Sendmail是一款互联网上最流行的邮件传输代理(MTA)。
Sendmail中的prescan()函数(与 http://www.nsfocus.net/index.php?act=sec_bug&do=view&bug_id=4625 描述的漏洞不同)存在问题,远程攻击者可以利用这个漏洞可能以Sendmail进程权限在系统上执行任意指令。
在Linux上的本地利用方法可以通过recipient.c和sendtolist(),利用用户提交的数据覆盖指针,在调用free()函数时可能导致指令重定向,攻击者可以构建恶意邮件消息提交给Sendmail解析可能以Sendmail进程权限在系统上执行任意指令。一般的利用方式是通过parseaddr()函数间接调用prescan()函数来覆盖一些数据结构来触发溢出,也有可能存在其他的利用方式,远程利用此漏洞也是可能的。
解决方法
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 停止使用Sendmail。
* 在配置文件中设置RunAsUser选项。但这仅能减小攻击所带来的威胁,并不能
彻底消除安全漏洞。
厂商补丁:
Conectiva
---------
Conectiva已经为此发布了一个安全公告(CLA-2003:742)以及相应补丁:
CLA-2003:742:sendmail
链接:http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000742
补丁下载:
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-8.11.6-1U70_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-cf-8.11.6-1U70_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-doc-8.11.6-1U70_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/sendmail-8.11.6-1U70_5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-8.11.6-2U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-cf-8.11.6-2U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/sendmail-doc-8.11.6-2U80_5cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/sendmail-8.11.6-2U80_5cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/sendmail-8.12.5-26986U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/sendmail-cf-8.12.5-26986U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/sendmail-doc-8.12.5-26986U90_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/sendmail-8.12.5-26986U90_3cl.src.rpm
Debian
------
Debian已经为此发布了一个安全公告(DSA-384-1)以及相应补丁:
DSA-384-1:New sendmail packages fix buffer overflows
链接:http://www.debian.org/security/2002/dsa-384
补丁下载:
Source archives:
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6.dsc
Size/MD5 checksum: 751 a7d0da0bedbe35592233cb9ce710f551
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6.diff.gz
Size/MD5 checksum: 255026 5a86a93275a55af8c92677469c4a8cd3
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3.orig.tar.gz
Size/MD5 checksum: 1840401 b198b346b10b3b5afc8cb4e12c07ff4d
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5.dsc
Size/MD5 checksum: 738 cc23a68bcf23332d560086c3c55cd16a
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5.diff.gz
Size/MD5 checksum: 327218 7f2fc2d0efe7935713b2d77dec66359c
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta.orig.tar.gz
Size/MD5 checksum: 1870451 4c7036e8042bae10a90da4a84a717963
Architecture independent components:
http://security.debian.org/pool/updates/main/s/sendmail/sendmail-doc_8.12.3-6.6_all.deb
Size/MD5 checksum: 747778 9c4362147654d4f28d8346fa4ad84ed0
Alpha architecture:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.6_alpha.deb
Size/MD5 checksum: 267842 4f53274558b9e29ca341721a68fb4adc
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6_alpha.deb
Size/MD5 checksum: 1109340 78cb6eb6b340e5dc52982889532a844a
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5_alpha.deb
Size/MD5 checksum: 440712 b22b97caba3652ef2a7d9f35633e3040
ARM architecture:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.6_arm.deb
Size/MD5 checksum: 247568 ac8f0778eb56f7c0a852fdc54ef071b1
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6_arm.deb
Size/MD5 checksum: 979454 6b9898686e6361abe657c5fd75d962c5
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5_arm.deb
Size/MD5 checksum: 369568 3baf5caa46b2c9d0b67c6d60f47d8030
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.6_i386.deb
Size/MD5 checksum: 237374 0662e6e9bb58db37a1d8f511e4ba2fce
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6_i386.deb
Size/MD5 checksum: 917848 3717265bb7ed3f5bd81fb9a712826cec
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5_i386.deb
Size/MD5 checksum: 328914 23af5c312cef6a53f000f4663980b11d
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.6_ia64.deb
Size/MD5 checksum: 282028 a35b9ca4cfc7a1c1ec6bdb1f2e00d8bb
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6_ia64.deb
Size/MD5 checksum: 1332734 9f4ae78c3aa4644366e7e3f4bb787096
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5_ia64.deb
Size/MD5 checksum: 575024 9e4283bf8427361959efc71fa10b47db
HP Precision architecture:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.6_hppa.deb
Size/MD5 checksum: 261692 a91642fb4a90687c7d318342cac40b81
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6_hppa.deb
Size/MD5 checksum: 1081070 f8359f91edc1a1587de9ef3fee05e48a
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5_hppa.deb
Size/MD5 checksum: 413758 f7ebfefbe7bc3a212a0233531969d6ce
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.6_m68k.deb
Size/MD5 checksum: 231156 5a6f6c5597d65c625a8f93bca3ba91c7
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6_m68k.deb
Size/MD5 checksum: 865868 3f8e05c30f67a10b3148868b884b181a
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5_m68k.deb
Size/MD5 checksum: 300824 fcfe51748953a3cbec6b67ec6b59c815
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.6_mips.deb
Size/MD5 checksum: 255192 f6e277fc5dd3aad2471224cd5a93d8b2
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6_mips.deb
Size/MD5 checksum: 1022140 9ffa270d18fcff47eb50a379abf83423
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5_mips.deb
Size/MD5 checksum: 378446 3eb569322bf2ca44efad2e619ac60e09
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.6_mipsel.deb
Size/MD5 checksum: 254886 1671ae782111b31689db3cdcc8a685ca
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6_mipsel.deb
Size/MD5 checksum: 1022564 2c6d07a51a6799b3adf0465708ea965a
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5_mipsel.deb
Size/MD5 checksum: 380428 af4eb3885b34141ac8ca280d9588c236
PowerPC architecture:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.6_powerpc.deb
Size/MD5 checksum: 257296 6327996cfa6ba83133ca891e9ee7e06b
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6_powerpc.deb
Size/MD5 checksum: 978630 a328cc8608dfe496bacb51984a813eff
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5_powerpc.deb
Size/MD5 checksum: 363018 a7310a71887232474be479fdc0dc8846
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.6_s390.deb
Size/MD5 checksum: 242622 86d18643513d01467640277260d5faf4
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6_s390.deb
Size/MD5 checksum: 966352 db7b4c5516759dde0c244f87394e206a
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5_s390.deb
Size/MD5 checksum: 354934 7d9e5afceef87330409cc68a284e0b99
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/s/sendmail/libmilter-dev_8.12.3-6.6_sparc.deb
Size/MD5 checksum: 245326 d2c2c75a72bb25db831cf200aaa84ae2
http://security.debian.org/pool/updates/main/s/sendmail/sendmail_8.12.3-6.6_sparc.deb
Size/MD5 checksum: 982550 7e755b31bb2b0db5aa82ca5f516ac46d
http://security.debian.org/pool/updates/main/s/sendmail-wide/sendmail-wide_8.12.3+3.5Wbeta-5.5_sparc.deb
Size/MD5 checksum: 356148 c330e1560c9b37e25dd73947fe6fbc22
补丁安装方法:
1. 手工安装补丁包:
首先,使用下面的命令来下载补丁软件:
# wget url (url是补丁下载链接地址)
然后,使用下面的命令来安装补丁:
# dpkg -i file.deb (file是相应的补丁名)
2. 使用apt-get自动安装补丁包:
首先,使用下面的命令更新内部数据库:
# apt-get update
然后,使用下面的命令安装更新软件包:
# apt-get upgrade
FreeBSD
-------
FreeBSD已经发布了一个安全公告FreeBSD-SA-03:13.sendmail以修复此漏洞:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:13.sendmail.asc
您可以下载针对FreeBSD 5.1, 4.8, 以及 4.7的安全补丁:
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:13/sendmail.patch
然后以root身份执行下列命令:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libsm
# make obj && make depend && make
# cd /usr/src/lib/libsmutil
# make obj && make depend && make
# cd /usr/src/usr.sbin/sendmail
# make obj && make depend && make && make install
重新启动sendmail:
# /bin/sh /etc/rc.sendmail restart
IBM
---
IBM
AIX安全小组会发布以下APAR修复这个漏洞:
AIX 4.3.3的APAR编号: IY48659 (大约在10/03/03发布)
AIX 5.1.0的APAR编号: IY48658 (大约在10/15/03发布)
AIX 5.2.0的APAR编号: IY48657 (大约在10/29/03发布)
IBM很快就会发布efix补丁。可从以下位置获得efxi补丁:
ftp://ftp.software.ibm.com/aix/efixes/security/sendmail_4_efix.tar.Z
MandrakeSoft
------------
MandrakeSoft已经为此发布了一个安全公告(MDKSA-2003:092)以及相应补丁:
MDKSA-2003:092:Updated sendmail packages fix buffer overflow vulnerability
链接:http://www.linux-mandrake.com/en/security/2003/2003-092.php
补丁下载:
Updated Packages:
Corporate Server 2.1:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/sendmail-8.12.6-3.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/sendmail-cf-8.12.6-3.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/sendmail-devel-8.12.6-3.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/sendmail-doc-8.12.6-3.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/SRPMS/sendmail-8.12.6-3.5mdk.src.rpm
Mandrake Linux 8.2:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/sendmail-8.12.1-4.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/sendmail-cf-8.12.1-4.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/sendmail-devel-8.12.1-4.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/sendmail-doc-8.12.1-4.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/SRPMS/sendmail-8.12.1-4.5mdk.src.rpm
Mandrake Linux 8.2/PPC:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/sendmail-8.12.1-4.5mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/sendmail-cf-8.12.1-4.5mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/sendmail-devel-8.12.1-4.5mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/sendmail-doc-8.12.1-4.5mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/SRPMS/sendmail-8.12.1-4.5mdk.src.rpm
Mandrake Linux 9.0:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/sendmail-8.12.6-3.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/sendmail-cf-8.12.6-3.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/sendmail-devel-8.12.6-3.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/sendmail-doc-8.12.6-3.5mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/SRPMS/sendmail-8.12.6-3.5mdk.src.rpm
Mandrake Linux 9.1:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/sendmail-8.12.9-1.2mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/sendmail-cf-8.12.9-1.2mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/sendmail-devel-8.12.9-1.2mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/sendmail-doc-8.12.9-1.2mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/SRPMS/sendmail-8.12.9-1.2mdk.src.rpm
Mandrake Linux 9.1/PPC:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/sendmail-8.12.9-1.2mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/sendmail-cf-8.12.9-1.2mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/sendmail-devel-8.12.9-1.2mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/sendmail-doc-8.12.9-1.2mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/SRPMS/sendmail-8.12.9-1.2mdk.src.rpm
上述升级软件还可以在下列地址中的任意一个镜像ftp服务器上下载:
http://www.mandrakesecure.net/en/ftp.php
RedHat
------
RedHat已经为此发布了一个安全公告(RHSA-2003:283-09)以及相应补丁:
RHSA-2003:283-09:Updated Sendmail packages fix vulnerability.
链接:https://rhn.redhat.com/errata/RHSA-2003-283.html
补丁下载:
Red Hat Linux 7.1:
SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/sendmail-8.11.6-27.71.src.rpm
i386:
ftp://updates.redhat.com/7.1/en/os/i386/sendmail-8.11.6-27.71.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/sendmail-doc-8.11.6-27.71.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/sendmail-devel-8.11.6-27.71.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/sendmail-cf-8.11.6-27.71.i386.rpm
Red Hat Linux 7.2:
SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/sendmail-8.11.6-27.72.src.rpm
i386:
ftp://updates.redhat.com/7.2/en/os/i386/sendmail-8.11.6-27.72.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/sendmail-doc-8.11.6-27.72.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/sendmail-devel-8.11.6-27.72.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/sendmail-cf-8.11.6-27.72.i386.rpm
ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-8.11.6-27.72.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-doc-8.11.6-27.72.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-devel-8.11.6-27.72.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/sendmail-cf-8.11.6-27.72.ia64.rpm
Red Hat Linux 7.3:
SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/sendmail-8.11.6-27.73.src.rpm
i386:
ftp://updates.redhat.com/7.3/en/os/i386/sendmail-8.11.6-27.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/sendmail-doc-8.11.6-27.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/sendmail-devel-8.11.6-27.73.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/sendmail-cf-8.11.6-27.73.i386.rpm
Red Hat Linux 8.0:
SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/sendmail-8.12.8-9.80.src.rpm
i386:
ftp://updates.redhat.com/8.0/en/os/i386/sendmail-8.12.8-9.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/sendmail-doc-8.12.8-9.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/sendmail-devel-8.12.8-9.80.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/sendmail-cf-8.12.8-9.80.i386.rpm
Red Hat Linux 9:
SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/sendmail-8.12.8-9.90.src.rpm
i386:
ftp://updates.redhat.com/9/en/os/i386/sendmail-8.12.8-9.90.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/sendmail-doc-8.12.8-9.90.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/sendmail-devel-8.12.8-9.90.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/sendmail-cf-8.12.8-9.90.i386.rpm
可使用下列命令安装补丁:
rpm -Fvh [文件名]
Sendmail Consortium
-------------------
http://www.debian.org/security/2003/dsa-384
Sun
---
Sun承认在Solaris 7,8和9上最近版本的sendmail 8.12.10受这个漏洞影响。
Sun很快就会在发布一个针对此漏洞的Sun安全公告:
http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/56860
目前还没有补丁。