CVE-2002-1165
Attack vector | LOCAL |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |
Summary
Sendmail Consortium's Restricted Shell (SMRSH) in Sendmail 8.12.6, 8.11.6-15, and possibly other versions after 8.11 from 5/19/1998, allows attackers to bypass the intended restrictions of smrsh by inserting additional commands after (1) "||" sequences or (2) "/" characters, which are not properly filtered or verified.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 7 |
OS | | 5 |
Exploit-Db
description | Sendmail 8.12.x SMRSH Double Pipe Access Validation Vulnerability. CVE-2002-1165. Local exploit for unix platform |
id | EDB-ID:21884 |
last seen | 2016-02-02 |
modified | 2002-10-01 |
published | 2002-10-01 |
reporter | zen-parse |
source | https://www.exploit-db.com/download/21884/ |
title | Sendmail 8.12.x SMRSH Double Pipe Access Validation Vulnerability |
Nessus
NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2002-259.NASL |
description | The sendmail packages shipped with Red Hat Linux Advanced Server have a security bug if sendmail is configured to use smrsh. This security errata release fixes the problem. [Updated 06 Feb 2003] Added fixed packages for Advanced Workstation 2.1. SMRSH (the SendMail Restricted SHell) is a /bin/sh replacement for Sendmail. It provides the ability to limit the set of executable programs available to Sendmail. A bug in the version of smrsh packaged as part of Sendmail 8.12.6 and 8.11.6 allows attackers to bypass smrsh's intended restrictions. This can be done by inserting additional commands after '||' or '/' characters, which are not properly filtered or verified. A successful attack would allow an attacker who has a local account on a system to execute arbitrary binaries as themselves by utilizing their .forward file. Because sendmail as shipped with Red Hat Linux Advanced Server is not configured to use smrsh, this issue only affects users who have customized their sendmail configuration to use smrsh. Users who have configured sendmail to use smrsh should update to these errata packages which contain a backported security fix, and are therefore not vulnerable to this issue. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 12335 |
published | 2004-07-06 |
reporter | This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/12335 |
title | RHEL 2.1 : sendmail (RHSA-2002:259) |
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2002:259. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(12335);
  script_version ("1.25");
  script_cvs_date("Date: 2019/10/25 13:36:10");

  script_cve_id("CVE-2002-1165");
  script_xref(name:"RHSA", value:"2002:259");

  script_name(english:"RHEL 2.1 : sendmail (RHSA-2002:259)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The sendmail packages shipped with Red Hat Linux Advanced Server have
a security bug if sendmail is configured to use smrsh. This security
errata release fixes the problem.

[Updated 06 Feb 2003]
Added fixed packages for Advanced Workstation 2.1

SMRSH (the SendMail Restricted SHell) is a /bin/sh replacement for
Sendmail. It provides the ability to limit the set of executable
programs available to Sendmail.

A bug in the version of smrsh packaged as part of Sendmail 8.12.6 and
8.11.6 allows attackers to bypass smrsh's intended restrictions. This
can be done by inserting additional commands after '||' or '/'
characters, which are not properly filtered or verified. A successful
attack would allow an attacker who has a local account on a system to
execute arbitrary binaries as themselves by utilizing their .forward
file.

Because sendmail as shipped with Red Hat Linux Advanced Server is not
configured to use smrsh, this issue only affects users who have
customized their sendmail configuration to use smrsh.

Users who have configured sendmail to use smrsh should update to these
errata packages which contain a backported security fix, and are
therefore not vulnerable to this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2002-1165"
  );
  # http://marc.theaimsgroup.com/?l=bugtraq&m=103350914307274
  script_set_attribute(
    attribute:"see_also",
    value:"https://marc.info/?l=bugtraq&m=103350914307274"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2002:259"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sendmail");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sendmail-cf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sendmail-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sendmail-doc");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");

  script_set_attribute(attribute:"vuln_publication_date", value:"2002/10/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2003/02/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");

  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

# Local checks need an SSH session and a Red Hat release string.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# The fixed packages are only known for i386.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);

# Prefer yum updateinfo when available; otherwise compare installed RPM versions.
yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2002:259";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"sendmail-8.11.6-9.72.4")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"sendmail-cf-8.11.6-9.72.4")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"sendmail-devel-8.11.6-9.72.4")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"sendmail-doc-8.11.6-9.72.4")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "sendmail / sendmail-cf / sendmail-devel / sendmail-doc");
  }
}
```
NASL family | SMTP problems |
NASL id | SHN_SENDMAIL_DOUBLEPIPE.NASL |
description | smrsh (supplied by Sendmail) is designed to prevent the execution of commands outside of the restricted environment. However, when commands are entered using either double pipes (\|\|) or a mixture of dot and slash characters, a user may be able to bypass the checks performed by smrsh. This can lead to the execution of commands outside of the restricted environment. In addition, a function in headers.c does not properly sanitize input supplied via the 'Address Field' causing an exploitable buffer overflow condition. However, Nessus has not checked for this. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 11321 |
published | 2003-03-05 |
reporter | This script is Copyright (C) 2003-2018 StrongHoldNet |
source | https://www.tenable.com/plugins/nessus/11321 |
title | Sendmail 8.8.8 - 8.12.7 Multiple Vulnerabilities (Bypass, OF) |
code:

```nasl
#
# This script was written by Vincent Renardias <[email protected]>
#
# Licence: GPLv2
#
# Changes by Tenable:
# - Revised description (1/22/2009)
# - Updated to use compat.inc, added CVSS score (11/20/2009)

include("compat.inc");

if(description)
{
  script_id(11321);
  script_version ("1.25");
  script_cvs_date("Date: 2018/06/27 18:42:26");

  script_cve_id("CVE-2002-1165", "CVE-2002-1337");
  script_bugtraq_id(5845);
  script_xref(name:"RHSA", value:"2003:073-06");
  script_xref(name:"SuSE", value:"SUSE-SA:2003:023");

  script_name(english:"Sendmail 8.8.8 - 8.12.7 Multiple Vulnerabilities (Bypass, OF)");
  script_summary(english:"Checks sendmail's version number");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has an application that is affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"smrsh (supplied by Sendmail) is designed to prevent the execution of
commands outside of the restricted environment. However, when commands
are entered using either double pipes (||) or a mixture of dot and
slash characters, a user may be able to bypass the checks performed by
smrsh. This can lead to the execution of commands outside of the
restricted environment.

In addition, a function in headers.c does not properly sanitize input
supplied via the 'Address Field' causing an exploitable buffer overflow
condition. However, Nessus has not checked for this.");
  script_set_attribute(attribute:"solution", value:"Upgrade to Sendmail 8.12.8 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/05");
  script_set_attribute(attribute:"vuln_publication_date", value:"2002/10/01");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2003-2018 StrongHoldNet");
  script_family(english:"SMTP problems");

  script_dependencie("find_service1.nasl", "smtpserver_detect.nasl");
  script_require_ports("Services/smtp", 25);
  script_require_keys("SMTP/sendmail");

  exit(0);
}

#
# The script code starts here
#

include("smtp_func.inc");

port = get_kb_item("Services/smtp");
if(!port) port = 25;

# Version check only: the plugin matches the Sendmail version advertised
# in the SMTP banner against the affected range 8.8.8 through 8.12.7.
banner = get_smtp_banner(port:port);
if(banner)
{
  if(egrep(pattern:"Sendmail.*[^/](8\.8\.[89]|8\.9\..*|8\.1[01]\..*|8\.12\.[0-7][^0-9])/", string:banner))
    security_hole(port);
}
```
NASL family | Mandriva Local Security Checks |
NASL id | MANDRAKE_MDKSA-2002-083.NASL |
description | A vulnerability was discovered by zen-parse and Pedram Amini in the sendmail MTA. They found two ways to exploit smrsh, an application intended as a replacement for the sh shell for use with sendmail; the first by inserting specially formatted commands in the ~/.forward file and secondly by calling smrsh directly with special options. These can be exploited to give users with no shell account, or those not permitted to execute certain programs or commands, the ability to bypass these restrictions. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 13981 |
published | 2004-07-31 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/13981 |
title | Mandrake Linux Security Advisory : sendmail (MDKSA-2002:083) |
code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandrake Linux Security Advisory MDKSA-2002:083.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(13981);
  script_version ("1.17");
  script_cvs_date("Date: 2019/08/02 13:32:46");

  script_cve_id("CVE-2002-1165");
  script_xref(name:"MDKSA", value:"2002:083");

  script_name(english:"Mandrake Linux Security Advisory : sendmail (MDKSA-2002:083)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Mandrake Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"A vulnerability was discovered by zen-parse and Pedram Amini in the
sendmail MTA. They found two ways to exploit smrsh, an application
intended as a replacement for the sh shell for use with sendmail; the
first by inserting specially formatted commands in the ~/.forward file
and secondly by calling smrsh directly with special options. These can
be exploited to give users with no shell account, or those not
permitted to execute certain programs or commands, the ability to
bypass these restrictions."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.sendmail.org/smrsh.adv.txt"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:sendmail");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:sendmail-cf");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:sendmail-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:sendmail-doc");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:7.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:8.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2002/11/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Local checks need an SSH session, a Mandrake release string and an RPM list.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

# Compare each installed sendmail package against the fixed version for its release.
flag = 0;
if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"sendmail-8.11.0-4.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"sendmail-cf-8.11.0-4.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK7.2", cpu:"i386", reference:"sendmail-doc-8.11.0-4.1mdk", yank:"mdk")) flag++;

if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"sendmail-8.11.6-4.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"sendmail-cf-8.11.6-4.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK8.0", cpu:"i386", reference:"sendmail-doc-8.11.6-4.1mdk", yank:"mdk")) flag++;

if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"sendmail-8.11.6-4.2mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"sendmail-cf-8.11.6-4.2mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK8.1", cpu:"i386", reference:"sendmail-doc-8.11.6-4.2mdk", yank:"mdk")) flag++;

if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"sendmail-8.12.1-4.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"sendmail-cf-8.12.1-4.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"sendmail-devel-8.12.1-4.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK8.2", cpu:"i386", reference:"sendmail-doc-8.12.1-4.1mdk", yank:"mdk")) flag++;

if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"sendmail-8.12.6-3.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"sendmail-cf-8.12.6-3.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"sendmail-devel-8.12.6-3.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.0", cpu:"i386", reference:"sendmail-doc-8.12.6-3.1mdk", yank:"mdk")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
Packetstorm
data source | https://packetstormsecurity.com/files/download/29793/idefense.smrsh.txt |
id | PACKETSTORM:29793 |
last seen | 2016-12-05 |
published | 2002-10-02 |
reporter | Zen-Parse |
source | https://packetstormsecurity.com/files/29793/idefense.smrsh.txt.html |
title | idefense.smrsh.txt |
References
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-023.txt.asc
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000532
- http://marc.info/?l=bugtraq&m=103350914307274&w=2
- http://secunia.com/advisories/7826
- http://www.iss.net/security_center/static/10232.php
- http://www.mandriva.com/security/advisories?name=MDKSA-2002:083
- http://www.redhat.com/support/errata/RHSA-2003-073.html
- http://www.securityfocus.com/bid/5845
- http://www.sendmail.org/smrsh.adv.txt