Title: Sendmail mail.local Vulnerabilities
Severity: MODERATE
Description:
mail.local is a program included with Sendmail, intended as a delivery agent for local mail. mail.local reads LMTP (Local Mail Transfer Protocol) from standard input and is what puts messages into users' mailboxes. When in LMTP mode, mail.local checks user input for the end-of-message indicator, ".\n", which sendmail will block before passing input to mail.local. It is possible to fake the end of message if a long string (2047 characters) followed by a ".\n" is sent. Any text after the faked end-of-message indicator will be treated by mail.local as LMTP commands, meaning that fake messages and the like can be sent to any mailbox without filtering or logging by sendmail.
Another problem is that, since LMTP commands are being executed, mail.local will generate responses that sendmail does not expect (it does not retrieve them from the I/O buffer). If many of these responses (i.e., error responses) are generated, mail.local and sendmail become deadlocked and the I/O buffer will be filled. This will prevent local mail delivery.
On Solaris machines running Sendmail 8.10.0 or 8.10.1 compiled with the -DCONTENTLENGTH flag, it is possible to modify the Content-Length field in the message header in the same way the fake end-of-message indicator is added, corrupting the user's mailbox.
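The end-of-message confusion described above, shown as an added C example (not code from Sendmail or from this advisory). It assumes the reader fetches input in fgets()-style chunks through a 2048-byte buffer, which is consistent with the 2047-character figure but is not stated on the page; `chunk_read`, `find_eom` and `build_sample` are hypothetical names, and the sample message is constructed.

```c
#include <stdio.h>
#include <string.h>

#define LINE_BUF 2048 /* assumed size: 2047 characters plus the NUL */

/* fgets()-like: copies at most size-1 bytes, stopping after '\n'. */
static size_t chunk_read(char *buf, size_t size, const char *in, size_t len, size_t *pos)
{
    size_t n = 0;
    while (n + 1 < size && *pos < len) {
        buf[n] = in[(*pos)++];
        if (buf[n++] == '\n') break;
    }
    buf[n] = '\0';
    return n;
}

/* Offset just past the first chunk accepted as end-of-message, or -1.
 * strict == 0: any chunk equal to ".\n" is accepted (the flawed check).
 * strict != 0: the chunk must also begin a new input line. */
long find_eom(const char *in, size_t len, int strict)
{
    char buf[LINE_BUF];
    size_t pos = 0, n;
    int at_line_start = 1;
    while ((n = chunk_read(buf, sizeof buf, in, len, &pos)) > 0) {
        if (strcmp(buf, ".\n") == 0 && (at_line_start || !strict))
            return (long)pos;
        /* The next chunk starts a line only if this one ended in '\n'. */
        at_line_start = (buf[n - 1] == '\n');
    }
    return -1;
}

/* Constructed sample (out needs 2076 bytes): a header line, 2047 'A's
 * followed by ".\n", more body text, then the genuine terminator. */
size_t build_sample(char *out)
{
    memcpy(out, "Subject: x\n", 11);
    memset(out + 11, 'A', 2047);
    memcpy(out + 2058, ".\ntrailing text\n.\n", 18);
    return 2076;
}

int main(void)
{
    char s[2076];
    size_t n = build_sample(s);
    printf("naive=%ld strict=%ld\n", find_eom(s, n, 0), find_eom(s, n, 1));
}
```

The naive check stops in the middle of the long line, leaving the rest of the input to be parsed as commands, while the strict check only accepts the terminator that actually begins a line.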
Affected Products:
- Eric Allman Sendmail 8.9.3