CVE-2002-1165

CVSS 4.6 - MEDIUM
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: local, low complexity, sendmail, netbsd, nessus, exploit available

Summary

Sendmail Consortium's Restricted Shell (SMRSH) in Sendmail 8.12.6, 8.11.6-15, and possibly other versions after 8.11 from 5/19/1998, allows attackers to bypass the intended restrictions of smrsh by inserting additional commands after (1) "||" sequences or (2) "/" characters, which are not properly filtered or verified.

Exploit-Db

description: Sendmail 8.12.x SMRSH Double Pipe Access Validation Vulnerability. CVE-2002-1165. Local exploit for unix platform
id: EDB-ID:21884
last seen: 2016-02-02
modified: 2002-10-01
published: 2002-10-01
reporter: zen-parse
source: https://www.exploit-db.com/download/21884/
title: Sendmail 8.12.x SMRSH Double Pipe Access Validation Vulnerability

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2002-259.NASL
    description: The sendmail packages shipped with Red Hat Linux Advanced Server have a security bug if sendmail is configured to use smrsh. This security errata release fixes the problem. [Updated 06 Feb 2003] Added fixed packages for Advanced Workstation 2.1. SMRSH (the SendMail Restricted SHell) is a /bin/sh replacement for Sendmail. It provides the ability to limit the set of executable programs available to Sendmail. A bug in the version of smrsh packaged as part of Sendmail 8.12.6 and 8.11.6 allows attackers to bypass smrsh
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12335
    published: 2004-07-06
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/12335
    title: RHEL 2.1 : sendmail (RHSA-2002:259)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2002:259. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(12335);
      script_version ("1.25");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      script_cve_id("CVE-2002-1165");
      script_xref(name:"RHSA", value:"2002:259");
    
      script_name(english:"RHEL 2.1 : sendmail (RHSA-2002:259)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The sendmail packages shipped with Red Hat Linux Advanced Server have
    a security bug if sendmail is configured to use smrsh. This security
    errata release fixes the problem.
    
    [Updated 06 Feb 2003] Added fixed packages for Advanced Workstation
    2.1
    
    SMRSH (the SendMail Restricted SHell) is a /bin/sh replacement for
    Sendmail. It provides the ability to limit the set of executable
    programs available to Sendmail.
    
    A bug in the version of smrsh packaged as part of Sendmail 8.12.6 and
    8.11.6 allows attackers to bypass smrsh's intended restrictions. This
    can be done by inserting additional commands after '||' or '/'
    characters, which are not properly filtered or verified. A successful
    attack would allow an attacker who has a local account on a system to
    execute arbitrary binaries as themselves by utilizing their .forward
    file.
    
    Because sendmail as shipped with Red Hat Linux Advanced Server is not
    configured to use smrsh, this issue only affects users who have
    customized their sendmail configuration to use smrsh.
    
    Users who have configured sendmail to use smrsh should update to these
    errata packages which contain a backported security fix, and are
    therefore not vulnerable to this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2002-1165"
      );
      # http://marc.theaimsgroup.com/?l=bugtraq&m=103350914307274
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=bugtraq&m=103350914307274"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2002:259"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sendmail");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sendmail-cf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sendmail-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sendmail-doc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/10/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2003/02/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2002:259";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"sendmail-8.11.6-9.72.4")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"sendmail-cf-8.11.6-9.72.4")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"sendmail-devel-8.11.6-9.72.4")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"sendmail-doc-8.11.6-9.72.4")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "sendmail / sendmail-cf / sendmail-devel / sendmail-doc");
      }
    }
    
  • NASL family: SMTP problems
    NASL id: SHN_SENDMAIL_DOUBLEPIPE.NASL
    description: smrsh (supplied by Sendmail) is designed to prevent the execution of commands outside of the restricted environment. However, when commands are entered using either double pipes (||) or a mixture of dot and slash characters, a user may be able to bypass the checks performed by smrsh. This can lead to the execution of commands outside of the restricted environment. In addition, a function in headers.c does not properly sanitize input supplied via the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11321
    published: 2003-03-05
    reporter: This script is Copyright (C) 2003-2018 StrongHoldNet
    source: https://www.tenable.com/plugins/nessus/11321
    title: Sendmail 8.8.8 - 8.12.7 Multiple Vulnerabilities (Bypass, OF)
    code:
    #
    # This script was written by Vincent Renardias <[email protected]>
    #
    # Licence: GPLv2
    #
    # Changes by Tenable:
    # - Revised description (1/22/2009)
    # - Updated to use compat.inc, added CVSS score (11/20/2009)
    
    
    include("compat.inc");
    
    if(description)
    {
     script_id(11321);
     script_version ("1.25");
     script_cvs_date("Date: 2018/06/27 18:42:26");
    
     script_cve_id("CVE-2002-1165", "CVE-2002-1337");
     script_bugtraq_id(5845);
     script_xref(name:"RHSA", value:"2003:073-06");
     script_xref(name:"SuSE", value:"SUSE-SA:2003:023");
    
     script_name(english:"Sendmail 8.8.8 - 8.12.7 Multiple Vulnerabilities (Bypass, OF)");
     script_summary(english:"Checks sendmail's version number");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote host has an application that is affected by multiple
    vulnerabilities.");
     script_set_attribute(attribute:"description", value:
    "smrsh (supplied by Sendmail) is designed to prevent the execution of
    commands outside of the restricted environment.  However, when
    commands are entered using either double pipes (||) or a mixture of
    dot and slash characters, a user may be able to bypass the checks
    performed by smrsh.  This can lead to the execution of commands
    outside of the restricted environment. 
    
    In addition, a function in headers.c does not properly sanitize input
    supplied via the 'Address Field' causing an exploitable buffer
    overflow condition.  However, Nessus has not checked for this.");
     script_set_attribute(attribute:"solution", value:"Upgrade to Sendmail 8.12.8 or later.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
     script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/05");
     script_set_attribute(attribute:"vuln_publication_date", value:"2002/10/01");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
     
     script_category(ACT_GATHER_INFO);
     
     script_copyright(english:"This script is Copyright (C) 2003-2018 StrongHoldNet");
     
     script_family(english:"SMTP problems");
     script_dependencie("find_service1.nasl", "smtpserver_detect.nasl");
     script_require_ports("Services/smtp", 25);
     script_require_keys("SMTP/sendmail");
     exit(0);
    }
    
    #
    # The script code starts here
    #
    
    include("smtp_func.inc");
    
    port = get_kb_item("Services/smtp");
    if(!port) port = 25;
    
    banner = get_smtp_banner(port:port);
    
    if(banner)
    {
     if(egrep(pattern:"Sendmail.*[^/](8\.8\.[89]|8\.9\..*|8\.1[01]\..*|8\.12\.[0-7][^0-9])/", string:banner))
            security_hole(port);
    }
    
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2002-083.NASL
    description: A vulnerability was discovered by zen-parse and Pedram Amini in the sendmail MTA. They found two ways to exploit smrsh, an application intended as a replacement for the sh shell for use with sendmail; the first by inserting specially formatted commands in the ~/.forward file and secondly by calling smrsh directly with special options. These can be exploited to give users with no shell account, or those not permitted to execute certain programs or commands, the ability to bypass these restrictions.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 13981
    published: 2004-07-31
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/13981
    title: Mandrake Linux Security Advisory : sendmail (MDKSA-2002:083)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2002:083. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(13981);
      script_version ("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:46");
    
      script_cve_id("CVE-2002-1165");
      script_xref(name:"MDKSA", value:"2002:083");
    
      script_name(english:"Mandrake Linux Security Advisory : sendmail (MDKSA-2002:083)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A vulnerability was discovered by zen-parse and Pedram Amini in the
    sendmail MTA. They found two ways to exploit smrsh, an application
    intended as a replacement for the sh shell for use with sendmail; the
    first by inserting specially formatted commands in the ~/.forward file
    and secondly by calling smrsh directly with special options. These can
    be exploited to give users with no shell account, or those not
    permitted to execute certain programs or commands, the ability to
    bypass these restrictions."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.sendmail.org/smrsh.adv.txt"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:sendmail");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:sendmail-cf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:sendmail-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:sendmail-doc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2002/11/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"sendmail-8.11.0-4.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"sendmail-cf-8.11.0-4.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"sendmail-doc-8.11.0-4.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"sendmail-8.11.6-4.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"sendmail-cf-8.11.6-4.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"sendmail-doc-8.11.6-4.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"sendmail-8.11.6-4.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"sendmail-cf-8.11.6-4.2mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"sendmail-doc-8.11.6-4.2mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"sendmail-8.12.1-4.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"sendmail-cf-8.12.1-4.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"sendmail-devel-8.12.1-4.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"sendmail-doc-8.12.1-4.1mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"sendmail-8.12.6-3.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"sendmail-cf-8.12.6-3.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"sendmail-devel-8.12.6-3.1mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"sendmail-doc-8.12.6-3.1mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    

Packetstorm

data source: https://packetstormsecurity.com/files/download/29793/idefense.smrsh.txt
id: PACKETSTORM:29793
last seen: 2016-12-05
published: 2002-10-02
reporter: Zen-Parse
source: https://packetstormsecurity.com/files/29793/idefense.smrsh.txt.html
title: idefense.smrsh.txt

Redhat

advisories:
  rhsa
    id: RHSA-2003:073