CVE-1999-1506

HIGH 7.5 / 10.0
Published: January 29, 1990 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

Vulnerability in SMI Sendmail 4.0 and earlier, on SunOS up to 4.0.3, allows remote attackers to access user bin.

CVSS Metrics

Base Score
7.5
Severity
HIGH
Vector String
AV:N/AC:L/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Remote attackers can gain unauthorized access to the bin directory on vulnerable SunOS systems running Sendmail 4.0 and earlier, leading to complete system compromise. This vulnerability allows for the execution of arbitrary commands with root privileges, posing a significant security risk to affected organizations.

02 // Vulnerability Mechanism

Step 1: Target Identification: The attacker identifies a vulnerable SunOS system running Sendmail 4.0 or earlier. This can be done through port scanning (port 25) and banner grabbing.

Step 2: Payload Delivery: The attacker crafts a malicious email or SMTP command containing a payload designed to exploit the Sendmail vulnerability. This payload typically includes commands to execute arbitrary code.

Step 3: Command Injection: The crafted payload is sent to the vulnerable Sendmail server. The server, due to the lack of input validation, processes the malicious commands within the payload.

Step 4: Privilege Escalation: The injected commands are executed with the privileges of the Sendmail process, which often runs with elevated permissions (e.g., root). This allows the attacker to execute arbitrary commands with root privileges.

Step 5: System Compromise: The attacker uses the elevated privileges to gain complete control of the system, including the ability to read and modify files, install backdoors, and launch further attacks.

03 // Deep Technical Analysis

The vulnerability stems from a flaw in how Sendmail 4.0 and earlier handles user input, specifically related to the processing of commands and arguments passed to the mail server. The root cause is a lack of proper input validation and sanitization, allowing attackers to inject malicious commands. This can be achieved through a variety of methods, including crafted email headers or SMTP commands. The absence of robust access controls and the inherent trust placed in the mail server by the operating system further exacerbate the issue, enabling attackers to escalate their privileges and gain complete control of the system. The specific function or logic flaw is related to how Sendmail parses and executes commands, allowing for command injection and privilege escalation.
