Signal handling bug in Sendmail

Here’s an interesting vulnerability:

Sendmail contains a signal race vulnerability when receiving and processing mail data from remote clients. Sendmail utilizes a signal handler for dealing with timeouts that is not async-safe and interruption of certain functions by this signal handler will cause static data elements to be left in an inconsistent state. These data elements can be used to write data to invalid parts of the stack (or heap in some scenarios), thus taking control of the vulnerable process.

It’s a good reminder that signal handling turns any program into a multithreaded program.

14 May 2006 by trevor #