CVE-2026-41113: Remote code execution via shell injection through DNS MX records in the sagredo qmail fork
The qmail remote code execution vulnerability CVE-2026-41113 is a shell injection through attacker-controlled hostnames in DNS MX records. An attacker can exploit it to run arbitrary commands as the qmailr user. It affects sagredo-dev/qmail v2024.10.26 through v2026.04.02, carries a CVSS 3.1 score of 8.2 (High), and is fixed in v2026.04.07. 2026-4-18 19:12:0 Author: seclists.org


oss-sec mailing list archives


From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Sat, 18 Apr 2026 12:10:17 -0700

https://blog.calif.io/p/we-asked-claude-to-audit-sagredos and
https://github.com/califio/publications/tree/main/MADBugs/qmail
disclose CVE-2026-41113 in the version of qmail from
https://github.com/sagredo-dev/qmail .

qmail-remote RCE via DNS MX Hostname Shell Injection (CVE-2026-41113)

Remote code execution in sagredo-dev/qmail through shell injection in
tls_quit(). An attacker who controls DNS for any domain the target server
sends mail to can execute arbitrary commands as the qmailr user.

Affected        sagredo-dev/qmail v2024.10.26 through v2026.04.02
Fixed in        v2026.04.07 (commit 749f607)
Requirement     control/notlshosts_auto enabled
CVSS 3.1        8.2 High (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE             CVE-2026-41113


Our system zeroed in on a feature called notlshosts_auto that was added in
October 2024. The idea behind it is reasonable: when qmail tries to deliver
mail and the remote server's TLS is broken, you don't want to retry TLS
forever, so this feature automatically remembers the bad host by creating a
marker file named after it, and future deliveries skip TLS for that host.
The implementation lives in qmail-remote.c, inside the TLS error handler
tls_quit():

    /* partner_fqdn is the hostname taken from the MX record; it is only
       wrapped in single quotes before being handed to a shell */
    sprintf(acfcommand, "/bin/touch %s/control/notlshosts/'%s'",
            info->pw_dir, partner_fqdn);
    fp = popen(acfcommand, "r");   /* popen() runs the string via /bin/sh */

It builds a shell command containing the remote hostname and runs it with
popen(). The author wrapped the hostname in single quotes, presumably
thinking that neutralizes shell metacharacters, but that protection fails
the moment the hostname contains a single quote of its own.

The obvious objection is that hostnames can't contain single quotes, and
that's true of host names in the RFC 952 sense, but it is not true of DNS
labels. On the wire, a DNS label is just a length byte followed by up to
63 arbitrary bytes; RFC 1035 lets you put nearly anything in there, and
most recursive resolvers will happily pass it through. When qmail calls
glibc's dn_expand() to decode an MX record, some special characters get
escaped, but ', `, |, &, <, and > come through untouched. The net result
is that partner_fqdn, the string being pasted into a shell command, is
attacker-controlled via DNS.

Further details about how the bug was found are provided in the blog,
while the github repo provides PoC setup & exploit code.

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris


Current thread:

  • CVE-2026-41113: RCE in sagredo fork of qmail Alan Coopersmith (Apr 18)

Source: https://seclists.org/oss-sec/2026/q2/176