In Sendmail, attackers can gain root privileges via SMTP by specifying an improper "mail from" address and an invalid "rcpt to" address that would cause the mail to bounce to a program.
Sendmail, a widely used mail transfer agent, contains a critical flaw that lets an attacker obtain root privileges. Exploitation consists of crafting SMTP commands that force a mail bounce, which can lead to arbitrary code execution and complete compromise of the host, with severe impact on the confidentiality, integrity, and availability of affected systems.
Step 1: Malicious SMTP Command Injection: The attacker crafts an SMTP command sequence. This sequence includes a specially crafted 'mail from' address, potentially containing shell metacharacters or command injection payloads, and an invalid 'rcpt to' address, ensuring the email will bounce.
Step 2: Email Bounce Trigger: The Sendmail server attempts to deliver the email to the invalid recipient. Due to the invalid recipient, the email bounces back to the sender.
Step 3: Bounce Handler Exploitation: The bounce mechanism, designed to handle undeliverable mail, processes the bounced email. This process is where the vulnerability lies. The attacker's crafted 'mail from' address, containing malicious code, is interpreted or executed during the bounce handling process.
Step 4: Code Execution and Privilege Escalation: The malicious code within the 'mail from' address is executed, potentially leading to arbitrary command execution. Because Sendmail often runs with elevated privileges (e.g., root), this allows the attacker to gain root access to the system.
The vulnerability stems from insufficient input validation and improper handling of bounced mail within Sendmail. The program fails to adequately sanitize the 'mail from' and 'rcpt to' addresses supplied in SMTP commands, so an improper sender address combined with an invalid recipient forces a bounce, and the bounce mechanism can then be driven to invoke a program with elevated privileges. The root cause is the combination of flawed input validation and insecure handling of returned mail, which together amount to a command injection vulnerability.
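As an added illustration of the input-validation gap described above (this is example code, not Sendmail's own code and not from the original page), the following Python validator refuses envelope addresses that could be read as program delivery or shell input before any bounce is generated. The mailbox syntax is an assumed strict subset of RFC 5321, and the sample transcript and its program placeholder are constructed.

```python
import re

# A leading "|" in an address requests program delivery; the rest are shell
# metacharacters that must never reach delivery or bounce handling.
SHELL_META = set('|;&`$<>(){}\\"\'\n\r')
# Conservative mailbox whitelist (assumption: a strict subset of RFC 5321
# syntax chosen for illustration, not Sendmail's own address parser).
MAILBOX_RE = re.compile(r'^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$')
PATH_RE = re.compile(r'^(MAIL FROM|RCPT TO):\s*<(.*)>\s*$', re.IGNORECASE)

def parse_envelope_command(line):
    """Return (verb, path) for a MAIL FROM / RCPT TO line, else None."""
    m = PATH_RE.match(line.strip())
    return (m.group(1).upper(), m.group(2)) if m else None

def validate_envelope_address(verb, path):
    """Return (accepted, reason). The null reverse-path <> is legitimate on
    MAIL FROM (bounces are sent that way) but never on RCPT TO."""
    if path == "":
        return (verb == "MAIL FROM", "null reverse-path")
    bad = sorted(SHELL_META.intersection(path))
    if bad:
        return (False, "shell metacharacters: " + "".join(bad))
    if not MAILBOX_RE.match(path):
        return (False, "not a plain mailbox")
    return (True, "ok")

def audit_session(lines):
    """Walk an SMTP command transcript; list envelope addresses to refuse."""
    findings = []
    for n, line in enumerate(lines, 1):
        parsed = parse_envelope_command(line)
        if parsed is None:
            continue
        accepted, reason = validate_envelope_address(*parsed)
        if not accepted:
            findings.append((n, parsed[0], parsed[1], reason))
    return findings

# Constructed sample transcript (not captured traffic): line 4 carries a sender
# that must be refused before a bounce to the nonexistent recipient is built.
SAMPLE_SESSION = [
    "HELO relay.example",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.net>",
    "MAIL FROM:<|placeholder-program>",
    "RCPT TO:<nobody@nonexistent.invalid>",
    "MAIL FROM:<>",
]
```

Calling audit_session(SAMPLE_SESSION) reports only line 4; the undeliverable recipient on line 5 is syntactically clean, which is exactly why the sender address must be checked before the bounce is constructed rather than after.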