CVE-1999-0130

HIGH 7.2 / 10.0
Published: November 16, 1996 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

Local users can start Sendmail in daemon mode and gain root privileges.

CVSS Metrics

Base Score: 7.2
Severity: HIGH
Vector String: AV:L/AC:L/Au:N/C:C/I:C/A:C

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Sendmail, a widely used mail transfer agent, is vulnerable to a local privilege escalation. An attacker can exploit a flaw in Sendmail's daemon startup process to gain root access, potentially compromising the entire system. This vulnerability highlights the importance of secure configuration and regular patching of critical infrastructure components.

02 // Vulnerability Mechanism

Step 1: Local Access: The attacker must first have local access to the vulnerable system, either through a compromised account or physical access.

Step 2: Daemon Startup: The attacker executes a command to start Sendmail in daemon mode, typically using a command-line utility or a script.

Step 3: Malicious Argument Injection: The attacker crafts a command-line argument that, when processed by Sendmail, leads to the execution of arbitrary code. This could involve manipulating configuration files, logging options, or other parameters that are processed with root privileges.

Step 4: Code Execution: Sendmail, running with root privileges, processes the malicious argument, leading to the execution of attacker-controlled code, such as a shell or a payload to gain full root access.

Step 5: Privilege Escalation: The attacker's code executes with root privileges, allowing them to modify system files, install backdoors, and gain complete control of the system.

03 // Deep Technical Analysis

The vulnerability stems from a design flaw in Sendmail's handling of command-line arguments when starting in daemon mode. Specifically, the lack of proper input validation allows a local user to inject malicious arguments, such as those related to configuration files or logging, that are then executed with root privileges. This can lead to arbitrary code execution. The root cause is a combination of insufficient input sanitization and a privileged context for the daemon process, allowing an attacker to manipulate the daemon's behavior and gain elevated privileges. The vulnerability is not a buffer overflow in the traditional sense, but rather a command injection vulnerability.
