CVE-1999-0129

MEDIUM 4.6 / 10.0
Published: December 3, 1996 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file.

CVSS Metrics

Base Score: 4.6
Severity: MEDIUM
Vector String: AV:L/AC:L/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Sendmail, a widely used mail transfer agent, is vulnerable to local privilege escalation. Attackers can exploit this flaw by manipulating .forward or :include: files to gain group-level permissions, potentially leading to complete system compromise and data exfiltration. The vulnerability allows unauthorized modification of system files and execution of arbitrary commands with elevated privileges.

02 // Vulnerability Mechanism

Step 1: File Creation: The attacker creates a malicious .forward or :include: file in their home directory. This file contains commands designed to write to a system file or execute a privileged command.

Step 2: Triggering Sendmail: The attacker sends an email to their own account or another account configured to use the malicious .forward or :include: file. This triggers Sendmail to process the file.

Step 3: Privilege Escalation: Sendmail, running with the group privileges of mail or smmsp, executes the commands in the malicious file. The commands write to a system file (e.g., /etc/passwd) or execute a privileged command, effectively granting the attacker elevated privileges.

Step 4: System Compromise: The attacker uses the newly acquired privileges to gain control of the system, potentially installing backdoors, stealing data, or disrupting services.

03 // Deep Technical Analysis

The vulnerability stems from Sendmail's insecure handling of .forward and :include: files. When Sendmail processes these files to forward mail or to include additional recipient lists, it often does so with the group privileges of the mail or smmsp user, depending on the system configuration. The root cause is a lack of proper input validation and access control when these files are processed. An attacker can create a malicious .forward or :include: file that, when processed by Sendmail, writes to a system file with the group privileges of the Sendmail process. This allows the attacker to overwrite critical system files, such as /etc/passwd or /etc/shadow, or to execute arbitrary commands with elevated privileges. The flaw is not a specific buffer overflow or race condition, but rather a design flaw in how Sendmail handles file permissions and user input when processing these files.
