J-Security Center

Title: Sendmail Unsafe Signal Handling Race Condition Vulnerability

Severity: MODERATE

Description:

Several methods of causing undesired or unexpected behaviour in programs that make use of non-atomic or non-reentrant operations in signal handling functions have recently been presented in a paper by Michal Zalewski.

Due to the implications of this paper, the Sendmail MTA has been found to be susceptible to several possible race condition vulnerabilities.

The problems lie in the signal handlers used for dealing with specific signals (such as SIGTERM, SIGINT, etc.). By generating a signal while a signal handling operation is already in progress, an attacker could interrupt a non-reentrant libc function and enter it again from the handler. With precise timing, such an attack could result in, for example, heap corruption or interruption during privilege lowering.

This set of vulnerabilities exists because non-reentrant library functions (malloc, free, syslog, operations on global buffers, etc.) are called from signal handlers.

Conditions where these types of attacks may be possible are known to exist in sendmail, which is installed set-uid root and locally executable.

Attacks against sendmail are still theoretical. The program retains its root privileges during runtime almost all of the time; no exploitable problems have yet been found with user signal delivery. It remains remotely possible that an exploitable condition exists in Sendmail.
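
Added example, not Sendmail's code and not part of this advisory: the handler pattern that removes the race described above. The handler only stores the signal number in a volatile sig_atomic_t, sigaction's sa_mask holds any further signal for the duration of the handler so it cannot be re-entered, and all non-reentrant work (syslog, free, global buffers) is done from the main loop after take_pending_signal() returns; the function names and the choice of SIGTERM/SIGINT/SIGHUP are my own.

```c
#define _POSIX_C_SOURCE 200809L   /* for sigaction/sigprocmask */
#include <signal.h>
#include <string.h>

/* The only state a handler may safely write: a volatile sig_atomic_t. */
static volatile sig_atomic_t pending_sig = 0;

/* Async-signal-safe handler: a single store, no libc calls at all. */
static void record_signal(int sig) { pending_sig = sig; }

/* Install record_signal for SIGTERM, SIGINT and SIGHUP. sa_mask is full,
 * so a further signal arriving while the handler runs is held until it
 * returns instead of re-entering it. Returns 0 on success, -1 on failure. */
int install_safe_handlers(void)
{
    static const int sigs[] = { SIGTERM, SIGINT, SIGHUP };
    struct sigaction sa;
    size_t i;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = record_signal;
    sigfillset(&sa.sa_mask);
    for (i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (sigaction(sigs[i], &sa, NULL) != 0)
            return -1;
    return 0;
}

/* Main-loop side: fetch and clear the recorded signal with signals blocked
 * so none is lost between read and clear; the caller then does the real
 * cleanup (syslog, free, ...) with no handler running. 0 = nothing pending. */
int take_pending_signal(void)
{
    sigset_t all, old;
    int sig;
    sigfillset(&all);
    sigprocmask(SIG_BLOCK, &all, &old);
    sig = pending_sig;
    pending_sig = 0;
    sigprocmask(SIG_SETMASK, &old, NULL);
    return sig;
}

/* Check: 1 if the handler for sig masks other while it runs, else 0. */
int handler_blocks(int sig, int other)
{
    struct sigaction cur;
    return sigaction(sig, NULL, &cur) == 0 && sigismember(&cur.sa_mask, other) == 1;
}
```

A daemon's main loop calls take_pending_signal() on each iteration and acts on a non-zero result; nothing that touches the heap or global buffers ever runs in handler context.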

Affected Products:

  • Caldera OpenLinux Server 3.1.0
  • Caldera OpenLinux Workstation 3.1.0
  • Compaq Tru64 5.1.0
  • Compaq Tru64 5.1.0 B
  • Compaq Tru64 5.1.0 a
  • Conectiva Linux 6.0.0
  • IBM AIX 5.1.0
  • IBM AIX 5.2
  • RedHat Linux 7.0.0
  • RedHat Linux 7.0.0 alpha
  • RedHat Linux 7.0.0 i386
  • RedHat Linux 7.0.0 sparc
  • RedHat Linux 7.1.0
  • RedHat Linux 7.1.0 alpha
  • RedHat Linux 7.1.0 i386
  • RedHat Linux 7.1.0 ia64
  • S.u.S.E. Linux 7.1.0
  • S.u.S.E. Linux 7.1.0 alpha
  • S.u.S.E. Linux 7.1.0 ppc
  • S.u.S.E. Linux 7.1.0 sparc
  • S.u.S.E. Linux 7.1.0 x86
  • S.u.S.E. Linux 7.2.0
  • S.u.S.E. Linux 7.2.0 i386
  • SCO Open Server 5.0.4
  • SCO Open Server 5.0.5
  • SCO Open Server 5.0.6
  • SCO Open Server 5.0.6 a
  • Sendmail Consortium Sendmail 8.10.0
  • Sendmail Consortium Sendmail 8.10.1
  • Sendmail Consortium Sendmail 8.10.2
  • Sendmail Consortium Sendmail 8.11.0
  • Sendmail Consortium Sendmail 8.11.1
  • Sendmail Consortium Sendmail 8.11.2
  • Sendmail Consortium Sendmail 8.11.3
  • Sendmail Consortium Sendmail 8.12.0 beta7
  • Sun Cobalt Qube3 4000WG
  • Sun Cobalt RaQ 4
  • Sun Cobalt RaQ XTR
  • Sun Cobalt RaQ XTR 3500R
  • Sun Cobalt RaQ4 3001R

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.