
Sendmail DNS Maps Remote Denial-of-Service Vulnerability


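Published: 2003-09-01
Updated: 2003-09-01
Severity:
Threat level: Remote denial of service
Error type: Failure to handle exceptional conditions
Exploitation mode: Server mode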

BUGTRAQ ID:8485
CVE(CAN) ID: CAN-2003-0688

Affected systems
Compaq Tru64 5.0 a
Compaq Tru64 5.1 b
Compaq Tru64 5.1 a
Compaq Tru64 5.1
FreeBSD FreeBSD 4.6
FreeBSD FreeBSD 4.7
FreeBSD FreeBSD 4.8
FreeBSD FreeBSD 5.0
OpenBSD OpenBSD 3.2
RedHat sendmail-8.12.5-7.i386.rpm
   + RedHat Linux 8.0 i386
RedHat sendmail-8.12.8-4.i386.rpm
   + RedHat Linux 9.0 i386
RedHat sendmail-cf-8.12.5-7.i386.rpm
   + RedHat Linux 8.0 i386
RedHat sendmail-cf-8.12.8-4.i386.rpm
   + RedHat Linux 9.0 i386
RedHat sendmail-devel-8.12.5-7.i386.rpm
   + RedHat Linux 8.0 i386
RedHat sendmail-devel-8.12.8-4.i386.rpm
   + RedHat Linux 9.0 i386
RedHat sendmail-doc-8.12.5-7.i386.rpm
   + RedHat Linux 8.0 i386
RedHat sendmail-doc-8.12.8-4.i386.rpm
   + RedHat Linux 9.0 i386
Sendmail Consortium Sendmail 8.12.1
   + HP MPE/iX 7.0
   + HP MPE/iX 7.5
   + MandrakeSoft Linux Mandrake 8.2
   + MandrakeSoft Linux Mandrake 8.2 ppc
Sendmail Consortium Sendmail 8.12.2
   + Apple MacOS X 10.2
   + Apple MacOS X 10.2.1
   + Apple MacOS X 10.2.2
   + Apple MacOS X 10.2.3
   + Apple MacOS X Server 10.2
   + Apple MacOS X Server 10.2.1
   + Apple MacOS X Server 10.2.2
   + Apple MacOS X Server 10.2.3
   + OpenBSD OpenBSD 3.1
Sendmail Consortium Sendmail 8.12.3
   + Debian Linux 3.0
   + Debian Linux 3.0 alpha
   + Debian Linux 3.0 arm
   + Debian Linux 3.0 hppa
   + Debian Linux 3.0 ia-32
   + Debian Linux 3.0 ia-64
   + Debian Linux 3.0 m68k
   + Debian Linux 3.0 mips
   + Debian Linux 3.0 mipsel
   + Debian Linux 3.0 ppc
   + Debian Linux 3.0 s/390
   + Debian Linux 3.0 sparc
   + FreeBSD FreeBSD 4.6
   + S.u.S.E. Linux 8.0
   + S.u.S.E. Linux 8.0 i386
Sendmail Consortium Sendmail 8.12.4
   + OpenBSD OpenBSD 3.2
   + Slackware Linux -current
   + Slackware Linux 8.1
Sendmail Consortium Sendmail 8.12.5
   + Conectiva Linux 9.0
   + OpenBSD OpenBSD 3.2
Sendmail Consortium Sendmail 8.12.6
   + Apple MacOS X 10.2.4
   + FreeBSD FreeBSD 4.7
   + FreeBSD FreeBSD 5.0
   + MandrakeSoft Corporate Server 2.1
   + MandrakeSoft Linux Mandrake 9.0
   + OpenBSD OpenBSD 3.2
   + S.u.S.E. Linux 8.1
Sendmail Consortium Sendmail 8.12.7
   + OpenPKG OpenPKG 1.2
   + Slackware Linux 8.1
   + SOTLinux SOTLinux 2003 Desktop
   + SOTLinux SOTLinux 2003 Server
Sendmail Consortium Sendmail 8.12.8
   + RedHat Linux 8.0 i386
   + RedHat Linux 9.0 i386
SGI IRIX 6.5.19
SGI IRIX 6.5.20
SGI IRIX 6.5.21
Unaffected systems
OpenBSD OpenBSD 3.3
Sendmail Consortium Sendmail 8.12.9
SGI IRIX 6.5
SGI IRIX 6.5.1
SGI IRIX 6.5.2
SGI IRIX 6.5.3
SGI IRIX 6.5.4
SGI IRIX 6.5.5
SGI IRIX 6.5.6
SGI IRIX 6.5.7
SGI IRIX 6.5.8
SGI IRIX 6.5.9
SGI IRIX 6.5.10
SGI IRIX 6.5.11
SGI IRIX 6.5.12
SGI IRIX 6.5.13
SGI IRIX 6.5.14
SGI IRIX 6.5.15
SGI IRIX 6.5.16
SGI IRIX 6.5.17
SGI IRIX 6.5.18
SGI IRIX 6.5.22
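Detailed description
sendmail 8.12.8 and earlier are affected by this vulnerability; 8.12.9 is not affected.

If you use DNS maps in your sendmail.cf file, heavy SMTP traffic may cause sendmail to crash at random. Searching the mail log will show messages like the following: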

sm-mta[90653]: ERROR: DNS RDLENGTH=63885 > data len=2468

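The problem is in dns_parse_reply(), where sendmail builds a chain of RESOURCE_RECORD_T structures. Because these structures are not initialized correctly, if sendmail receives a malformed DNS reply (actual reply size != announced reply size) it calls dns_free_data (sm_resolve.c:227) while the rr_next field of the last structure in the chain is filled with garbage. dns_free_data() then tries to free the chain, follows the garbage in rr_next, and frees a random address, which can cause a crash.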
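
A simplified model of the record-chain handling described above, written as an added example (not sendmail's code and not part of the original advisory): each node is zero-initialized before it is linked, so the free routine can safely walk a partly built chain after a length mismatch. The struct fields, the names `rr_parse` and `rr_free_chain`, and the two-byte length framing are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>
/* Simplified stand-in for RESOURCE_RECORD_T; field set is an assumption. */
typedef struct rr {
    struct rr *rr_next;
    unsigned char *rr_data;
    size_t rr_len;
} rr_t;

static int freed_nodes; /* instrumentation for this example only */

/* Walks the chain; safe only if every rr_next is NULL or a real node. */
static void rr_free_chain(rr_t *head) {
    while (head != NULL) {
        rr_t *next = head->rr_next;
        free(head->rr_data);
        free(head);
        freed_nodes++;
        head = next;
    }
}

/* Parses constructed records of the form [2-byte big-endian length][data]
   (not real DNS wire format). Returns the chain, or NULL if malformed. */
static rr_t *rr_parse(const unsigned char *buf, size_t len) {
    rr_t *head = NULL, **tail = &head;
    size_t off = 0;
    while (off < len) {
        /* calloc zeroes rr_next, so a partly built chain is NULL-terminated;
           the flawed pattern is malloc() with rr_next left unset. */
        rr_t *rr = calloc(1, sizeof(*rr));
        if (rr == NULL) goto fail;
        *tail = rr;
        tail = &rr->rr_next;
        if (len - off < 2) goto fail;
        size_t rdlen = ((size_t)buf[off] << 8) | buf[off + 1];
        off += 2;
        if (rdlen > len - off) goto fail; /* announced > actual size */
        rr->rr_data = malloc(rdlen ? rdlen : 1);
        if (rr->rr_data == NULL) goto fail;
        memcpy(rr->rr_data, buf + off, rdlen);
        rr->rr_len = rdlen;
        off += rdlen;
    }
    return head;
fail:
    rr_free_chain(head);
    return NULL;
}
```
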

Test code
None available yet

Solution
Upgrade:

Sendmail Consortium Sendmail 8.12.1:

Sendmail Consortium Upgrade sendmail.8.12.9.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.gz

Sendmail Consortium Sendmail 8.12.2:

Sendmail Consortium Upgrade sendmail.8.12.9.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.gz

Sendmail Consortium Sendmail 8.12.3:

Sendmail Consortium Upgrade sendmail.8.12.9.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.gz

Sendmail Consortium Sendmail 8.12.4:

Sendmail Consortium Upgrade sendmail.8.12.9.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.gz

Sendmail Consortium Sendmail 8.12.5:

Sendmail Consortium Upgrade sendmail.8.12.9.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.gz

Sendmail Consortium Sendmail 8.12.6:

Sendmail Consortium Upgrade sendmail.8.12.9.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.gz

Sendmail Consortium Sendmail 8.12.7:

Sendmail Consortium Upgrade sendmail.8.12.9.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.gz

Sendmail Consortium Sendmail 8.12.8:

Sendmail Consortium Upgrade sendmail.8.12.9.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.gz

Related information
References: http://www.securityfocus.com/advisories/5733
http://www.securityfocus.com/advisories/5754
http://www.securityfocus.com/advisories/5737
http://www.securityfocus.com/advisories/5746
http://www.securityfocus.com/advisories/5748
http://www.securityfocus.com/advisories/5747
http://www.securityfocus.com/advisories/5774
http://www.securityfocus.com/advisories/5741
http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/54367
http://www.sendmail.org/dnsmap1.html
http://www.openbsd.org/errata32.html
http://www.sotlinux.org/en/sotlinux/sa/2003/2003-0019.php