SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

Dragos Ruiu dr at
Thu Mar 23 20:15:46 UTC 2006

On March 23, 2006 01:41 am, Gadi Evron wrote:
> Here's what ISS releasing the Race Condition vulnerability has to say:
> They say it's a remote code execution. They say it's a race condition. No
> real data available to speak of. I can't see how it's remotely
> exploitable, but well, no details, remember? From what we can see it seems
> like a DoS.

ISS's Mark Dowd is very clever guy. And if duke says it's exploitable
I would believe him :-).  It's an interesting new vector anyway.

But like all timing related attacks, the question is reliability.
Though gossip has it, this one is repeatable with sub-100 attempts
and you get infinite shots at it because even if the process 
does die it's a child of the parent listener. (So it is not really
a DoS per se in any case.)

> Bottom line
> -----------
> What they did behind the smoke-screen is replace a lot of setjmp() and
> longjmp() functions (not very secure ones at that) with goto's
> (interesting choice).

Smoke screen seems like unfarily loaded terminology to use.

OpenBSD fixed (removed) many setjmp/longjmp functions in their
tree a long time ago as a class of bugs. (Though this sendmail 
exploitable collecttimeout() longjmp one is new and they patched
it yesterday with everyone else, because as you noted, replacing
it was kinda hairy...)

I don't think its fair to bitch about people fixing bugs and then not
having the time to send out advisories for every little tweak.
The important thing is to fix the bug. And often times the 
developer won't understand the real impact of fixing a bug 
until someone clever like Mark comes up with some innovative
way to exploit an "unexploitable" bug like this one.

What will be interesting to see when the PoC exploits are 
finally released, is if any of the memory/stack protection schemes
mitigate it.

Besides, there is only one true mailer to mail them all,
and its name is Postfix.

Now if we could only convince Mr. Venema to switch 
to a BSD license _everyone_ would switch to Postfix
and everything would be much better. If it weren't for
that "poison pill" clause in its license, I'm sure most
OSes and commercial systems would have swapped 
out Sendmail for Postfix long ago.


World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada    April 3-7 2006
pgpkey kyxpgp

More information about the NANOG mailing list