Sendmail decode alias can be used to overwrite sensitive files.
Sendmail's decode alias, a legacy feature, allows an attacker to overwrite arbitrary files on a vulnerable server, which can lead to complete system compromise. The vulnerability, dating back to the late 90s, presents a significant risk because of its potential for remote code execution and data exfiltration. Exploitation is straightforward, which makes the alias a prime target for attackers seeking initial access or privilege escalation.
Step 1: Craft Malicious Email: The attacker crafts an email containing a uuencoded file. This file is designed to overwrite a critical system file, such as /etc/passwd or a configuration file.
Step 2: Send Email to Vulnerable Server: The attacker sends the crafted email to the vulnerable Sendmail server, typically targeting an address that triggers the decode alias.
Step 3: Sendmail Processing: Sendmail receives the email and, due to the configuration of the decode alias, attempts to decode the uuencoded file.
Step 4: Path Manipulation: The attacker has control over the output file path specified within the uuencoded data. This allows them to specify a target file to be overwritten.
Step 5: File Overwrite: Sendmail, lacking proper input validation, writes the decoded data to the attacker-specified file path, overwriting the target file.
Step 6: System Compromise: Depending on the overwritten file, the attacker gains control of the system. Overwriting /etc/passwd allows for password reset and root access. Overwriting configuration files can lead to remote code execution.
The vulnerability stems from a flaw in how Sendmail handles the decode alias. The alias exists to decode uuencoded mail, but the data it decodes is never validated or sanitized. When a crafted email carrying a malicious uuencoded file reaches the server, Sendmail processes the alias and decodes the file, and because nothing checks the destination, the attacker chooses the output path and can overwrite critical system files such as /etc/passwd or /etc/shadow, leading to account compromise and full system takeover. The root cause is therefore a path traversal weakness combined with missing input validation on the destination file path: the attacker can write to any location on the filesystem that the Sendmail process can reach, and that process typically runs with root privileges.
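The practical defence against the attack walked through in the steps above and in the root-cause paragraph is to make sure no alias on the host still pipes mail into a uudecode binary. The script below is an added example written for this page, not Sendmail's own code or a vendor tool: it audits an /etc/aliases-style file for the decode alias (or any alias whose delivery pipes to uudecode) and writes a hardened copy with those entries commented out. It assumes the classic alias syntax name: "|/path/to/command"; the sample aliases file it scans is constructed for the demo and is not taken from a real host.

```shell
#!/bin/sh
# Added defensive example (not Sendmail's own code): audit an /etc/aliases-style
# file for the legacy "decode" alias, or any alias piping mail into uudecode,
# and write a hardened copy with those entries commented out.
# Assumption: aliases use the classic  name: "|/path/to/command"  form.

# write_sample_aliases FILE  -- constructed sample input for the demo/test
write_sample_aliases() {
    cat > "$1" <<'EOF'
# constructed sample aliases file
postmaster: root
decode: "|/usr/bin/uudecode"
Decode: "|/usr/local/bin/uudecode"
nobody: /dev/null
#decode: "|/usr/bin/uudecode"
webmaster: root
EOF
}

# find_decode_aliases FILE
# Print every active (uncommented) alias line that is either named "decode"
# or pipes its mail into a uudecode binary. Exits non-zero when nothing
# matched, following grep semantics.
find_decode_aliases() {
    grep -E -i \
        '^[[:space:]]*(decode[[:space:]]*:|[^#[:space:]].*[|][^|]*uudecode)' \
        "$1"
}

# count_decode_aliases FILE  -- number of matching active lines (0 if none)
count_decode_aliases() {
    n=$(find_decode_aliases "$1" | wc -l | tr -d ' ')
    echo "${n:-0}"
}

# disable_decode_aliases SRC DST
# Copy SRC to DST with each matching alias line commented out and tagged.
# After installing the hardened file as /etc/aliases, run newaliases so the
# aliases database no longer contains the decode entry.
disable_decode_aliases() {
    awk '
        tolower($0) ~ /^[[:space:]]*decode[[:space:]]*:/ ||
        ($0 !~ /^[[:space:]]*#/ && tolower($0) ~ /[|][^|]*uudecode/) {
            print "# disabled by aliases audit: " $0
            next
        }
        { print }
    ' "$1" > "$2"
}

# Stand-alone demo on the constructed sample (replace with /etc/aliases on a host).
SAMPLE=$(mktemp); HARDENED=$(mktemp)
write_sample_aliases "$SAMPLE"
echo "active decode/uudecode aliases found: $(count_decode_aliases "$SAMPLE")"
find_decode_aliases "$SAMPLE" || true
disable_decode_aliases "$SAMPLE" "$HARDENED"
echo "after hardening: $(count_decode_aliases "$HARDENED")"
rm -f "$SAMPLE" "$HARDENED"
```

Run it against the real /etc/aliases (and any additional alias files named in sendmail.cf) rather than the sample; a non-zero count means a delivery path still exists that hands attacker-controlled uuencoded data to uudecode as the Sendmail user. Commenting the alias out is only effective once newaliases has rebuilt the database.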