woutiir
Sep 21 2003, 02:31 PM
Ok, as we all know there is a vuln found in sendmail. I'll paste the advisory here:
| QUOTE |
Package: sendmail
Vulnerability: remote root exploit
OpenPKG Specific: no

Affected Releases   Affected Packages               Corrected Packages
OpenPKG CURRENT     <= sendmail-8.12.9-20030801     >= sendmail-8.12.10-20030917
OpenPKG 1.3         <= sendmail-8.12.9-1.3.0        >= sendmail-8.12.9-1.3.1
OpenPKG 1.2         <= sendmail-8.12.7-1.2.3        >= sendmail-8.12.7-1.2.4

Dependent Packages: none
Description: According to a confirmed [1] security advisory from Michal Zalewski [2], a remotely exploitable vulnerability exists in all versions prior to 8.12.10 of the Sendmail [0] MTA. An error in its prescan() function could allow an attacker to write past the end of a buffer, corrupting memory structures. Depending on platform and operating system architecture, the attacker may be able to execute arbitrary code with a specially crafted email message. The email attack vector is message-oriented as opposed to connection-oriented. This means that the vulnerability is triggered by the contents of a specially crafted email message rather than by lower-level network traffic. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0694 [3] to the problem.
Additionally, we have included a fix for a potential buffer overflow in Sendmail's ruleset parsing. This problem is not exploitable in the default Sendmail configuration; it is exploitable only if non-standard rulesets recipient (2), final (4), or mailer-specific envelope recipients rulesets are used. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0681 [4] to this problem.
Please check whether you are affected by running "<prefix>/bin/rpm -q sendmail". If you have the "sendmail" package installed and its version is affected (see above), we recommend that you immediately upgrade it (see Solution) [5][6].
Solution: Select the updated source RPM appropriate for your OpenPKG release [7][8], fetch it from the OpenPKG FTP service [9][10] or a mirror location, verify its integrity [11], build a corresponding binary RPM from it [5] and update your OpenPKG installation by applying the binary RPM [6]. For the current release OpenPKG 1.3, perform the following operations to permanently fix the security problem (for other releases adjust accordingly).
$ ftp ftp.openpkg.org
ftp> bin
ftp> cd release/1.3/UPD
ftp> get sendmail-8.12.9-1.3.1.src.rpm
ftp> bye
$ <prefix>/bin/rpm -v --checksig sendmail-8.12.9-1.3.1.src.rpm
$ <prefix>/bin/rpm --rebuild sendmail-8.12.9-1.3.1.src.rpm
$ su -
# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/sendmail-8.12.9-1.3.1.*.rpm

References:
[0] http://www.sendmail.org/
[1] http://www.sendmail.org/8.12.10.html
[2] http://www.securityfocus.com/archive/1/337...16/2003-09-22/0
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2003-0694
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2003-0681
[5] http://www.openpkg.org/tutorial.html#regular-source
[6] http://www.openpkg.org/tutorial.html#regular-binary
[7] ftp://ftp.openpkg.org/release/1.2/UPD/sen...7-1.2.4.src.rpm
[8] ftp://ftp.openpkg.org/release/1.3/UPD/sen...9-1.3.1.src.rpm
[9] ftp://ftp.openpkg.org/release/1.2/UPD/
[10] ftp://ftp.openpkg.org/release/1.3/UPD/
[11] http://www.openpkg.org/security.html#signature
|
Have a look at it and gain as much info as you can.
We need to find out what's EXACTLY wrong, so where the overflow is located and with what parameters we can overflow it. I'm gonna have a look at it.
Greetings,
woutiir
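The advisory's "check whether you are affected" step is a version comparison against its Affected/Corrected table. The following is an added example (not from the original post or from OpenPKG) that parses the `rpm -q sendmail` name-version-release string and decides whether the package falls at or below the affected bound for its OpenPKG line; the package strings at the bottom are constructed sample values, and the guess of the release line from the rpm release field (date stamp means CURRENT) is an assumption.

```python
"""Check an OpenPKG sendmail package against the advisory table above.

Added example, not part of the original post or the OpenPKG advisory. The
bounds are copied from the advisory's Affected/Corrected columns; the sample
package strings checked at the bottom are constructed.
"""
import re

# release line -> (last affected package, first corrected package), per advisory
ADVISORY = {
    "CURRENT": ("sendmail-8.12.9-20030801", "sendmail-8.12.10-20030917"),
    "1.3": ("sendmail-8.12.9-1.3.0", "sendmail-8.12.9-1.3.1"),
    "1.2": ("sendmail-8.12.7-1.2.3", "sendmail-8.12.7-1.2.4"),
}

_PKG_RE = re.compile(r"^(?P<name>[a-z]+)-(?P<ver>[0-9.]+)-(?P<rel>[0-9.]+)$")


def parse_pkg(pkg):
    """Split 'sendmail-8.12.9-1.3.0' into ('sendmail', (8, 12, 9), (1, 3, 0)).

    The CURRENT line carries a date stamp as release, e.g. 20030801 -> (20030801,).
    """
    m = _PKG_RE.match(pkg.strip())
    if not m:
        raise ValueError("not an rpm name-version-release string: %r" % pkg)
    ver = tuple(int(x) for x in m.group("ver").split("."))
    rel = tuple(int(x) for x in m.group("rel").split("."))
    return m.group("name"), ver, rel


def openpkg_line(rel):
    """Assumption: a single 8-digit date-like release field means a CURRENT snapshot."""
    if len(rel) == 1 and rel[0] >= 20000101:
        return "CURRENT"
    return "%d.%d" % rel[:2]


def is_affected(pkg):
    """True if (version, release) is at or below the advisory's affected bound."""
    name, ver, rel = parse_pkg(pkg)
    if name != "sendmail":
        raise ValueError("advisory covers only the sendmail package")
    line = openpkg_line(rel)
    if line not in ADVISORY:
        raise ValueError("release line %s is not covered by the advisory" % line)
    _, aff_ver, aff_rel = parse_pkg(ADVISORY[line][0])
    # tuple comparison orders version first, then the release field
    return (ver, rel) <= (aff_ver, aff_rel)


if __name__ == "__main__":
    for sample in ("sendmail-8.12.9-1.3.0", "sendmail-8.12.9-1.3.1",
                   "sendmail-8.12.9-20030801", "sendmail-8.12.7-1.2.2"):
        print(sample, "AFFECTED" if is_affected(sample) else "corrected")
```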
woutiir
Sep 21 2003, 03:12 PM
First I wanna try a local exploitation of this bug.
Info I found:
| QUOTE |
Local exploitation on little endian Linux is confirmed to be trivial via recipient.c and sendtolist(), with a pointer overwrite leading to a neat case of free() on user-supplied data, i.e.:
eip = 0x40178ae2
edx = 0x41414141
esi = 0x61616161
SEGV in chunk_free (ar_ptr=0x4022a160, p=0x81337e0) at malloc.c:3242
0x40178ae2 <chunk_free+486>: mov %esi,0xc(%edx)
0x40178ae5 <chunk_free+489>: mov %edx,0x8(%esi)
Remote attack is believed to be possible.
|
Tho what I need to know is with what parameters I get to overwrite the pointer...
Let me know if you already know.
Gr. woutiir
GAN_GR33N
Sep 21 2003, 06:46 PM
Well, I'm on it.
Will post back as soon as I have anything.
GAN_GR33N
Sep 21 2003, 06:57 PM
Well, I found this at SecurityFocus:
http://www.securityfocus.com/bid/7230
It also has 2 exploits with it, but one of them is local and they only work on 2 or 3 flavors.
I think this may help us as a first project. Later I will set up a sendmail server on RedHat 7.0 and PM those who are interested in testing.
woutiir
Sep 21 2003, 07:07 PM
That's the old exploit. This one is new. No public sendmail code out there yet.
Gr. woutiir
GAN_GR33N
Sep 21 2003, 08:33 PM
Whoops, sorry bro.
I'll keep looking for info.
shaun2k2
Sep 22 2003, 04:02 PM
Okay, nice project, but I might add that this bug might not be exploitable.
Think back to school, remember what the first step in any project is? Research. First, we must research the known facts regarding the vulnerability, then blackbox test the sendmail daemon, and if found possibly exploitable, release any new information we have found, along with exploit code we have produced.
We need to organise these projects properly, we could get an IRC chat running, or we could post here. Real-time is sometimes better than bulletin board posting.
Thank you for your time.
Shaun.
woutiir
Sep 22 2003, 02:29 PM
Both:
Nope... We're trying to make our own remote and local exploit for this bug. It's a new bug where no public exploit is available yet. The difference with the exploits you posted is that version 8.12.9 is vulnerable as well, unlike the 8.12.8 one, which says that it's fixed in 8.12.9... Since there is a new bug found, see the adv. I posted for more info on it.
Gr. woutiir
ComSec
Sep 22 2003, 03:11 PM
woutiir, thanks for the feedback.... You both know what you're after, bud... Am watching with interest... as a sideline observer...

Cheers
edited and removed codes
woutiir
Sep 22 2003, 05:46 PM
Agree,
Tho, local exploitation is 100% possible, since the example shows us a pointer overwrite which we could exploit.

Gr. woutiir
woutiir
Sep 22 2003, 07:32 PM
| QUOTE |
Two vulnerabilities were reported in sendmail.
- CAN-2003-0681
A "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets (1) recipient (2), final, or (3) mailer-specific envelope recipients, has unknown consequences.
- CAN-2003-0694
The prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c.
|
Anyone found out how this recipients bug works and how to let it overwrite the buffer? Or have a test server? I couldn't get sendmail to work, so a test server would be very helpful so I can test some things out.
Thnx,
woutiir