to enforce this restriction. Due to a coding error,
sendmail can be invoked in daemon mode in a way that bypasses the built-in check,
and any local user is able to start sendmail in daemon
mode. By manipulating the sendmail mail environment, the
user can then have sendmail execute an arbitrary program
with root privileges. This vulnerability can only be exploited by local
users (i.e., users who have accounts on the target machine). This vulnerability
is described in CERT Advisory CA-96.24. CERT Advisory CA-96.24 also describes
additional vulnerabilities in versions 8.8.0 and 8.8.1 of sendmail.
CVE 1999-0206
Versions 8.8.0 and 8.8.1 of sendmail have a buffer overflow
condition in the MIME processing code. A remote attacker could exploit
the condition to gain root access on the server. This vulnerability is
described in an X-Force Alert.
CVE 1999-0131
There are two vulnerabilities in versions of sendmail up
to and including version 8.7.5. By exploiting the first of these vulnerabilities,
users who have local accounts can gain access to the default user, which
is often daemon. By exploiting the second vulnerability, any local user
can gain root access. Both of these vulnerabilities can only be exploited
by local users (i.e., users who have accounts on the target machine). This
vulnerability is described in CERT Advisory CA-96.20.
CVE 1999-0203
Versions 5 through 8.6.9 of sendmail have a vulnerability
which could allow an intruder to execute commands on the server with
root privileges. This vulnerability is described in CERT Advisory CA-95.08.
CVE 1999-0204
There is a buffer overflow condition in version 8.6.9 of sendmail
in the processing of the response from the ident service. Sendmail
makes a connection to the ident service on the client host
in order to log information about the user who is making the connection.
A properly formatted response from the ident service is
expected. An attacker could instead send a very long response, thereby
overflowing the buffer, enabling the attacker to execute arbitrary commands
on the server. This vulnerability was described in an X-Force alert.
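The defensive counterpart to the ident overflow described above is to bound and validate the reply before any copy. The following is an added example, not sendmail's code: the function name ident_parse is hypothetical, and the reply layout and 1000-character limit are assumed from RFC 1413.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define IDENT_MAX_LINE 1000 /* RFC 1413: client may give up after 1000 chars without EOL */

/* Parse "<server-port> , <client-port> : USERID : <opsys> : <user>".
 * Copies the user name into user[] and returns 0; returns -1 for an
 * unterminated, oversized, malformed or ERROR reply. Never truncates. */
int ident_parse(const char *resp, size_t len, char *user, size_t user_sz)
{
    char line[IDENT_MAX_LINE + 1];
    const char *eol = memchr(resp, '\n', len);
    size_t n = eol ? (size_t)(eol - resp) : 0;
    unsigned sport = 0, cport = 0;
    int off = 0;

    if (eol == NULL || n > IDENT_MAX_LINE || user_sz == 0)
        return -1;                          /* length checked before any copy */
    memcpy(line, resp, n);
    line[n] = '\0';
    if (n > 0 && line[n - 1] == '\r')
        line[--n] = '\0';
    if (strlen(line) != n)
        return -1;                          /* embedded NUL byte */
    if (sscanf(line, "%5u , %5u : USERID :%n", &sport, &cport, &off) != 2 || off == 0)
        return -1;                          /* not a USERID reply */
    if (sport < 1 || sport > 65535 || cport < 1 || cport > 65535)
        return -1;

    const char *p = strchr(line + off, ':');    /* skip the <opsys> field */
    if (p == NULL)
        return -1;
    for (p++; *p == ' '; p++)
        ;
    size_t ulen = strlen(p);
    if (ulen == 0 || ulen >= user_sz)
        return -1;                          /* reject rather than overflow */
    for (size_t i = 0; i < ulen; i++)
        if (!isprint((unsigned char)p[i]))
            return -1;                      /* keep control bytes out of logs */
    memcpy(user, p, ulen + 1);
    return 0;
}

int main(void)
{
    const char ok[] = "6193, 25 : USERID : UNIX : alice\r\n";   /* constructed sample */
    char user[32];
    if (ident_parse(ok, sizeof ok - 1, user, sizeof user) == 0)
        printf("ident user: %s\n", user);
    return 0;
}
```
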
CVE 1999-0095
An older vulnerability that still shows up from time to time arises when
sendmail runs in DEBUG mode. DEBUG mode can allow a malicious user
to gain access through sendmail.
Very old versions of sendmail, such as version 5.x and earlier, allow a remote attacker to specify commands after a pipe (|) character in certain fields in the e-mail. This could result in arbitrary commands being executed on the server with root privileges. This vulnerability was described in an X-Force Alert.