Sendmail Hit by Data Interception Flaw 208
ricepudd writes "Computer Weekly reports that Internet security researchers have discovered a serious flaw in Sendmail. The flaw could allow remote attackers to take control of users' PCs. The Sendmail Consortium urged users to upgrade to version 8.13.6 of the software, which contains a fix to the problem. Computer Weekly seems to think that the fact that the Windows version isn't affected will help curtail the threat."
Reality check: (Score:4, Funny)
Re:Reality check: (Score:5, Funny)
truly, it is the end times
Re:Reality check: (Score:2)
Am I the only one who thinks the idea of running sendmail on windows is downright strange? I've used postfix for years... I know you can come up reasons to run sendmail on windows, but jeeze... That's like finding a reason to run activex on linux.
Re:Reality check: (Score:2)
Am I the only one who thinks the idea of running sendmail on windows is downright strange? I've used postfix for years...
Running sendmail on unix is strange frankly. How many security issues have been found in it? When there are more secure alternatives like Postfix (apparently a drop-in replacement), or Qmail (zero flaws found to date), or Exim, there's really no need to keep installing the old timer.
Flaw seems unexploited (Score:5, Informative)
n/sendmail-8.13.6-i486-1.tgz: Upgraded to sendmail-8.13.6.
This new version of sendmail contains a fix for a security problem
discovered by Mark Dowd of ISS X-Force. From sendmail's advisory:
Sendmail was notified by security researchers at ISS that, under some
specific timing conditions, this vulnerability may permit a specifically
crafted attack to take over the sendmail MTA process, allowing remote
attackers to execute commands and run arbitrary programs on the system
running the MTA, affecting email delivery, or tampering with other
programs and data on this system. Sendmail is not aware of any public
exploit code for this vulnerability. This connection-oriented
vulnerability does not occur in the normal course of sending and
receiving email. It is only triggered when specific conditions are
created through SMTP connection layer commands.
Sendmail's complete advisory may be found here:
http://www.sendmail.com/company/advisory/index.sh
The CVE entry for this issue may be found here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE
(* Security fix *)
Re:Flaw seems unexploited (Score:5, Informative)
Re:Flaw seems unexploited (Score:5, Informative)
We do our best.
Seriously though, CERT told us that the embargo was going to end at 16:00 UTC, so I had a shell window open with a series of "cvs commit" commands waiting for me to hit <enter>, a window with the commit messages I was going to use, a window with the advisory text waiting for me to type in the correction times, a shell window open to ftp-master.freebsd.org waiting for me to copy the patches into the right directory...
When you have two weeks advance notice, it's easy to get advisories out soon after the embargo ends -- the hardest part of the process was making sure that I'd be awake at 8:00 AM (PST).
Re:Flaw seems unexploited (Score:3, Informative)
Re:Flaw seems unexploited (Score:5, Informative)
Gee, Full Disclosure would be nice (Score:2, Interesting)
Re:Gee, Full Disclosure would be nice (Score:5, Informative)
As it happens, someone already posted [slashdot.org] a screenshot of the BSD version of the fix.
A single line of c:
t = 0;
Inserted between lines 147 and 148 of file fflush.c appears to be the fix (reset a mem pointer just use above).
I don't vouch for it and haven't even bothered to look at context or even if its the actual fix required, however its not like it was hidden and you don't need to get uppity about it.
Incidentally, its such small code modifications that can bring great amounts of money to maintainers of corporate code that the monkeys don't understand what they are paying for.
"But you only changed 1 line"
"Yer, but that one line makes it work now...."
Re:Gee, Full Disclosure would be nice (Score:3)
Re:Gee, Full Disclosure would be nice (Score:2)
Re:Gee, Full Disclosure would be nice (Score:2)
Same concept applies to coding.
Re:Gee, Full Disclosure would be nice (Score:2)
My favourite story is one that was related to me a couple of years ago by a coworker. A previous job he'd had was at a place that wrote software for EPOS systems - tills mainly. They received a bug report, and one of the guys was assigned to track down the fault.
To cut a long story short, he spent six months working on it, until h
Re:Gee, Full Disclosure would be nice (Score:2)
The idea in this case isn't so much the time involved as the number of lines of code.
The analogy to the furnace repairman was more of how much observable work went on and the end result. He may still have spent an hour or whatever sounds appropriate looking at the furnace before deciding where to whack it. But a single hammer whack fixed the problem, in much the same way that a change to a single line of code can sometimes fix a bug. What might be difficult, depending on how
Re:Gee, Full Disclosure would be nice (Score:2)
t = 0;
Inserted between lines 147 and 148 of file fflush.c appears to be the fix (reset a mem pointer just use above).
If you bothered to check patches (available on sendmail.org), you'd see that there is more in a patch than a single line.
Re:Gee, Full Disclosure would be nice (Score:2)
Knowing which line to change: $1000
No link to actual advisory in summary or article (Score:5, Informative)
http://www.frsirt.com/english/advisories/2006/104
Re:No link to actual advisory in summary or articl (Score:3, Informative)
can someone explain... (Score:2, Insightful)
(Yes, tongue is firmly in cheek here...)
Why would this qualify as serious if there isn't even a known way to exploit it yet? Or was there one in there I missed?
Re:can someone explain... (Score:4, Funny)
Re:can someone explain... (Score:2)
Re:can someone explain... (Score:2)
Ah! (Score:4, Funny)
The FreeBSD mailing list is a little less alarmist (Score:5, Informative)
From: Claus Assmann <freebsd+security@esmtp.org>
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:13.sendmail
Date: Thu, 23 Mar 2006 10:31:20 -0800
On Thu, Mar 23, 2006, Bigby Findrake wrote:
> Does an attacker need network access to the machine, or does the attacker
Yes.
> merely need to be able to get an SMTP message to the machine?
He needs to control the timeouts (AFAICT).
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
My PC? (Score:2)
That the Windows version is or isn't vulnerable doesn't enter into it. I doubt that 1 in 10000 windows boxes would run an email server. (Okay somebody do the sales of Exchange divided by total Windows boxes and show me to be wrong. ;-)
Re:My PC? (Score:4, Informative)
What do you think the spammers use on their zombie boxes? Code they wrote themselves?
Re:My PC? (Score:2)
What do you think the spammers use on their zombie boxes? Code they wrote themselves?
No, but I didn't think they actually used SMTP for anything. Isn't it all IRC traffic? I've never actually seen a zombie computer, sorry.
Re:My PC? (Score:4, Funny)
Why would a spammer need a smtp server on a zombie box? Don't zombie boxes just send email?
Re:My PC? (Score:5, Funny)
And what protocol do they use to send it? SMTP, of course.
This has been another D'oh! moment.
Re:My PC? (Score:2)
Re:My PC? (Score:2)
Re:My PC? (Score:2)
>It's just easier to open a socket connection on port 25 and spew out
>your faked headers than it is to bother trying to hack it through sendmail.
which is why techniques like HELO verification and greylisting are so effective.
Re:My PC? (Score:2, Informative)
I see an awful lot of this on any given day
@400000004422e50b06a4b4dc Accept::RCPT::Rcpthosts_Rcptto: S:63.145.94.241:unknown H:ms1.remax.local F: T:xxxx@xxxxx
@400000004422e514391f8af4 Accept::RCPT::Rcpthosts_Rcptto: S:65.218.62.86
Re:My PC? (Score:2)
Yes that's true. I tell them to fix their MTA.
Same for requiring reverse dns, spf records, etc. Use any of these for hard rejection, and you're nuts. (Hear me AOL?)
Well I do. The spam situation is out of control. If the problem is that a remote MTA doesn't have a proper reverse DNS entry for instance, that needs to be fixed
Re:My PC? (Score:3, Informative)
I think it is you who need to fix your broken MTA:
"An SMTP server MAY verify that the domain name parameter in the EHLO command actually corresponds to the IP address of the client. However, the server MUST NOT refuse to accept a message for this reason if the verification fails: the information about verification failure is for logging and tracing only."
Note the "MUST NOT". Rejecting an email because the host has no reverse DNS or incorrect host name is prohibited by RFC2821
Re:Not quite (Score:2)
Re:My PC? (Score:2)
And that matters why, exactly? This is a problem with Sendmail, not the SMTP protocol. It's like saying "This Apache bug could affect Windows 2000 boxes running IIS." Just because it's using the same protocol doesn't mean it's using the same codebase.
Re:My PC? (Score:2)
Okay, so if clients are left out, then that leaves Windows 2000 Server and Windows Server 2003. If it's off by default in 2003, that leaves 2000. If it's off by default in 2000 Server, that leaves nothing. What kind of statement was that?
To set the record straight, server versions of Windows 2000 were the only versions of Win
Re:My PC? (Score:2)
Re:My PC? (Score:2)
FC5 comes with sendmail-8.13.6-0.FC5.1 (Score:2)
CONVERT!! CONVERT!! (Score:2)
Re:FC5 comes with sendmail-8.13.6-0.FC5.1 (Score:2)
Re:FC5 comes with sendmail-8.13.6-0.FC5.1 (Score:2)
Re:FC5 comes with sendmail-8.13.6-0.FC5.1 (Score:2)
I mean, Debian *comes with* sendmail, but nobody will have it unless they're dumb enough to explicitly request that it be installed.
The inevitable 'use postfix!' post.... (Score:5, Informative)
The two major alternatives are Qmail and Postfix; Courier is sort of an up-and-comer, but they've had quite a number of security holes in those packages. (of course, that may also be related to the fact that Courier does a lot more than just deliver mail.) Of the three, I prefer Postfix. It's exceedingly solid, very fast, and fairly easy to configure. The initial learning curve is a little steep (mostly because there's about a billion things you can set), but the config files are readable when you're done. You don't have to relearn the whole program every six months. It's also very secure... I'm only aware of two security problems in its entire history. (I don't remember the details, but I think one was minor, and the other was moderately serious.)
QMail is also solid, fast, and secure. But the author has decided that Unix machines should be configured a particular way, with files in particular places, and he uses his code as a weapon to try to force you to do things the way he wants. So I won't run it unless I have to. I don't deny that he's a brilliant coder and forty-eight times smarter than I am, but I refuse to be dictated to.
Postfix can take a beating.. it is Truly Great Software. It will handle any load that Sendmail will handle, it's easier to administer, and the security is better. And, of course, it's truly free... Wietse won't try to make your administration decisions for you.
Agreed (Score:4, Interesting)
Years after I mastered mc files and learned the magic of m4, back around 2002, I succumbed to
Some day I'll try Qmail. Baby steps.
-Waldo Jaquith
Re:Agreed (Score:2)
I didn't know Sendmail sucked until I used Postfix.
You must be a massochist. I remember using sendmail and simply wanting to change my outgoing mail so the from address was me@domain.com instead of me@machine.domain.com. I delved into it like any other project, but decided it wasn't worth it when I found out I had to learn an entire language (m4 or whatever it is), then compile that into another language just to do this one stupid thing. No thanks! A friend recommened postfix, and I've never looked back
Re:Agreed (Score:2)
Back when I ran sendmail I had heaps of problems with it. I bought a book called (I think) sendmail for linux and the conclusion of the book was to run something else. I went to qmail. Since then I have got more into free software (the GNU type) and I can see why the qmail license is a really bad thing. I run netqmail which is packaged as a set of patches with the qmail tarball because Dan Bernstein won't let people extend the source.
I won't move away from qmail yet but
Re:Agreed (Score:3, Informative)
Re:Agreed (Score:3, Informative)
Courier (Score:2)
(If I'm wrong, and there actually is a guide telling how to do this, someone please post a note, I'd like to finally migrate to the new server we got 1.5y ago.)
Re:Courier (Score:2)
Re:Courier (Score:2)
no its not. Its already been done - it is called Postfix. That was the original design spec of Postfix, to create a sendmail replacement that looked like Sendmail, yet didn't break. They have extended it over the years to included additional (read optional) configuration options for stuff that sendmail doesn't do well but otherwise it is simply a better-sendmail. Use it.
Others have mentioned Dove
Re:The inevitable 'use postfix!' post.... (Score:2)
Just doesn't make sense. The first thing I do any redhat system is to chuck sendmail and install postfix instead.
Re:The inevitable 'use postfix!' post.... (Score:2)
While you probably have your reasons for using or sticking with Redhat, I decided years ago to chuck i
Re:The inevitable 'use postfix!' post.... (Score:2)
Re:The inevitable 'use postfix!' post.... (Score:2)
A reliable source told me it's because customers would complain if they made postfix the default. He didn't go to lengths to defend it, but:
They do ship postfix packages, so at least it's trivial to replace sendmail.
SuSE ships with postfix by default.
Re:The inevitable 'use postfix!' post.... (Score:5, Insightful)
These are all good things, and it seems to me to be a bit two-faced to say that the power of open source is that there are many eyes on the source, and then to punish the software with the most eyes on it. Sendmail has been the heart of mail on the Internet for decades, and deservedly will continue to do so for the forseeable future.
These bugs demonstrate the old saying: where there is code, there are bugs. I'll stick with software that has already had the vast majority of its security problems shaken out.
Re:The inevitable 'use postfix!' post.... (Score:3, Insightful)
Unlike sendmail, it was designed to be secure. I'll take the one for which security was not an afterthought, thankyouverymuch.
Re:The inevitable 'use postfix!' post.... (Score:2)
You said it. I run it on dodgeit.com and it hums along quite nicely.
Postfix is awesome "out of the box" and is incredibly flexible when you get fancier and want to inject custom code into the SMTP handshakes, etc.
Just please remember to set "mynetworks_style = host" unless you trust every machine on the same LAN with your mailserver. I've been bitten by that one in a co-lo environment.
Re:The inevitable 'use postfix!' post.... (Score:4, Informative)
The two main configuration files are master.cf and main.cf. Master is the configuration for how the daemons work and talk with one another, and it's used to add in other programs for weird delivery arrangements. For 'normal' mailservers, you probably won't have to mess with that too much. Main.cf, on the other hand, is where you'll do almost all the configuration work... virtually everything goes there.
Stuff that requires lookups, like virtual addresses (the 'virtual' file) or transports (the 'transport' file), is set up in child files, flat text. The 'postmap' program compiles the text files into
You should probably expect to spend a day or two setting up a server the very first time you use it. Nothing is that hard, but it can be a little frustrating figuring out where to look for a given feature. Everything is easy, there's just a lot of it.
Once you have it running, the configuration becomes practically self-documenting, so it's *really* easy to make changes. Sendmail is write-only... you can get it working, come back a week later, and have _no_ idea what you're looking at. Postfix isn't like that... if it works, it will generally be pretty obvious how and why it works. (and it will usually be pretty clear about why things AREN'T working, too.)
If it has a weak point, it's probably that the documentation is rather scattered... expect to do a lot of googling while setting up.
It's really worth the effort. It's one of the best pieces of free software out there. And it's one-time only effort, unlike sendmail.
Re:The inevitable 'use postfix!' post.... (Score:3, Informative)
Most of the other tests use external
Insufficient data. (Score:5, Insightful)
There are also multiple ways of configuring sendmail when compiling it, which tells me that whilst an upgrade may be important, it may be much more important for some users than others.
Also, saying it doesn't affect Windows is unclear. Does it not affect Windows when you use some official
The report, as described, is about as useful as saying "we think we know a way by which under certain circumstances that we know, another may think they know a way by which you might have an increased chance of being struck by an asteroid". If you don't know what the way is, or what those circumstances might be, the information has little value. Sure, it has some in that they provide a bugfixed release, but we don't know how long the bug has existed and therefore have absolutely bugger all way of quantifying what the risk is that a server has already been compromised. It only prevents uncompromised servers from being attacked by this method in future.
Just because the press release is dated XYZ does not mean that every Black Hat under the sun hasn't got a CD-ROM filled with exploits for it and a list of backdoors on cracked sites from three years back. XYZ is merely the date the rest of us know about it. You don't maintain a secure system by assuming all crackers only know the exploits you've fixed. You maintain a secure system by assuming at least one cracker has the means to discover the exploits you've neither heard of nor have patches for - ie: by assuming you're running buggy software and taking the necessary steps to limit what those bugs can do.
eh (Score:2)
Re:Insufficient data. (Score:2)
When my eyes grazed over your text I initially read that as "Sendmail is a big problem"
Do you know why the "sendmail book" has a bat on the cover?
Sendmail has a bat on the cover because... (Score:2)
Re:Sendmail has a bat on the cover because... (Score:2)
Here are some more...
The diet of the North American brown bat consists principally of bugs.
Sendmail is a software package principally composed of bugs.
or this one...
Bat guano is a good source of ammonium nitrate, a major ingredient in things that can blow up in your face, like sendmail.
If I recall correctly, there is a whole list in 'the unix haters handbook'
Re:Insufficient data. (Score:2)
The thing is, if you step back and squint at it, it doesn't look so big.
It needs to listen to port 25. It needs to be able to set up sockets for relaying mail out. It needs to be able to query DNS. It needs read/write access to the spool area, and write access to the users mail files/directories. It needs to be able to verify user credentials with some service or another. It needs to be able to pipe messages through a spam/virus scanner. It needs to be able to read it's own
IE and sendmail flaws on the same day? (Score:5, Funny)
Shared codebase? Hmm?
Re:IE and sendmail flaws on the same day? (Score:2)
I was WONDERING why sendmail wouldn't display my .png files properly...
What about the servers? (Score:2)
Um, unless they mean take control of end user's PCs, what about the sendmail servers that are sending and receiving the email?
I have to wonder how far Slashdot is going with the whole "linux is da bomb for the desktop!" ccrowd.
Re:What about the servers? (Score:2)
All the way, baby. (Score:2)
The average desktop does not run sendmail or anything other than simple mail clients that use their ISP's SMTP sever. Their ISP won't let them. There's a good chance that server will be running sendmail, so users of nicer distributions are thwarted twice by "security measures", but that's all a different issue. Yes, Exim under Debian was easy to set up and worked great for desktop users.
In any case, Lin
More detailed information on how to exploit bug... (Score:2, Informative)
http://www.rapturesecurity.org/jack/exploiting_sen dmail.html [rapturesecurity.org]
Quoted:
written in a rush, pardon the mess
not that ive gotten that far but here is my (confirmed by mark, thanks) attack....
step 1)
connect to sendmail server say something like
helo me\r\n
mail from: myemail@hotmail.com
rcpt to: root
data
step 2)
WTF does sendmail do? (Score:2)
Re:WTF does sendmail do? (Score:2)
Re:WTF does sendmail do? (Score:3, Interesting)
No. Sendmail was written when moving mail was easy- they just thought it was going to get harder so they overengineered it.
The whole message rewriting header/scrambling thing has NEVER been needed to transfer to/from uucp hosts, the 7bit fantasy network, or other messaging networks- it was ALWAYS performed in the gateways to those other networks.
Source routes should never have existed- There should never have
It's Unpossible! (Score:2)
A security hole? In Sendmail? Now you're just talking crazy talk.
Strange... (Score:2)
According to the Sun security advisory [sun.com] related to this (thanks SANS Internet Storm Center [sans.org]), Solaris 8 isn't vulnerable, although it comes with Sendmail 8.11.x or 8.12.x (depending on your patch frequency)--versions in the vulnerable range.
I've been a Solaris admin for a long time and I find this to be a rather bizarre inconsistency. Why would Sun claim non-vulnerability when mere cursory examination of installed release shows vulnerability?
Any /.ers with m
Re:hear that? (Score:2)
Re:Who the hell still uses sendmail? (Score:5, Informative)
This sentence alone shows what an idiot you are. Go look up anomalous and then come back.
Back? Okay, good. Let's move on.
We still use sendmail because it meets our needs and because to those of us who actually know how to use it, it is less of a pain in the ass than your "better" alternatives. Sendmail had a whole slew of security problems many years ago before alternatives were even available, but in recent years, it has really not notably more security issues than any of the other options.
Face the facts here. Qmail and Postfix certainly have their uses, and are both excellent MTAs, but neither is "way better" than Sendmail for all installations. We each have our own requirements, and Sendmail meets those requirements for a lot of my installations.
Re:Who the hell still uses sendmail? (Score:2)
Re:Who the hell still uses sendmail? (Score:2)
No, what you mean to say, is neither is a complete replacement for Sendmail. And that's true- Sendmail does things that Qmail and Postfix don't do.
Unfortunately, that's [also] part of the problem. Sendmail is so much more complicated, that it's hard
Re:Sendmail - now in its third decade of exploits (Score:5, Insightful)
We've been struggling with Linux exploits since its birth, too. Shall we "drop the turkey" every time a new Linux exploit pops up, too, or should we acknowledge that it's a complicated piece of software whose security generally improves as it matures? I thought so.
Oh, and just for good measure...
Results 1 - 10 of about 203,000 for qmail exploit.
Results 1 - 10 of about 283,000 for postfix exploit.
I note that those queries generate about 1/3 and about 1/2 as many results, respectively, for products that have existed for about 1/10 as long as sendmail. By your ridiculously flawed "Google logic", qmail and postfix are far more dangerous "turkeys" than sendmail.
Re:Sendmail - now in its third decade of exploits (Score:3, Informative)
Re:Sendmail - now in its third decade of exploits (Score:3, Informative)
Re:Sendmail - now in its third decade of exploits (Score:3, Insightful)
We've been struggling with Windows exploits since its birth, too, and most of the
And now watch my karma vanish in an instant.
Re:new math? (Score:2)
Sendmail is a derivative of Delivermail, which was originally released in 1979, so we'll say Sendmail is 27 years old.
Qmail was in beta in 1996, so we'll say it's twelve years old, or around 0.44 as old as Sendmail, so the original poster's Google logic suggests it's therefore around 0.75 times as dangerous as Sendmail.
Postfix was released in 1998, which makes it eight years old, or somewher
Re:new math? (Score:2)
Did I just say this? Let's try that again with 10 years old. Maybe you CAN accuse me of "new math" now. If we plug in the right age for Qmail, it actually comes out to 0.9 times as dangerous, using Google logic, and still wins, but just by a nose.
First in two years (Score:5, Insightful)
2 in March 2003
1 in August 2003
1 in September 2003
1 in March 2006
2.5 years between vulnerabilities? Not too shabby, IMHO.
There is, however, one unpatched vulnerability, though the worst it can do is hide details from the log.
Re:First in two years (Score:2)
only 1 remote hacker in your machine is enough to destroy your 2.5-years work without blinking and you think this is good ? i certainly don't.
Re:What? Another one? (Score:2)
You need to apply about 50 patches to get a decent Qmail MTA, at which time all the security guarantees vanish. This is a problem because Dan seems unwilling to apply the patches that make Qmail a usable MTA. Big concurrency patch anyone?
wtf is it with Dan Bernstien's World?
He couldn't use standard SysV init scripts to start Qmail, n
Re:What? Another one? (Score:2)
#
if [ -x
csh -cf '/var/qmail/rc &'
fi
#
smtp stream tcp nowait qmaild
Super gray area (Score:2)
If it's a vulnerability, it's a *very* unlikely one, for the simple reason that almost no configuration on earth gives a single qmail-smtpd 2GB+ of memory.
If I were Bernstein, I'd have given the $500 away and renewed the guarantee. I'd have said that the bug was tremendously unlikely to ever work, and impossible for it to work if you followed good practices in your inst
Re:Wait (Score:2)
Avaliable here (Score:2)
http://www.city-fan.org/ftp/contrib/mail/ [city-fan.org]
Phil
Re:How can it POSSIBLY be... (Score:2)
It had to run suid root and accepted data from many sources. It also had lots of extensibility that resulted in calls to external programs.
At some point, critical bugs were found as frequently as in MSIE today. The phrase "sendmail bug of the month club" was often heard.
Just as with MSIE, after fixing a lot of problems and making some architectural changes, things seem to be more safe ri