Sendmail mail.local Vulnerabilities

mail.local is the local delivery agent shipped with Sendmail. It reads LMTP (Local Mail Transfer Protocol) on standard input and writes messages into users' mailboxes. In LMTP mode, mail.local scans its input for the end-of-message indicator, ".\n", which sendmail itself is supposed to keep out of the message data before handing it to mail.local. The indicator can be faked by sending a long line (2047 characters) followed by ".\n". Any text after the faked end-of-message indicator is then interpreted by mail.local as LMTP commands, so forged messages and the like can be placed into any mailbox without sendmail's filtering or logging.

Another problem is that, because LMTP commands are being executed, mail.local generates responses that sendmail does not expect and never reads from the I/O buffer. If many such responses (e.g. error responses) are generated, the buffer fills up and mail.local and sendmail deadlock, which stops local mail delivery.

On Solaris machines running Sendmail 8.10.0 or 8.10.1 compiled with the -DCONTENTLENGTH flag, the Content-Length field in the message header can be modified in the same way the fake end-of-message indicator is injected, corrupting the user's mailbox.

Copyright 2010, SecurityFocus