Note: This is an archival copy of Security Sun Alert 200355 as previously published on
Latest version of this security advisory is available from as Sun Alert 1000250.1.
Article ID : 1000250.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2003-09-29
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

sendmail(1M) Buffer Overflow Vulnerability in Address Parsing Function prescan()


Release Phase

Solaris 9 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id
4924036, 4925761

Date of Workaround Release

Date of Resolved Release


A local or remote unprivileged user may be able to gain unauthorized root access or cause a denial of service due to a buffer overflow in the sendmail(1M) daemon within the prescan() function.

This issue is described in CERT Vulnerability VU#784980 (see which is referenced in CERT Advisory CA-2003-25 (see

Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 7 without patch 107684-10
  • Solaris 8 without patch 110615-10
  • Solaris 9 without patch 113575-05

x86 Platform

  • Solaris 7 without patch 107685-10
  • Solaris 8 without patch 110616-10
  • Solaris 9 without patch 114137-04

Note: Solaris 2.6 will not be evaluated regarding the potential impact of the issue described in this Sun Alert document.

By default, all systems are potentially vulnerable to this issue. Systems are vulnerable if they have a sendmail daemon running. This can be confirmed by the following commands:

1) To determine if a sendmail process is running on the system, do the following:

    $ /usr/bin/ps -e | grep sendmail
20038 ?        0:03 sendmail

2) If there is a sendmail process present, the following command will confirm if the process is the sendmail daemon:

    $ /usr/bin/mconnect
connecting to host localhost (, port 25
connection open
220 ESMTP Sendmail 8.12.8+Sun/8.12.8; Wed, 5 Mar 2003
17:47:49 -0700 (MST)
214-2.0.0 This is sendmail version 8.12.8+Sun
214-2.0.0 Topics:
214-2.0.0       HELO    EHLO    MAIL    RCPT    DATA
214-2.0.0       RSET    NOOP    QUIT    HELP    VRFY
214-2.0.0       EXPN    VERB    ETRN    DSN
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation contact Sun
214-2.0.0 Technical Support.
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info
221 2.0.0 closing connection

Note: On sendmail version 8.12.x (available in Solaris 9) the file, "/etc/mail/helpfile", may have been modified by the system administrator which could obscure the version number.

3) If the sendmail daemon is not running (and therefore not available) the output from mconnect(1) would be:

    $ /usr/bin/mconnect
connecting to host localhost (, port 25
connect: Connection refused


There are no reliable symptoms that would show the described issue has been exploited to gain unauthorized root access to a host.


Until patches can be applied, sites may wish to block access to the affected service from untrusted networks such as the Internet or disable the daemon where possible. Use a firewall or other packet-filtering technology to block the appropriate network ports. Consult your vendor or your firewall documentation for detailed instructions on how to configure the ports.

To disable sendmail(1M) the following commands can be executed as root:

    # /etc/init.d/sendmail stop
# mv /etc/rc2.d/S88sendmail /etc/rc2.d/not-S88sendmail

This will prevent e-mail messages from being received on the system until sendmail(1M) is started again and re-enabled with the commands:

    # /etc/init.d/sendmail start
# mv /etc/rc2.d/not-S88sendmail /etc/rc2.d/S88sendmail


This issue is addressed in the following releases:

SPARC Platform

  • Solaris 7 with patch 107684-10 or later
  • Solaris 8 with patch 110615-10 or later
  • Solaris 9 with patch 113575-05 or later

x86 Platform

  • Solaris 7 with patch 107685-10 or later
  • Solaris 8 with patch 110616-10 or later
  • Solaris 9 with patch 114137-04 or later

Modification History
Date: 25-SEP-2003
  • Added "Note" to Contributing Factors

Date: 30-SEP-2003
  • Added BugID 4925761
  • State: Resolved
  • Updated Contributing Factors and Resolution sections with patches



This solution has no attachment