
List:       nessus-plugins-writers
Subject:    sendmail local attacks
From:       "Michel Arboi" <arboi () noos ! fr>
Date:       2002-08-17 11:15:12
Message-ID: 1029582912.6747.9.camel () rotissoire

One root compromise, one DoS and one not really dangerous.
It is always the same version that is vulnerable, but following the
principle "one flaw, one plugin", I wrote three scripts instead of two.






# This script was written by Michel Arboi <arboi@bigfoot.com>
#
# GPL
#
# References:
# From: "Michal Zalewski" <lcamtuf@echelon.pl>
# To: bugtraq@securityfocus.com
# CC: sendmail-security@sendmail.org
# Subject: RAZOR advisory: multiple Sendmail vulnerabilities

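# Registration branch: the engine evaluates the script with `description`
# set when it loads plugin metadata, so only the script_* registration calls
# run here and the banner check further down is never reached.
if(description)
{
 script_id(11088);
 script_cve_id("CAN-2001-0715");
 script_version ("$Revision$");
 
 name["english"] = "Sendmail debug mode leak";
 name["francais"] = "Fuite d'information dans le mode debug de sendmail";
 script_name(english:name["english"],
	      francais:name["francais"]);
 
 # Report text shown to the user. The finding is version-inferred and local
 # only: the plugin cannot tell whether RestrictQRun is set on the target, so
 # the text itself asks the reader to check that before acting.
 desc["english"] = "
According to the version number of the remote mail server, 
a local user may be able to obtain the complete mail configuration
and other interesting information about the mail queue even if
he is not allowed to access that information directly, by running
	sendmail -q -d0-nnnn.xxx
where nnnn & xxx are debugging levels.

If users are not allowed to process the queue (which is the default)
then you are not vulnerable.

Solution : upgrade to the latest version of Sendmail or 
do not allow users to process the queue (RestrictQRun option)
Risk factor : Very low / none
Note : This vulnerability is _local_ only"; 


 # French report text; the command line now matches the English one
 # (the previous text gave a different, incorrect invocation).
 desc["francais"] = "
D'après le numéro de version du serveur sendmail distant, 
un utilisateur local peut obtenir des informations sur la configuration
du courrier et sur l'état de la file d'attente même s'il n'y a pas
accès directement, en lançant :
	sendmail -q -d0-nnnn.xxx
où nnnn et xxx sont des niveaux de débogage.

Si votre système ne permet pas aux utilisateurs de traiter
la file d'attente (ce qui est le cas par défaut), vous n'êtes pas 
vulnérable.

Solution : mettez à jour sendmail ou interdisez aux utilisateurs
de toucher à la file d'attente (option RestrictQRun)

Facteur de risque : Très faible / nul
Note : cette vulnérabilité est locale uniquement";

 script_description(english:desc["english"],
		      francais:desc["francais"]);
 
 summary["english"] = "Checks the version number for 'debug mode leak'"; 
 # NOTE(review): the backslash-newline inside this double-quoted string is
 # kept as written; confirm whether this NASL version treats it as a line
 # continuation or leaves a literal backslash in the summary text.
 summary["francais"] = "Vérification du numéro de version de sendmail pour la 'fuite \
d'informations en mode debug'";
 script_summary(english:summary["english"],
		  francais:summary["francais"]);
 
 # Banner-only check: no traffic beyond the SMTP greeting is generated.
 script_category(ACT_GATHER_INFO);
 
 script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi",
		   francais:"Ce script est Copyright (C) 2002 Michel Arboi");
 
 family["english"] = "SMTP problems";
 family["francais"] = "Problèmes SMTP";
 script_family(english:family["english"], francais:family["francais"]);
 # Needs the service scan so that Services/smtp is populated in the KB.
 script_dependencie("find_service.nes");
 script_require_ports("Services/smtp", 25);
 exit(0);
}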

#

include("smtp_func.inc");

# Detection branch: purely version-based. The plugin reads the SMTP greeting
# and flags the host when the advertised Sendmail version falls in the
# affected range; it does not check RestrictQRun or run anything locally.
smtp_port = get_kb_item("Services/smtp");
if(! smtp_port) smtp_port = 25;

greeting = get_smtp_banner(port: smtp_port);
if(! greeting) exit(0);

# Matches 8.0.x - 8.9.x, 8.10.x, 8.11.x, and 8.12.0 (followed by anything).
# NOTE(review): a default Sendmail greeting carries two versions
# ("binary/config-file"); this pattern is not anchored to either field, so
# confirm it cannot fire on the config-file version alone.
vuln_versions = ".*Sendmail.*8\.(([0-9]\..*)|(1[01]\..*)|(12\.0)).*";
if(ereg(pattern: vuln_versions, string: greeting))
	security_warning(smtp_port);



# This script was written by Michel Arboi <arboi@bigfoot.com>
#
# GPL
#
# References:
# From: "Michal Zalewski" <lcamtuf@echelon.pl>
# To: bugtraq@securityfocus.com
# CC: sendmail-security@sendmail.org
# Subject: RAZOR advisory: multiple Sendmail vulnerabilities

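# Registration branch: the engine evaluates the script with `description`
# set when it loads plugin metadata, so only the script_* registration calls
# run here and the banner check further down is never reached.
if(description)
{
 script_id(11086);
 script_cve_id("CAN-2001-0713");
 script_version ("$Revision$");
 
 name["english"] = "Sendmail custom configuration file";
 name["francais"] = "Fichier de configuration spécifique de sendmail";
 script_name(english:name["english"],
	      francais:name["francais"]);
 
 # Report text shown to the user. This is the one finding of the three
 # rated High: a local privilege regain, inferred from the banner version only.
 desc["english"] = "
The remote sendmail server, according to its version number,
may be vulnerable to a 'Mail System Compromise' when a
user supplies a custom configuration file.
Although the mail server is supposed to run as an unprivileged user, 
a programming error allows the local attacker to regain the extra 
dropped privileges and run commands as root.

Solution : upgrade to the latest version of Sendmail
Risk factor : High
Note : This vulnerability is _local_ only"; 


 desc["francais"] = "
Le serveur sendmail distant, d'après son numéro de version,
est vulnérable lorsqu'un utilisateur fournit un fichier de 
configuration spécifique.
Bien que le serveur soit censé tourner sous une identité lambda,
une erreur de programmation permet à l'attaquant local de regagner 
les privilèges abandonnés et d'exécuter des commandes en tant que root.

Solution : mettez à jour sendmail
Facteur de risque : Elevé
Note : cette vulnérabilité est locale uniquement";

 script_description(english:desc["english"],
		      francais:desc["francais"]);
 
 summary["english"] = "Checks the version number for 'custom config file'"; 
 # NOTE(review): the backslash-newline inside this double-quoted string is
 # kept as written; confirm whether this NASL version treats it as a line
 # continuation or leaves a literal backslash in the summary text.
 summary["francais"] = "Vérification du numéro de version de sendmail pour l'attaque \
'fichier de configuration spécifique'";
 script_summary(english:summary["english"],
		  francais:summary["francais"]);
 
 # Banner-only check: no traffic beyond the SMTP greeting is generated.
 script_category(ACT_GATHER_INFO);
 
 script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi",
		   francais:"Ce script est Copyright (C) 2002 Michel Arboi");
 
 family["english"] = "SMTP problems";
 family["francais"] = "Problèmes SMTP";
 script_family(english:family["english"], francais:family["francais"]);
 # Needs the service scan so that Services/smtp is populated in the KB.
 script_dependencie("find_service.nes");
 script_require_ports("Services/smtp", 25);
 exit(0);
}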

#

include("smtp_func.inc");

# Detection branch: purely version-based. Reads the SMTP greeting and
# reports a hole when the advertised Sendmail version is 8.12.0; nothing is
# executed on the target and RestrictQRun/-C handling is not verified.
smtp_port = get_kb_item("Services/smtp");
if(! smtp_port) smtp_port = 25;

greeting = get_smtp_banner(port: smtp_port);
if(! greeting) exit(0);

# Only 8.12.0 (followed by anything) is matched.
# NOTE(review): a default Sendmail greeting carries two versions
# ("binary/config-file"); this pattern is not anchored to either field, so
# confirm it cannot fire on the config-file version alone.
vuln_versions = ".*Sendmail.*8\.12\.0.*";
if(ereg(pattern: vuln_versions, string: greeting))
	 security_hole(smtp_port);



# This script was written by Michel Arboi <arboi@bigfoot.com>
#
# GPL
#
# References:
# From: "Michal Zalewski" <lcamtuf@echelon.pl>
# To: bugtraq@securityfocus.com
# CC: sendmail-security@sendmail.org
# Subject: RAZOR advisory: multiple Sendmail vulnerabilities

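# Registration branch: the engine evaluates the script with `description`
# set when it loads plugin metadata, so only the script_* registration calls
# run here and the banner check further down is never reached.
if(description)
{
 script_id(11087);
 script_cve_id("CAN-2001-0714");
 script_version ("$Revision$");
 
 name["english"] = "Sendmail queue manipulation & destruction";
 name["francais"] = "Manipulation & destruction de la file d'attente de sendmail";
 script_name(english:name["english"],
	      francais:name["francais"]);
 
 # Report text shown to the user. Local-only DoS, inferred from the banner
 # version; the plugin cannot tell whether RestrictQRun is set on the target,
 # so the text asks the reader to check that before acting.
 desc["english"] = "
The remote sendmail server, according to its version number,
might be vulnerable to a queue destruction when a local user
runs
	sendmail -q -h1000

If your system does not allow users to process the queue (which
is the default), you are not vulnerable.

Solution : upgrade to the latest version of Sendmail or 
do not allow users to process the queue (RestrictQRun option)
Risk factor : Low
Note : This vulnerability is _local_ only"; 


 desc["francais"] = "
Le serveur sendmail distant, d'après son numéro de version,
est vulnérable à une destruction de file d'attente lorsqu'un 
utilisateur local lance :
	sendmail -q -h1000

Si votre système ne permet pas aux utilisateurs de traiter
la file d'attente (ce qui est le cas par défaut), vous n'êtes pas 
vulnérables.

Solution : mettez à jour sendmail ou interdisez aux utilisateurs
de toucher à la file d'attente (option RestrictQRun)

Facteur de risque : Faible
Note : cette vulnérabilité est locale uniquement";

 script_description(english:desc["english"],
		      francais:desc["francais"]);
 
 summary["english"] = "Checks the version number for 'queue destruction'"; 
 # NOTE(review): the backslash-newline inside this double-quoted string is
 # kept as written; confirm whether this NASL version treats it as a line
 # continuation or leaves a literal backslash in the summary text.
 summary["francais"] = "Vérification du numéro de version de sendmail pour l'attaque \
'destruction de file d'attente'";
 script_summary(english:summary["english"],
		  francais:summary["francais"]);
 
 # Banner-only check: no traffic beyond the SMTP greeting is generated.
 script_category(ACT_GATHER_INFO);
 
 script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi",
		   francais:"Ce script est Copyright (C) 2002 Michel Arboi");
 
 family["english"] = "SMTP problems";
 family["francais"] = "Problèmes SMTP";
 script_family(english:family["english"], francais:family["francais"]);
 # Needs the service scan so that Services/smtp is populated in the KB.
 script_dependencie("find_service.nes");
 script_require_ports("Services/smtp", 25);
 exit(0);
}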

#

include("smtp_func.inc");

# Detection branch: purely version-based. Reads the SMTP greeting and
# warns when the advertised Sendmail version falls in the affected range;
# it does not check RestrictQRun or run anything locally.
smtp_port = get_kb_item("Services/smtp");
if(! smtp_port) smtp_port = 25;

greeting = get_smtp_banner(port: smtp_port);
if(! greeting) exit(0);

# Matches 8.0.x - 8.9.x, 8.10.x, 8.11.x, and 8.12.0 (followed by anything).
# NOTE(review): a default Sendmail greeting carries two versions
# ("binary/config-file"); this pattern is not anchored to either field, so
# confirm it cannot fire on the config-file version alone.
vuln_versions = ".*Sendmail.*8\.(([0-9]\..*)|(1[01]\..*)|(12\.0)).*";
if(ereg(pattern: vuln_versions, string: greeting))
	security_warning(smtp_port);


