Forums: Sendmail Bug - Forums


Sendmail Bug First Mission!

#1 User is offline   woutiir 

  • Corporal
  • Icon
  • Group: Specialist
  • Posts: 161
  • Joined: 31-July 03

Posted 21 September 2003 - 06:31 AM

Ok, as we all know there is a vuln found in sendmail. I'll paste the advisory here:

Quote

Package: sendmail
Vulnerability: remote root exploit
OpenPKG Specific: no


Affected Releases:   Affected Packages:              Corrected Packages:
OpenPKG CURRENT      <= sendmail-8.12.9-20030801     >= sendmail-8.12.10-20030917
OpenPKG 1.3          <= sendmail-8.12.9-1.3.0        >= sendmail-8.12.9-1.3.1
OpenPKG 1.2          <= sendmail-8.12.7-1.2.3        >= sendmail-8.12.7-1.2.4


Dependent Packages: none


Description:
  According to a confirmed [1]security advisory from Michal Zalewski
  [2], a remotely exploitable vulnerability exists in all versions
  prior to 8.12.10 of the Sendmail [0] MTA. An error in its prescan()
  function could allow an attacker to write past the end of a buffer,
  corrupting memory structures. Depending on platform and operating
  system architecture, the attacker may be able to execute arbitrary
  code with a specially crafted email message.
 
  The email attack vector is message-oriented as opposed to
  connection-oriented. This means that the vulnerability is triggered
  by the contents of a specially crafted email message rather than by
  lower-level network traffic. The Common Vulnerabilities and Exposures
  (CVE) project assigned the id CAN-2003-0694 [3] to the problem.


  Additionally, we have included a fix for a potential buffer overflow
  in Sendmail's ruleset parsing. This problem is not exploitable in the
  default Sendmail configuration; it is exploitable only if non-standard
  rulesets recipient (2), final (4), or mailer-specific envelope
  recipients rulesets are used. The Common Vulnerabilities and Exposures
  (CVE) project assigned the id CAN-2003-0681 [4] to this problem.


  Please check whether you are affected by running "<prefix>/bin/rpm
  -q sendmail". If you have the "sendmail" package installed and its
  version is affected (see above), we recommend that you immediately
  upgrade it (see Solution) [5][6]


Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [7][8], fetch it from the OpenPKG FTP service [9][10] or a mirror
  location, verify its integrity [11], build a corresponding binary
  RPM from it [5] and update your OpenPKG installation by applying the
  binary RPM [6]. For the current release OpenPKG 1.3, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).


  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.3/UPD
  ftp> get sendmail-8.12.9-1.3.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig sendmail-8.12.9-1.3.1.src.rpm
  $ <prefix>/bin/rpm --rebuild sendmail-8.12.9-1.3.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/sendmail-8.12.9-1.3.1.*.rpm
________________________________________________________________________


References:
  [0] http://www.sendmail.org/
  [1] http://www.sendmail.org/8.12.10.html
  [2] http://www.securityf...16/2003-09-22/0
  [3] http://cve.mitre.org...e=CAN-2003-0694
  [4] http://cve.mitre.org...e=CAN-2003-0681
  [5] http://www.openpkg.o...#regular-source
  [6] http://www.openpkg.o...#regular-binary
  [7] ftp://ftp.openpkg.or...7-1.2.4.src.rpm
  [8] ftp://ftp.openpkg.or...9-1.3.1.src.rpm
  [9] ftp://ftp.openpkg.org/release/1.2/UPD/
  [10] ftp://ftp.openpkg.org/release/1.3/UPD/
  [11] http://www.openpkg.o....html#signature
________________________________________________________________________


Have a look at it and gain as much info as you can.

We need to find out what's EXACTLY wrong, so where the overflow is located and with what parameters we can overflow it. I'm gonna have a look at it.

Greetings,
woutiir
0
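The advisory's "check whether you are affected" step is a version comparison against the table above. The following is an added example (not OpenPKG's own tooling and not part of this thread) that parses the output of `<prefix>/bin/rpm -q sendmail`, compares the installed VERSION-RELEASE against the affected/corrected table transcribed from the advisory, and says which package you need. The sample `rpm -q` lines are constructed; the "package ... is not installed" message is standard rpm output.

```python
"""Classify an OpenPKG sendmail package against the advisory table.

Added example, not OpenPKG's own code.  Assumes `rpm -q sendmail` prints a
single line of the form 'sendmail-VERSION-RELEASE'.
"""
import re
from typing import Optional, Tuple

# Transcribed from the advisory: OpenPKG release -> (last affected, first corrected)
ADVISORY_TABLE = {
    "CURRENT": ("8.12.9-20030801", "8.12.10-20030917"),
    "1.3": ("8.12.9-1.3.0", "8.12.9-1.3.1"),
    "1.2": ("8.12.7-1.2.3", "8.12.7-1.2.4"),
}

VersionKey = Tuple[Tuple[int, ...], Tuple[int, ...]]


def parse_version(vr: str) -> VersionKey:
    """Turn 'VERSION-RELEASE' into numeric tuples so they compare correctly.

    '8.12.9-1.3.0' -> ((8, 12, 9), (1, 3, 0)); a plain string compare would
    wrongly sort '8.12.10' before '8.12.9'.
    """
    version, _, release = vr.partition("-")
    to_tuple = lambda s: tuple(int(x) for x in re.findall(r"\d+", s))
    return to_tuple(version), to_tuple(release)


def parse_rpm_query(line: str) -> Optional[str]:
    """Extract 'VERSION-RELEASE' from one line of `rpm -q sendmail` output.

    Returns None when rpm reports the package as not installed; raises on
    anything it does not recognise rather than silently calling it safe.
    """
    line = line.strip()
    if line.startswith("package sendmail is not installed"):
        return None
    m = re.match(r"^sendmail-(\d[\w.]*-[\w.]+)$", line)
    if not m:
        raise ValueError(f"unrecognised rpm output: {line!r}")
    return m.group(1)


def is_affected(installed: str, openpkg_release: str) -> bool:
    """True when the installed package is at or below the last affected version."""
    last_affected, _ = ADVISORY_TABLE[openpkg_release]
    return parse_version(installed) <= parse_version(last_affected)


def check_host(rpm_output: str, openpkg_release: str) -> str:
    """One-line verdict for a host, given its `rpm -q sendmail` output."""
    installed = parse_rpm_query(rpm_output)
    if installed is None:
        return "NOT INSTALLED: sendmail package absent, nothing to update"
    _, first_fixed = ADVISORY_TABLE[openpkg_release]
    if is_affected(installed, openpkg_release):
        return f"AFFECTED: sendmail-{installed}, upgrade to sendmail-{first_fixed}"
    return f"OK: sendmail-{installed} is at or above sendmail-{first_fixed}"


if __name__ == "__main__":
    # Constructed sample output, one host per line: (OpenPKG release, rpm -q line)
    samples = [
        ("1.3", "sendmail-8.12.9-1.3.0"),
        ("1.3", "sendmail-8.12.9-1.3.1"),
        ("1.2", "sendmail-8.12.7-1.2.3"),
        ("CURRENT", "sendmail-8.12.10-20030917"),
        ("1.3", "package sendmail is not installed"),
    ]
    for release, line in samples:
        print(f"OpenPKG {release:<8} {check_host(line, release)}")
```

The numeric-tuple comparison is the part worth copying: the CURRENT row goes from 8.12.9 to 8.12.10, and a naive string comparison would rank the corrected package below the affected one.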

#2 User is offline   woutiir 

  • Corporal
  • Icon
  • Group: Specialist
  • Posts: 161
  • Joined: 31-July 03

Posted 21 September 2003 - 07:12 AM

First I wanna try a local exploitation of this bug..
Info I found:

Quote

  Local exploitation on little endian Linux is confirmed to be trivial
  via recipient.c and sendtolist(), with a pointer overwrite leading to a
  neat case of free() on user-supplied data, i.e.:

  eip = 0x40178ae2
  edx = 0x41414141
  esi = 0x61616161

  SEGV in chunk_free (ar_ptr=0x4022a160, p=0x81337e0) at malloc.c:3242

  0x40178ae2 <chunk_free+486>: mov %esi,0xc(%edx)
  0x40178ae5 <chunk_free+489>: mov %edx,0x8(%esi)

  Remote attack is believed to be possible.


Tho what I need to know is with what parameters I get to overwrite the pointer...

Let me know if you already know.

Gr. woutiir
0

#3 User is offline   GAN_GR33N 

  • Corporal
  • Icon
  • Group: Members
  • Posts: 163
  • Joined: 24-May 03

Posted 21 September 2003 - 10:46 AM

Well I'm on it.

Will post back as soon as I have anything.
0

#4 User is offline   GAN_GR33N 

  • Corporal
  • Icon
  • Group: Members
  • Posts: 163
  • Joined: 24-May 03

Posted 21 September 2003 - 10:57 AM

Well I found this at Security Focus:

http://www.securityfocus.com/bid/7230

It also has 2 exploits with it, but one of them is local and they only work on 2 or 3 flavors.

I think this may help us as a first project. Later I will set up a sendmail server on Red Hat 7.0 and PM those who are interested in testing.
0

#5 User is offline   woutiir 

  • Corporal
  • Icon
  • Group: Specialist
  • Posts: 161
  • Joined: 31-July 03

Posted 21 September 2003 - 11:07 AM

That's the old exploit. This one is new. No public sendmail code out there yet.


Gr. woutiir
0

#6 User is offline   GAN_GR33N 

  • Corporal
  • Icon
  • Group: Members
  • Posts: 163
  • Joined: 24-May 03

Posted 21 September 2003 - 12:33 PM

Whoops, sorry bro.

I'll keep looking for info.
0

#7 User is offline   shaun2k2 

  • Sergeant First Class
  • Icon
  • Group: Specialist
  • Posts: 348
  • Joined: 14-August 03

Posted 22 September 2003 - 08:02 AM

Okay, nice project, but I might add that this bug might not be exploitable.

Think back to school, remember what the first step in any project is? Research. First, we must research the known facts regarding the vulnerability, then blackbox test the sendmail daemon, and if found possibly exploitable, release any new information we have found, along with exploit code we have produced.

We need to organise these projects properly, we could get an IRC chat running, or we could post here. Real-time is sometimes better than bulletin board posting.


Thank you for your time.
Shaun.
0

#8 User is offline   woutiir 

  • Corporal
  • Icon
  • Group: Specialist
  • Posts: 161
  • Joined: 31-July 03

Posted 22 September 2003 - 06:29 AM

Both:
Nope... We're trying to make our own remote and local exploit for this bug. It's a new bug where no public exploit is available yet. The difference with the exploits you posted is that version 8.12.9 is vulnerable also, unlike the 8.12.8 one, which says that it's fixed in 8.12.9... Since there is a new bug found, see the adv. I posted for more info on it.

Gr. woutiir
0

#9 User is offline   Kenny 

  • Commander In Chief
  • Icon
  • Group: Admin
  • Posts: 6,447
  • Joined: 18-August 06

Posted 22 September 2003 - 07:11 AM

woutiir thanks for the feedback.... you both know what you're after bud... am watching with interest... as a side line observer... :D

Cheers

edited and removed codes
Kenny aka ComSec

Please read the Forum Rules !!!

Blog

" http://kaltech.blogspot.com/ "

______________________
0

#10 User is offline   woutiir 

  • Corporal
  • Icon
  • Group: Specialist
  • Posts: 161
  • Joined: 31-July 03

Posted 22 September 2003 - 09:46 AM

Agree,

Tho, local exploitation is 100% possible, since the example shows us a pointer overwrite which we could exploit.

:)

Gr. woutiir
0

#11 User is offline   woutiir 

  • Corporal
  • Icon
  • Group: Specialist
  • Posts: 161
  • Joined: 31-July 03

Posted 22 September 2003 - 11:32 AM

Quote

Two vulnerabilities were reported in sendmail.

- CAN-2003-0681

  A "potential buffer overflow in ruleset parsing" for Sendmail
  8.12.9, when using the nonstandard rulesets (1) recipient (2),
  final, or (3) mailer-specific envelope recipients, has unknown
  consequences.

- CAN-2003-0694

  The prescan function in Sendmail 8.12.9 allows remote attackers to
  execute arbitrary code via buffer overflow attacks, as demonstrated
  using the parseaddr function in parseaddr.c.


Anyone found out how this recipients bug works and how to let it overwrite the buffer? Or have a test server? I couldn't get sendmail to work, so a test server would be very helpful so I can test some things out.

thnx,

woutiir
0
