Sendmail Vulnerabilities and the smad attack (sendmail accept DoS)


Versions of sendmail prior to version 8.8.5 have a variety of vulnerabilities.  Older versions of sendmail may also run in DEBUG mode which could allow access from a malicious user.

Impact

Malicious users exploiting these vulnerabilities are able to gain unauthorized access, possibly even root access, to a target system.

Background

sendmail, first released circa 1983, is a mail router program, and was designed to route email between peers on a network and also to route mail between networks. Note that sendmail is a routing program, and not an application that an ordinary user would use to format and send messages. Instead, sendmail accepts formatted messages from an email program (such as Outlook Express, Eudora or Pegasus), and then sends them to the appropriate recipients. The message is sent using the Simple Mail Transfer Protocol (SMTP), which was designed to be a reliable and effective transport for mail messages.

The Problems

Versions 8.8.3 and 8.8.4 of sendmail have a serious security vulnerability that allows remote users to execute arbitrary commands on the local system with root privileges. By sending a carefully crafted email message to a system running a vulnerable version of sendmail, intruders may be able to force sendmail to execute arbitrary commands with root privileges. Those commands are run on the same system where the vulnerable sendmail is running. This vulnerability may be exploited on systems despite firewalls and other network boundary protective measures. A hacker does not have to be a local user to exploit this vulnerability. This vulnerability is described in CERT Advisory CA-97.05.

An older vulnerability which keeps showing up from time to time is when sendmail runs in DEBUG mode. The DEBUG mode can allow a malicious user to gain access through sendmail.

Very old versions of sendmail, such as version 5.x and earlier, allow a remote attacker to specify commands after a pipe (|) character in certain fields in the e-mail. This could result in arbitrary commands being executed on the server with root privileges. This vulnerability was described in an X-Force Alert.

Version 8 of sendmail (version 8.x.x up to and including 8.8.3) has a vulnerability that can be exploited by a local user to run programs with the group permissions of other users. For the exploitation to be successful, group-writable files must be available on the same file system as a file that the attacker can convince sendmail to trust. This vulnerability can only be exploited by local users (i.e., users who have accounts on the target machine). This vulnerability is described in CERT Advisory CA-96.25.

Versions 8.7 through 8.8.2 of sendmail have a vulnerability that can be used to gain root access. sendmail is often run in daemon mode so it can "listen" for incoming mail connections on the standard SMTP networking port (usually port 25). The root user is the only user allowed to start sendmail in this way, and sendmail contains code intended to enforce this restriction. Due to a coding error, sendmail can be invoked in daemon mode in a way that bypasses the built-in check, and any local user is able to start sendmail in daemon mode. By manipulating the sendmail mail environment, the user can then have sendmail execute an arbitrary program with root privileges. This vulnerability can only be exploited by local users (i.e., users who have accounts on the target machine). This vulnerability is described in CERT Advisory CA-96.24. CERT Advisory CA-96.24 also describes additional vulnerabilities in versions 8.8.0 and 8.8.1 of sendmail.

There are two vulnerabilities in versions of sendmail up to and including version 8.7.5. By exploiting the first of these vulnerabilities, users who have local accounts can gain access to the default user, which is often daemon. By exploiting the second vulnerability, any local user can gain root access. Both of these vulnerabilities can only be exploited by local users (i.e., users who have accounts on the target machine). These vulnerabilities are described in CERT Advisory CA-96.20.

Versions 5 through 8.6.9 of sendmail have a vulnerability which could allow an intruder to execute commands on the server with root privileges. This vulnerability is described in CERT Advisory CA-95.08. 

There is a buffer overflow condition in version 8.6.9 of sendmail in the processing of the response from the ident service. sendmail makes a connection to the ident service on the client host in order to log information about the user who is making the connection. A properly formatted response from the ident service is expected. An attacker could instead send a very long response, thereby overflowing the buffer and enabling the attacker to execute arbitrary commands on the server. This vulnerability was described in an X-Force Alert.

Versions 8.8.0 and 8.8.1 of sendmail have a buffer overflow condition in the MIME processing code. A remote attacker could exploit the condition to gain root access on the server. This vulnerability is described in an X-Force Alert.
Smad Attack

The smad (sendmail accept DoS) attack prevents sendmail from accepting legitimate connections. An attacker may use this flaw to stop you from receiving any email, which undermines much of the value of being connected to the Internet. This attack is specific to some versions of the Linux kernel. There are also various security bugs in the implementation of this service that an intruder can use to gain a root account rather easily.

Resolution

To correct these vulnerabilities, replace sendmail with the most recent version. Alternatively, obtain the latest fixed version or patches for sendmail from your vendor.
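As an added example (not code from the original page or from the sendmail project), the following Python script turns the version ranges listed under "The Problems" and the 8.8.5 threshold from the Resolution into an audit check: it parses the version out of an SMTP greeting banner and reports which of the advisories above apply. The banner strings used here are constructed, and the script assumes the server reports its real version in the greeting.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated on this page: (advisory, lowest, highest, who can exploit).
# "5.x and earlier" is modelled as everything up to 5.99.99; "up to and including
# 8.7.5" has no stated lower bound, so 0.0.0 is used.
ADVISORIES = [
    ("CA-97.05: remote root via crafted message",     (8, 8, 3), (8, 8, 4),   "remote"),
    ("CA-96.25: run programs with others' group perms", (8, 0, 0), (8, 8, 3), "local"),
    ("CA-96.24: daemon-mode check bypass",            (8, 7, 0), (8, 8, 2),   "local"),
    ("X-Force: MIME buffer overflow",                 (8, 8, 0), (8, 8, 1),   "remote"),
    ("CA-96.20: default-user access / root",          (0, 0, 0), (8, 7, 5),   "local"),
    ("CA-95.08: remote command execution",            (5, 0, 0), (8, 6, 9),   "remote"),
    ("X-Force: ident response overflow",              (8, 6, 9), (8, 6, 9),   "remote"),
    ("X-Force: pipe (|) command injection",           (0, 0, 0), (5, 99, 99), "remote"),
]
FIXED_IN: Version = (8, 8, 5)  # page: versions prior to 8.8.5 are vulnerable

# Typical greeting: "220 host ESMTP Sendmail 8.8.4/8.8.4; <date>"; the first
# dotted number after "Sendmail" is the program version (the second is the config).
BANNER_RE = re.compile(r"\bSendmail\s+(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)


def parse_version(banner: str) -> Optional[Version]:
    """Extract the sendmail version tuple from a greeting banner, or None."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def affected_advisories(version: Version) -> list:
    """Advisories from this page whose stated range covers the given version."""
    return [name for name, lo, hi, _scope in ADVISORIES if lo <= version <= hi]


def triage(banner: str) -> Optional[dict]:
    """Summarise what the banner implies; None if it is not a sendmail banner."""
    version = parse_version(banner)
    if version is None:
        return None
    return {
        "version": version,
        "outdated": version < FIXED_IN,
        "advisories": affected_advisories(version),
    }


if __name__ == "__main__":
    # Constructed sample banner for a stand-alone run.
    print(triage("220 mail.example.test ESMTP Sendmail 8.8.4/8.8.4; Tue, 4 Mar 1997"))
```

The greeting is self-reported, so treat a clean result as a prompt to confirm the installed package version on the host rather than as proof of patching.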

Where can you read more about this?

To read more about the sendmail vulnerabilities, read CERT Advisories CA-95.08, CA-97.05, CA-96.25, CA-96.24, and CA-96.20.