CVE-2003-0688
CVSS 5.0
Published: 2003-10-20 00:00:00
Revised: 2008-09-10 15:20:09
NMCOS    

[Original text] The DNS map code in Sendmail 8.12.8 and earlier, when using the "enhdnsbl" feature, does not properly initialize certain data structures, which allows remote attackers to cause a denial of service (process crash) via an invalid DNS response that causes Sendmail to free incorrect data.


[CNNVD] Sendmail dnsmap Remote Denial of Service Vulnerability (CNNVD-200310-027)

        
        Sendmail is a free, open-source mail transfer agent that runs on many Unix and Linux operating systems.
        Sendmail has a flaw in its handling of DNS maps; a remote attacker can exploit it to mount a denial-of-service attack against the sendmail service.
        If DNS maps are used in sendmail.cf, a certain amount of SMTP traffic can make sendmail crash at random. The log shows entries such as:
        sm-mta[90653]: ERROR: DNS RDLENGTH=63885 > data len=2468
        dns_parse_reply() builds a linked list of RESOURCE_RECORD_T structures. Because these structures are not initialized correctly, when sendmail receives a malformed DNS reply (the actual reply size differs from the announced size) the rr_next field of the last structure in the chain still holds garbage when dns_free_data (sm_resolve.c:227) is called. When dns_free_data() walks the chain to release the structures, that garbage makes sendmail call free() on a random address and crash; it may also be possible to use the flaw for arbitrary code execution, although this has not been confirmed.
        

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no special access conditions are needed to exploit the flaw]
Access vector: [--]
Authentication: NONE [no authentication is needed to exploit the flaw]

- CPE (affected platforms and products)

cpe:/o:sgi:irix:6.5.21  (SGI IRIX 6.5.21)
cpe:/o:compaq:tru64:5.1  (Compaq Tru64 5.1)
cpe:/o:freebsd:freebsd:5.0  (FreeBSD 5.0)
cpe:/a:sendmail:sendmail:8.12.5  (Sendmail Sendmail 8.12.5)
cpe:/o:freebsd:freebsd:4.6  (FreeBSD 4.6)
cpe:/a:sendmail:sendmail:8.12.1  (Sendmail Sendmail 8.12.1)
cpe:/a:sendmail:sendmail:8.12.6  (Sendmail Sendmail 8.12.6)
cpe:/a:redhat:sendmail:8.12.8-4::i386
cpe:/a:redhat:sendmail:8.12.5-7::i386_doc
cpe:/a:sendmail:sendmail:8.12.2  (Sendmail Sendmail 8.12.2)
cpe:/o:freebsd:freebsd:4.7  (FreeBSD 4.7)
cpe:/a:redhat:sendmail:8.12.8-4::i386_cf
cpe:/a:redhat:sendmail:8.12.5-7::i386_cf
cpe:/a:sendmail:sendmail:8.12.7  (Sendmail Sendmail 8.12.7)
cpe:/o:sgi:irix:6.5.19  (SGI IRIX 6.5.19)
cpe:/a:redhat:sendmail:8.12.5-7::i386
cpe:/o:freebsd:freebsd:4.8  (FreeBSD 4.8)
cpe:/a:redhat:sendmail:8.12.5-7::i386_dev
cpe:/a:redhat:sendmail:8.12.8-4::i386_doc
cpe:/o:openbsd:openbsd:3.2  (OpenBSD 3.2)
cpe:/a:sendmail:sendmail:8.12.4  (Sendmail Sendmail 8.12.4)
cpe:/a:sendmail:sendmail:8.12.3  (Sendmail Sendmail 8.12.3)
cpe:/a:redhat:sendmail:8.12.8-4::i386_dev
cpe:/o:sgi:irix:6.5.20  (SGI IRIX 6.5.20)
cpe:/o:compaq:tru64:5.0a  (Compaq Tru64 5.0a)
cpe:/a:sendmail:sendmail:8.12.8  (Sendmail Sendmail 8.12.8)

- OVAL (technical details for detection)

oval:org.mitre.oval:def:597  Denial of Service in Sendmail via the enhdnsbl Feature
*OVAL describes in detail how to detect this vulnerability; see the referenced OVAL definition for further technical detail on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0688
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0688
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200310-027
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/993452
(UNKNOWN)  CERT-VN  VU#993452
http://www.redhat.com/support/errata/RHSA-2003-265.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2003:265
http://www.sendmail.org/dnsmap1.html
(UNKNOWN)  CONFIRM  http://www.sendmail.org/dnsmap1.html
http://www.novell.com/linux/security/advisories/2003_035_sendmail.html
(UNKNOWN)  SUSE  SuSE-SA:2003:035
ftp://patches.sgi.com/support/free/security/advisories/20030803-01-P
(UNKNOWN)  SGI  20030803-01-P
http://www.mandriva.com/security/advisories?name=MDKSA-2003:086
(UNKNOWN)  MANDRAKE  MDKSA-2003:086
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000727
(UNKNOWN)  CONECTIVA  CLA-2003:727

- Vulnerability information

Sendmail dnsmap Remote Denial of Service Vulnerability
Medium severity    Design error
2003-10-20 00:00:00    2005-10-20 00:00:00
Remote
        
        

- Advisories and patches

        Vendor patches:
        SGI
        ---
        SGI has released a security advisory (20030803-01-P) and corresponding patches for this issue:
        20030803-01-P: Sendmail DNS Map Vulnerability
        Link: ftp://patches.sgi.com/support/free/security/advisories/20030803-01-P
        Sendmail 8.12.9 fixes this problem; alternatively, the following patch can be applied:
        --- sm_resolve.c.orig Fri Jun 28 00:43:24 2002
        +++ sm_resolve.c Thu Jul 10 01:21:17 2003
        @@ -233,6 +233,7 @@
         dns_free_data(r);
         return NULL;
         }
        + memset(*rr, 0, sizeof(**rr));
         (*rr)->rr_domain = sm_strdup(host);
         if ((*rr)->rr_domain == NULL)
         {
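Review bot: the memset is placed correctly (after the allocation-failure branch that calls dns_free_data(r) and returns NULL), but note what it changes for the very next error path: once `(*rr)->rr_domain = sm_strdup(host);` fails, the `if ((*rr)->rr_domain == NULL)` branch will hand dns_free_data() a tail record whose rr_domain, rr_data and rr_next are all zero, so confirm that dns_free_data() only ever passes those fields to free() (free(NULL) is defined) and never dereferences rr_domain. Consider also zeroing as part of the allocation itself (calloc-style) or adding a one-line comment that rr_next must be NULL before the record is reachable from the list, so a later refactor does not reorder the link and the memset and reintroduce the garbage-pointer walk.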
        SGI also provides patches; patch availability is as follows:
         OS Version     Vulnerable?  Patch #  Other Actions
         ----------     -----------  -------  -------------
         IRIX 3.x       unknown               Note 1
         IRIX 4.x       unknown               Note 1
         IRIX 5.x       unknown               Note 1
         IRIX 6.0.x     unknown               Note 1
         IRIX 6.1       unknown               Note 1
         IRIX 6.2       unknown               Note 1
         IRIX 6.3       unknown               Note 1
         IRIX 6.4       unknown               Note 1
         IRIX 6.5       no
         IRIX 6.5.1     no
         IRIX 6.5.2     no
         IRIX 6.5.3     no
         IRIX 6.5.4     no
         IRIX 6.5.5     no
         IRIX 6.5.6     no
         IRIX 6.5.7     no
         IRIX 6.5.8     no
         IRIX 6.5.9     no
         IRIX 6.5.10    no
         IRIX 6.5.11    no
         IRIX 6.5.12    no
         IRIX 6.5.13    no
         IRIX 6.5.14    no
         IRIX 6.5.15    no
         IRIX 6.5.16    no
         IRIX 6.5.17    no
         IRIX 6.5.18    no
         IRIX 6.5.19    yes          5287     Notes 2 & 3
         IRIX 6.5.20    yes          5287     Notes 2 & 3
         IRIX 6.5.21    yes          5287     Notes 2 & 3
         IRIX 6.5.22    no
        Notes:

        1) This release of IRIX is no longer maintained; please upgrade to a supported release. See

        http://support.sgi.com/irix/news/index.html#policy
for more information.
        2) If you have not yet received an IRIX 6.5.x CD for IRIX 6.5, contact SGI Support or visit:
        http://support.sgi.com

        

- Vulnerability information

6480
Sendmail DNS Map Code Remote DoS
Remote / Network Access  Denial of Service
Loss of Availability

- Description

- Timeline

2003-03-29 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- References

- Credit

Unknown or Incomplete

- Vulnerability information

Sendmail DNS Maps Remote Denial of Service Vulnerability
Design Error 8485
Yes No
2003-08-25 12:00:00 2009-07-11 11:56:00
Discovery of this vulnerability has been credited to Maurice Makaay of InterNLnet B.V.

- Affected program versions

SGI IRIX 6.5.21
SGI IRIX 6.5.20
SGI IRIX 6.5.19
SGI IRIX 6.5.18
SGI IRIX 6.5.17
SGI IRIX 6.5.16
SGI IRIX 6.5.15
SGI IRIX 6.5.14
SGI IRIX 6.5.13
SGI IRIX 6.5.12
SGI IRIX 6.5.11
SGI IRIX 6.5.10
SGI IRIX 6.5.9
SGI IRIX 6.5.8
SGI IRIX 6.5.7
SGI IRIX 6.5.6
SGI IRIX 6.5.5
SGI IRIX 6.5.4
SGI IRIX 6.5.3
SGI IRIX 6.5.2
SGI IRIX 6.5.1
SGI IRIX 6.5
Sendmail Consortium Sendmail 8.12.8
+ RedHat Linux 9.0 i386
+ RedHat Linux 8.0 i386
+ Yellow Dog Linux 3.0
Sendmail Consortium Sendmail 8.12.7
+ OpenPKG OpenPKG 1.2
+ Slackware Linux 8.1
+ SOTLinux SOTLinux 2003 Desktop
+ SOTLinux SOTLinux 2003 Server
Sendmail Consortium Sendmail 8.12.6
+ Apple Mac OS X 10.2.4
+ Conectiva Linux Enterprise Edition 1.0
+ FreeBSD FreeBSD 5.0
+ FreeBSD FreeBSD 4.7
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.0
+ OpenBSD OpenBSD 3.2
+ S.u.S.E. Linux 8.1
Sendmail Consortium Sendmail 8.12.5
+ Conectiva Linux 9.0
+ OpenBSD OpenBSD 3.2
Sendmail Consortium Sendmail 8.12.4
+ OpenBSD OpenBSD 3.2
+ Slackware Linux 8.1
+ Slackware Linux -current
Sendmail Consortium Sendmail 8.12.3
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ FreeBSD FreeBSD 4.6
+ S.u.S.E. Linux 8.0 i386
+ S.u.S.E. Linux 8.0
Sendmail Consortium Sendmail 8.12.2
+ Apple Mac OS X 10.2.3
+ Apple Mac OS X 10.2.2
+ Apple Mac OS X 10.2.1
+ Apple Mac OS X 10.2
+ Apple Mac OS X Server 10.2.3
+ Apple Mac OS X Server 10.2.2
+ Apple Mac OS X Server 10.2.1
+ Apple Mac OS X Server 10.2
+ OpenBSD OpenBSD 3.1
Sendmail Consortium Sendmail 8.12.1
+ HP MPE/iX 7.5
+ HP MPE/iX 7.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
RedHat sendmail-doc-8.12.8-4.i386.rpm
+ RedHat Linux 9.0 i386
RedHat sendmail-doc-8.12.5-7.i386.rpm
+ RedHat Linux 8.0 i386
RedHat sendmail-devel-8.12.8-4.i386.rpm
+ RedHat Linux 9.0 i386
RedHat sendmail-devel-8.12.5-7.i386.rpm
+ RedHat Linux 8.0 i386
RedHat sendmail-cf-8.12.8-4.i386.rpm
+ RedHat Linux 9.0 i386
RedHat sendmail-cf-8.12.5-7.i386.rpm
+ RedHat Linux 8.0 i386
RedHat sendmail-8.12.8-4.i386.rpm
+ RedHat Linux 9.0 i386
RedHat sendmail-8.12.5-7.i386.rpm
+ RedHat Linux 8.0 i386
OpenBSD OpenBSD 3.2
FreeBSD FreeBSD 5.0
FreeBSD FreeBSD 4.8
FreeBSD FreeBSD 4.7
FreeBSD FreeBSD 4.6
Compaq Tru64 5.1 b
Compaq Tru64 5.1 a
Compaq Tru64 5.1
Compaq Tru64 5.0 a

- Unaffected program versions

SGI IRIX 6.5.22
SGI IRIX 6.5.18
SGI IRIX 6.5.17
SGI IRIX 6.5.16
SGI IRIX 6.5.15
SGI IRIX 6.5.14
SGI IRIX 6.5.13
SGI IRIX 6.5.12
SGI IRIX 6.5.11
SGI IRIX 6.5.10
SGI IRIX 6.5.9
SGI IRIX 6.5.8
SGI IRIX 6.5.7
SGI IRIX 6.5.6
SGI IRIX 6.5.5
SGI IRIX 6.5.4
SGI IRIX 6.5.3
SGI IRIX 6.5.2
SGI IRIX 6.5.1
SGI IRIX 6.5
Sendmail Consortium Sendmail 8.12.9
+ Slackware Linux 9.0
+ Slackware Linux 8.1
+ Slackware Linux -current
OpenBSD OpenBSD 3.3

- Discussion

A potential vulnerability has been discovered in Sendmail 8.12.x versions prior to 8.12.9, when implementing the use of DNS Maps. The problem specifically lies in the fact that Sendmail fails to properly initialize dynamically allocated data, which may be referenced at a later time when freeing memory.

The problem occurs when an invalid DNS reply is returned, specifically one whose actual size differs from the size announced. This will cause Sendmail to enter a routine designed to free the final object from a list of the uninitialized structures. The structures are traversed until a NULL pointer is detected; however, due to the incorrect initialization the structures may contain garbage data, potentially triggering a call to free() on random data. This would effectively result in Sendmail dereferencing invalid data, causing it to crash.

Theoretically, if this data were to be controlled by an attacker at some point during execution, it may be possible to exploit this issue to execute arbitrary code. This however has not been confirmed.
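The failure mode described in the CNNVD text above (dns_parse_reply() building a RESOURCE_RECORD_T chain, dns_free_data() walking it into an uninitialised rr_next) and in the discussion here, modelled as an added C example. This is not Sendmail's code: the record layout is a constructed, simplified format rather than real DNS wire format, the struct and function names are borrowed from the advisory only for readability, the sample replies GOOD_REPLY and BAD_REPLY are constructed inline, and the fix is applied as calloc()-style zeroing of each node before it is linked, which has the same effect as the memset() in the SGI patch. BAD_REPLY announces the RDLENGTH 63885 from the quoted log line while only 2 bytes of data follow, so the error path that freed garbage in 8.12.8 is the one exercised.

```c
/* Added example, not Sendmail's code: models the list/free pattern behind
 * CVE-2003-0688 using a constructed, simplified record format (NOT real DNS):
 * [1 byte name length][name][2 bytes type BE][2 bytes RDLENGTH BE][RDATA]... */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct rr {
    char          *rr_domain;
    uint16_t       rr_type, rr_rdlength;
    unsigned char *rr_data;
    struct rr     *rr_next;   /* the tail node's rr_next must be NULL */
} RR_T;
typedef struct { RR_T *dns_r_head; int dns_r_nrr; } DNS_REPLY_T;

/* Frees the list, stopping only at a NULL rr_next. A malloc()ed node that was
 * never initialised carries stale heap bytes here: the advisory's crash. */
void dns_free_data(DNS_REPLY_T *r)
{
    RR_T *rr = r->dns_r_head;
    while (rr != NULL) {
        RR_T *next = rr->rr_next;
        free(rr->rr_domain);   /* free(NULL) is a no-op: half-built nodes are fine */
        free(rr->rr_data);
        free(rr);
        rr = next;
    }
    free(r);
}

static uint16_t get16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parses nrr records; on malformed input it releases the partial list with
 * dns_free_data() and returns NULL. That release was fatal in 8.12.8. */
DNS_REPLY_T *dns_parse_reply(const unsigned char *buf, size_t len, int nrr)
{
    DNS_REPLY_T *r = calloc(1, sizeof *r);
    if (r == NULL) return NULL;
    RR_T **rr = &r->dns_r_head;   /* where the next node gets linked */
    const unsigned char *p = buf;
    size_t left = len;
    for (int i = 0; i < nrr; i++) {
        if (left < 1 || left < (size_t)1 + p[0] + 4) {
            fprintf(stderr, "ERROR: DNS record header truncated, data len=%zu\n", left);
            dns_free_data(r);
            return NULL;
        }
        size_t namelen = p[0], hdr = 1 + namelen + 4;
        uint16_t rdlength = get16(p + 1 + namelen + 2);
        /* The length check behind the log line quoted in the description. */
        if (rdlength > left - hdr) {
            fprintf(stderr, "ERROR: DNS RDLENGTH=%u > data len=%zu\n",
                    (unsigned)rdlength, left - hdr);
            dns_free_data(r);
            return NULL;
        }
        /* Fix pattern: zero the node (calloc = malloc + memset 0) and link it
         * before filling it, so any later error path sees NULL, not garbage. */
        *rr = calloc(1, sizeof **rr);
        if (*rr == NULL) { dns_free_data(r); return NULL; }
        (*rr)->rr_domain = malloc(namelen + 1);
        if ((*rr)->rr_domain == NULL) { dns_free_data(r); return NULL; }
        memcpy((*rr)->rr_domain, p + 1, namelen);
        (*rr)->rr_domain[namelen] = '\0';
        (*rr)->rr_type = get16(p + 1 + namelen);
        (*rr)->rr_rdlength = rdlength;
        (*rr)->rr_data = malloc(rdlength + 1u);
        if ((*rr)->rr_data == NULL) { dns_free_data(r); return NULL; }
        memcpy((*rr)->rr_data, p + hdr, rdlength);
        r->dns_r_nrr++;
        rr = &(*rr)->rr_next;
        p += hdr + rdlength;
        left -= hdr + rdlength;
    }
    return r;
}

/* Constructed sample replies (not captured traffic). BAD_REPLY is GOOD_REPLY
 * with the second RDLENGTH set to 63885 (0xF98D) while only 2 bytes follow,
 * the same mismatch the advisory's log line reports. */
static const unsigned char GOOD_REPLY[] = {
    3, 'f', 'o', 'o', 0x00, 0x01, 0x00, 0x04, 10, 0, 0, 1,   /* foo A 10.0.0.1 */
    3, 'b', 'a', 'r', 0x00, 0x10, 0x00, 0x02, 'o', 'k' };    /* bar TXT "ok"  */
static const unsigned char BAD_REPLY[] = {
    3, 'f', 'o', 'o', 0x00, 0x01, 0x00, 0x04, 10, 0, 0, 1,
    3, 'b', 'a', 'r', 0x00, 0x10, 0xF9, 0x8D, 'o', 'k' };

/* Number of records parsed, or -1 if the reply was rejected. */
int parse_and_count(const unsigned char *buf, size_t len, int nrr)
{
    DNS_REPLY_T *r = dns_parse_reply(buf, len, nrr);
    if (r == NULL) return -1;
    int n = r->dns_r_nrr;
    dns_free_data(r);
    return n;
}
int demo_good(void)      { return parse_and_count(GOOD_REPLY, sizeof GOOD_REPLY, 2); }
int demo_bad(void)       { return parse_and_count(BAD_REPLY, sizeof BAD_REPLY, 2); }
int demo_truncated(void) { return parse_and_count(GOOD_REPLY, 5, 1); }

int main(void) { printf("good=%d bad=%d truncated=%d\n", demo_good(), demo_bad(), demo_truncated()); return 0; }
```

Build with any C99 compiler (for example `cc -Wall example.c`). demo_bad() writes the RDLENGTH error to stderr and returns -1, demo_good() returns 2, and the truncated call is rejected before any record is linked. The two properties that make the error path safe are both in dns_parse_reply(): a node is zeroed and reachable from the list before anything after it can fail, and dns_free_data() relies on nothing but NULL to stop walking.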

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

Red Hat has released an advisory (RHSA-2003:265-01) to address this issue. See referenced advisory for further detail regarding applying fixes.

SGI has released a security advisory containing a patch to address this issue in IRIX 6.5.19 - 6.5.21.

A patch has been released for OpenBSD 3.2; however, OpenBSD 3.3 was distributed with Sendmail 8.12.9 and therefore is not affected.

A patch has been released by FreeBSD to address this issue. It has been confirmed to work on FreeBSD 5.0, 4.8, 4.7, and 4.6 systems. Additional details regarding RELENG releases, and other fixed releases can be found in the attached FreeBSD advisory.

Mandrake Linux has released a security advisory containing fixes to address this issue.

Conectiva has released a security advisory (CLA-2003:727) that includes fixes to address this issue.

SOTLinux has released a security advisory (SLSA-2003:39) that includes fixes to address this issue.

HP has released a security bulletin (SSRT3612) for Tru64 UNIX that includes fixes for Sendmail. Please see the attached advisory for details on obtaining and applying fixes. It should be noted that this bulletin has been revised to state that Sendmail versions shipped with Tru64 UNIX 5.1A and 5.1B are not affected by this vulnerability.

This issue has been addressed in Sendmail 8.12.9 and users are urged to upgrade as soon as possible.


OpenBSD OpenBSD 3.2
RedHat sendmail-8.12.5-7.i386.rpm
RedHat sendmail-devel-8.12.8-4.i386.rpm
RedHat sendmail-doc-8.12.8-4.i386.rpm
RedHat sendmail-doc-8.12.5-7.i386.rpm
RedHat sendmail-cf-8.12.5-7.i386.rpm
RedHat sendmail-cf-8.12.8-4.i386.rpm
RedHat sendmail-devel-8.12.5-7.i386.rpm
RedHat sendmail-8.12.8-4.i386.rpm
FreeBSD FreeBSD 4.6
FreeBSD FreeBSD 4.7
FreeBSD FreeBSD 4.8
FreeBSD FreeBSD 5.0
SGI IRIX 6.5.19
SGI IRIX 6.5.20
SGI IRIX 6.5.21
Sendmail Consortium Sendmail 8.12.1
Sendmail Consortium Sendmail 8.12.2
Sendmail Consortium Sendmail 8.12.3
Sendmail Consortium Sendmail 8.12.4
Sendmail Consortium Sendmail 8.12.5
Sendmail Consortium Sendmail 8.12.6
Sendmail Consortium Sendmail 8.12.7
Sendmail Consortium Sendmail 8.12.8
