Juniper Networks

Signature Detail


Short Name: DNS:EXPLOIT:MAL-TXT-REC
Severity: Medium
Recommended: No
Category: DNS
Keywords: Malformed DNS TXT Record
Release Date: 2005/03/23
Update Number: 1213
Supported Platforms: idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

DNS: Malformed DNS TXT Record


This signature detects attempts to send a malformed TXT reply from a server back to a requesting client. Some Sendmail versions are vulnerable. When this signature is matched, the replying server is probably hostile or compromised.

Extended Description

Sendmail is a freely available, open source mail transport agent. It is available for most Unix and Linux operating systems. A buffer overflow has been discovered in the DNS handling code of Sendmail. When Sendmail maps an address using a TXT query, it does not properly check bounds on the data returned from the nameserver. Because of this, a malicious nameserver could send a string of arbitrary length to the mail server, resulting in a buffer overflow and potential code execution. The Sendmail Consortium has stated that the possibility of exploitation is relatively low, as there are no known configurations that use this DNS map option.
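The missing bounds check described above, shown in its corrected form as an added example (not Sendmail's code and not the signature's matching logic). It assumes the RFC 1035 TXT layout of length-prefixed character-strings; the function name txt_rdata_copy, the 16-byte destination buffer and the sample records are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Sendmail or Juniper code. TXT RDATA is one or
 * more RFC 1035 <character-string>s: a length octet, then that many bytes.
 * Returns bytes written to out (NUL-terminated), -1 if the record is
 * malformed, -2 if it is well-formed but does not fit in out. */
int txt_rdata_copy(const unsigned char *rdata, size_t rdlen,
                   char *out, size_t outcap)
{
    size_t pos = 0, written = 0;

    if (rdata == NULL || out == NULL || outcap == 0 || rdlen == 0)
        return -1;
    while (pos < rdlen) {
        size_t slen = rdata[pos++];        /* length octet */
        if (slen > rdlen - pos)            /* string runs past RDLENGTH */
            return -1;
        if (slen > outcap - 1 - written)   /* would overflow destination */
            return -2;
        memcpy(out + written, rdata + pos, slen);
        written += slen;
        pos += slen;
    }
    out[written] = '\0';
    return (int)written;
}

/* Constructed sample records (not captured traffic). */
static const unsigned char TXT_OK[]    = "\012color=blue"; /* 10-byte string */
static const unsigned char TXT_SHORT[] = "\310xy";         /* claims 200, has 2 */
static const unsigned char TXT_LONG[]  = "\024" "xxxxxxxxxx" "xxxxxxxxxx";
static char demo_out[16];  /* deliberately small destination buffer */

int main(void)
{
    printf("ok:    %d\n", txt_rdata_copy(TXT_OK, sizeof TXT_OK - 1,
                                         demo_out, sizeof demo_out));
    printf("short: %d\n", txt_rdata_copy(TXT_SHORT, sizeof TXT_SHORT - 1,
                                         demo_out, sizeof demo_out));
    printf("long:  %d\n", txt_rdata_copy(TXT_LONG, sizeof TXT_LONG - 1,
                                         demo_out, sizeof demo_out));
    return 0;
}
```

The two rejections are distinct on purpose: -1 marks a record whose length octet disagrees with RDLENGTH, while -2 marks a valid record that is simply larger than the caller's buffer.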

Affected Products

  • Sendmail Consortium Sendmail 8.11.0
  • Sendmail Consortium Sendmail 8.11.1
  • Sendmail Consortium Sendmail 8.11.2
  • Sendmail Consortium Sendmail 8.11.3
  • Sendmail Consortium Sendmail 8.11.4
  • Sendmail Consortium Sendmail 8.11.5
  • Sendmail Consortium Sendmail 8.11.6
  • Sendmail Consortium Sendmail 8.12.0 .0
  • Sendmail Consortium Sendmail 8.12.1
  • Sendmail Consortium Sendmail 8.12.2
  • Sendmail Consortium Sendmail 8.12.3
  • Sendmail Consortium Sendmail 8.12.4
  • Sun Solaris 9 Sparc

References

  • BugTraq: 5122
  • CVE: CVE-2002-0906
  • URL: http://www.faqs.org/rfcs/rfc1464.html

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.