Buffer Overflow in Sendmail
ChiefArcher writes "On the footsteps of openssh, Sendmail 8.12.10 has just been released due to a buffer overflow in address parsing. Sendmail states this is potentially remotely exploitable. No updates on the Sendmail site yet, but the FTP site has the release notes."
That's why you should be using qmail, ya' code monkeys! Seems like this happens every couple months.
Show your love for the Hacker community
HackerLogo.com
qmail?
Look, someone had to say it, it might as well have been me.
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Should say: from the what-else-is-new dept. Umkay?
A programmer is a machine for converting coffee into code.
That's why you should entrust all your email services to Hotmail.
Openssh is also exploitable today. (AGAIN!)
They missed a few from yesterday.
http://www.flyingbuttmonkeys.com/ssh/
has a few RPMs (9/8/7.3) I just compiled to patch the problem.. (backported).. The SRPM is also available for those unwilling to trust my patching efforts.
Or you can wait a few hours for official redhat releases.
The official announcement is here.
:)
I've already downloaded and installed it. Thank goodness for Slackbuild scripts
Does Linux have an Auto-update mechanism similar to windows that indicates when new patches are available for download? That would be a very useful feature. The number of patches on all OSes are getting ridiculous these days.
Mistakes happen to everyone, and microsoft code isn't necessarily even the most important part of the internet.
Use Microsoft Exchange Server!
Is it perhaps time for a code rewrite in Sendmail, or maybe a quiet, dignified retirement? It appears, from empirical evidence, that Sendmail is insecure by design. And that's not a good idea for a mail server, in today's world of spam.
((lambda x ((x))) (lambda x ((x))))
I'll have to dust off my sendmail sploit-of-the-week card and get them to punch it for me! 12 punches and you get a free MTA!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
A buffer overflow has been found in my brain whereby I get fucking angry every time a new bug is found that requires me to update 8 damned machines.
Same with the Micro$loth world. Hate Outlook Express? Use something else. God knows I would.
Aight... I'll fill in the blanks
ftp://ftp.sendmail.org/pub/sendmail/RELEASE_NOTES
No surprise, "MS" Sendmail is buggy and has been...use Postfix
You'd think that it would be easy to fix this at the language level. It can't be that hard to create a string library that automatically ignores everything past the end of the string.
The lengths some people will go to to try and damage Sendmail's pride.
Seriously, it seems like these guys have about as many security holes per line of code as MS (but obviously MS has a lot more code). Anyway, why does anyone use sendmail anymore? The difference between configuring sendmail and configuring postfix is like the difference between banging your head on the wall and having sex with the most beautiful woman on earth.
autopr0n is like, down and stuff.
Is it just me, or does it seem like lately there have been A LOT of security issues found in web daemons?
It's just you, because neither SSH nor SMTP have anything to do with the web.
Cuz OSS is so secure an M$ is teh suck!
I don't need no instructions to know how to rock!!!!
Yesterday was the day of openssh, and today for sendmail (what's next? bind? apache?). More than the usual rant about using alternatives like postfix/qmail/exim/etc instead of sendmail, I see that as a positive thing; it could be a signal that more testing, auditing, and usage is being done, and, by the open source nature of those tools, that these kinds of things will be fixed or the programs will evolve to avoid these kinds of things with (really) safer practices.
Geez, am I suddenly running MS-Linux? What's up?
Anyway, updates thoughtfully provided and hosted, ala yesterday, god damn it. PATCH! NOW! Unless you think "arbitrary code execution" is a feature. And NO, I'm not talking about ActiveX.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
Does anyone have a good explanation of how a buffer overflow allows you to execute arbitrary code? It seems to me that the memory that gets overwritten is somewhat random. It is either the stack or some memory in dynamic store. It seems like each time you send in the overflow data it will be writing a different area of memory, so you don't know if your code will get executed or not. Since you have to start executing at the right place you would almost never be able to execute your code.
Just assume that Sendmail is garbage.
Just assume that bind is garbage.
Stop using them.
Stop making unix/linux look bad.
Just a note, the word is "alot". No space.
postfix, you insensitive clod!
Ok, this is not a poll but anyways... *why* do ppl still use sendmail?
It's possible that Microsoft and Sendmail are both bad at security. Sendmail is a horrible piece of software anyway.
autopr0n is like, down and stuff.
I for one welcome our new "retarded" overlords.
Bug found in Bugmail. News at 11. *yawn*
If you're surprised by this announcement, you ARE an idiot. Why does this program still get used? There are compatible replacements out there that aren't NEARLY so bug-ridden. WTF is wrong with you people?!
Ever wonder if microsoft has teams of people getting paid that do nothing but search for and anonymously submit bugs and proof of exploits in competing OS's. I mean hey. .in a way it's good this stuff gets discovered and patched. .but it's still bad press for linux when there is a new bug out every day. .
Let's look at their code and start doing the same. . ohh wait. . we can't. . They don't let us see it. .We're just supposed to trust them it's all good. .
last i checked it's two words.
Click here for sendmail 8.12.10 release notes
Also, a Swedish CS student has posted an exploit on his web site. (With some code deliberately hobbled to prevent skript kiddies from abusing it)
A serious response to the story is too bleak. Ho-hum, upgrade sendmail, patch it, OK.
Comedy is inappropriate. "Is that sendmail dead? No, it's just sleeping. Oh, I could swear it was dead! No, it's just tired, see? Sendmail gottan exploit, sendmail gottan exploit!"
Irony is difficult. To be honest, I can't even be sure which ironic form I would employ in this case. Forget irony.
Sarcasm? "Sendmail, yeah, like we're still using that dinosaur!" What, we are? Dang. Why? "Cause it was there?" What kind of an excuse is that?!
Nihilism... "yes, another day, another exploit. ssh, now sendmail. I can just see the future, one long bitter trail of unpatched software, server after server to upgrade. brain the size of a planet, and here I am, patching sendmail. what's the use, I ask you...?"
Slashdotisms? All your sendmail overlords are 1-2-3 profit to us? Imagine? In Russia? No, no, no.
SCO! SCO! "It's not an exploit, it's a snippet!!!" Worth a try.
Damn you to the deepest depths of hell, Slsadhot edirots, this story has so little karma leverage it hurts.
Ceci n'est pas une signature
Yeah, that SSH web daemon yesterday and now the Sendmail web daemon. It goes with all those Microsoft RPC web daemon holes... duh.
Trolling is a art,
Gasp!
Why, this is totally unprecedented!
This hasn't happened since...uhm...well...for at least about 15 minutes now.
"Provided by the management for your protection."
Before all the Microsoft apologists jump in and point out that any system can have vulnerabilities, and Linux users should not bash Microsoft.
It is true that any system can have unintentional bugs that lead to security vulnerabilities. This is true of any system and not just Microsoft. Therefore, Microsoft should not be unfairly bashed due to these kinds of bugs, any more than any other system.
But there is another kind of security problem for which Microsoft is deservedly bashed. The problem Microsoft is bashed for having poor security is when their system is insecure in its design. (It may not have been a design goal.)
Examples would include running a webserver under the System or Administrator account so that once it is compromised, the system is rooted, and installing and activating services by default. These problems are all caused by security having had a low priority in the past, and Microsoft is deservedly bashed for these. Nimda or Slammer may be buffer overflows which could happen to anyone, but there is some deserved criticism as to why it was such a huge problem.
No doubt, sendmail also deserves some criticism.
I wonder how many Linux/Apache systems get web pages defaced via SQL injection or other PHP related attacks, but do not lead to the box being rooted? Any numbers?
Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
I found a bunch of them.
I'll tell you how to fix them if you mail me at
^_^
There were a couple of potential buffer overflows found in OpenSSH and one in Sendmail, both of which have nothing to do with the "web". Who has time to find them? Check out http://www.securityfocus.com/
I experience daily buffer overflows receiving mail.
Anytime a MS product and a competing product go head to head, everyone talks about the Anti-MS product working better...
Well, why is Sendmail's Overflow more "Buff" than Exchange's???
Will its "Buffer" Overflow run on a 64bit processor? Did it get "Buffer" legally, or like so many from the Open Source movement, is it on drugs of some kind that just make it SEEM "Buffer"?
Why would you want your Overflow to be "Buffer" anyways? We should be saving resources as much as possible and overflow is wasteful so really having Buff overflow is bad for the environment too...
---"What did I say that sounded like 'Tell me about your day?'"---
This is the patch: parse8.359.2.8.
The word you've entered isn't in the dictionary. Click on a spelling suggestion below or try again using the Dictionary search box to the right.
........
Suggestions for alot:
1. allot
2. all-out
3. eluate
4. Aleut
"I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
It was me who complained, yes, beloved, it was meeee, all meeee.
Heckle, I command thee.
And yet, strangely, I feel compelled to agree with you that Microsoft code is not the most important part of the Internet. Very true. In fact, if the only code out there was Microsoft's there would be no Internet.
OK, you can heckle now, I'm mentally prepared.
Ceci n'est pas une signature
I'm sorry. .were you claiming you didn't know what I meant by demonstrating your inability to deduce the point I was attempting to make, or do you just like seeing your own posts?
Thanks for whoring,
-Rich
A buffer overflow in sendmail? Who woulda thought it?
http://xkcd.com/386/
to keep other people from exploiting all the undiscovered holes in postfix.
A fix for the "all your misspellings are beloning to us" Verisign hack.
But they must have, because there are no bugs in any software that runs under Linux. There never have been, and there never will be.
If you go out of bounds on an array, you get an exception. In fact it's possible to compile C and C++ apps to prevent this. For example, Microsoft's C++ debug-mode compiler creates buffers around each freshly allocated memory space and checks them after each time you allocate more memory. It's not a perfect solution, but it helps a little bit. I would think these overflow 'sploits come from pre-allocated memory though (otherwise you wouldn't theoretically know where the code was going to be in memory. I could be wrong though)
It's definitely possible to write C++ code that doesn't do this crap.
(but keep in mind there is more to security than buffer overflows)
autopr0n is like, down and stuff.
Regardless of what you think they should do to this slogan due to the OpenSSH buffer overflows, here's an excerpt from the email I just got from the security-announce@openbsd.org mailing list:
---------
A buffer overflow in sendmail's address parsing routines has been
found by Michal Zalewski. The bug appears to be remotely exploitable
on Linux and while it will be more difficult to exploit on OpenBSD
it still looks to be possible.
---------
I guess the huge numbers of people who have no jobs have nothing better to do!
Who cares? Sendmail is obsolete.
qmail
postfix
exim
We have more to fear from the bungling of the incompetent than from the machinations of the wicked.
Sendmail 8.12.9 prescan bug
attack details:
Local exploitation on little endian Linux is confirmed to be trivial
via recipient.c and sendtolist(), with a pointer overwrite leading to a
neat case of free() on user-supplied data, i.e.:
eip = 0x40178ae2
edx = 0x41414141
esi = 0x61616161
SEGV in chunk_free (ar_ptr=0x4022a160, p=0x81337e0) at malloc.c:3242
0x40178ae2 : mov %esi,0xc(%edx)
0x40178ae5 : mov %edx,0x8(%esi)
Remote attack is believed to be possible.
It also seems that a CS student from the university of Sweden has posted a working exploit on this web site. Scary stuff. So patch your system, people!
http://www.trl.ibm.com/projects/security/ssp/
stack-smashing protection helps to limit these kinds of attacks even if the specific vulnerability is not fixed.
For a person calling himself "NetMagi" I'd think you'd know the differences between a "web daemon" and a "daemon", weiner.
I feel like my week isn't complete without patching Sendmail at least once. Ahhh... return to normalcy. I feel better.
Great post, I believe you accurately summarized a good 200 or so slashdot readers' minds on Wednesday September 17, @02:11PM
Dear toilet user!
ya know. .originally I authored the post with just the word "daemon" and I thought. .gee. . .the morons out there won't get it. .
.prove others wrong even when you know quite well what they mean?
.be sure to point them out to me
so I added "web". .
now, granted, a better choice would have been "internet". .
but, the IDIOTS out there were probably able to figure out the word "daemon" with "web" in front of it, and the "smart people" knew what I meant
but. . . instead of moving on, no less than 3 of em felt the need to "say I'm wrong"
Is this the most exciting thing to do on slashdot.
I guess it's better than "flaming newsgroups".
-rich
P.S.
please, for godssake, if I made any spelling errors.
When did everyone decide the standard way of fixing security bugs was no longer worth the effort. You don't release a new version with a security bug fixed until all the distros have been contacted and the fix has been backported. Why have Sendmail and OpenSSH decided this no longer applies to them? Is Apache next? Are they going to force an upgrade to Apache 2 by rolling security fixes into beta versions and not bothering to tell anyone before they are released?
I'm a happy postfix user myself, but it should be noted for fairness reasons that the last postfix-related advisories are about two weeks old... Face it, some software may be better than others, but no matter what you are running, you'll always have to keep your systems up to date. Looking down on others because the software they run is oh so insecure and yours is perfect is the first step to being rooted.
Programming can be fun again. Film at 11.
"On the footsteps of openssh, Sendmail 8.12.10 has just been released due to a buffer overflow in address parsing."
:)
Wow, they better get that fixed before the buffer overflow releases something more interesting, like Half Life 2.
that many in the Open Source Community are content to imitate Microsoft's latest offerings, but copy exploits is, in my opinion, going too far! ;-)
So rise up, all ye lost ones, as one, we'll claw the clouds.
I do, see my own reply to my original msg. For the record, I've worked as a sysadmin of linux machines (three flavors) since 1994 for a fairly large web-hosting company I won't mention here. I think I know the difference as well.
.I'm looking for you to ask yourself if you knew what I "meant". . If yes, thank you and drive through.
-rich
I'm not looking for your respect.
That guy Eric Allman purposely puts bugs in his code so he can write exploits and crack into machines. He's been doing it since the late 80's. We cracked his box years ago and found an unpublished exploit THAT HE WROTE for the current version of sendmail sitting in his home directory. Coincidence?
Do you think the seemingly constant buffer overflows we see in open source software might be showing the weaknesses of C/C++?
>> The difference is ... that IT'S ALREADY FIXED
Does it matter if it's already fixed? It seems to me that the real issue is "How long does it take for enough vulnerable computers to be patched so worms can't spread?"
In order to become widespread, worms like the recent ones need to infect a lot of machines *quickly*, so they can outrun updates to antivirus software and/or patches getting applied.
I'd be willing to bet that most mainstream computer users (read: "Windows users") don't scrupulously keep up with antivirus / OS updates. So it hardly matters if a fix is made, unless there is a delivery mechanism to disperse the fix *ahead* of the worm's spread.
I think Microsoft has a fairly good track record at releasing timely fixes; they're just not applied quickly enough to prevent outbreaks. Of course it would be nice if the holes didn't exist in the first place, but most software contains exploitable holes...
While surely not being a Microsoft fan, Microsoft has understood this and has made solutions available for patch management like the SUS server. It enables you to store patches on a central server (so they do not need to be downloaded a hundred times...) and specify which updates to approve for distribution.
And for the paranoid of you, clients do not need to have any Internet access, so please spare me the usual "Microsoft is spying on us" screams.
On the Linux front, Debian has a system, SuSE has another (which is a GUI application *cough*), RedHat charges you for patch management etc.
Yes I understood what you were implying, I was just being a facetious bastard.
Trolling is a art,
The big difference between bugs found in MS products and bugs found in Open Source products seems to be: Bugs in Open Source products seem to make the /. front page the same day a patch is released. MS product bugs are posted about days before a patch comes out.
Of course that could be because the OS projects fix their bugs as soon as they find them rather than having to wait for the red tape to clear up.
"For a successful technology, honesty must take precedence over public relations for nature cannot be fooled." -Feynman
Boy, I sure am glad that my SendmailUpdate notified me automatically that there was a problem and automatically downloaded the patch for me. Windows never does that, right folks?
... and you're right, they're both prone to problems along with everyone else's code. The point is DISTRIBUTING A FIX. I don't see much of an open source solution for that.
Seriously. How many people out there are running sendmail and don't read slashdot (thus never getting notification?). How many people are running a brand-spankin-new linux distro that came set up out of the box with sendmail, and don't even know they're running it? How many know they have it but just don't give a shit?
Yes, the patch was released quickly. But how easily is it widely distributed? Windows may have buggy software - but so does the rest of the world; at least MS put automatic WindowsUpdate in XP to help take care of the distribution problem.
Some people already are saying "well, MS code sucks, and so does sendmail's"
So there.
no comment
Human genome = 3 billion base pairs = 6 GBit. Windows + Office = 20 Gbit. Which is more impressive?
It is a story about a detailed PDF on MacOSX/Darwin+PPC specific ways to run malignant code once and if an exploit is found. The posting is somewhat misleading, the PDF is not about vulnerabilities at all but what to do once they are found, as some reply clarifies.
I am pretty sure that similar docs exist for Linux+i386 and a-plenty of other architectures (MS Wind anyone?).
Dani++
Well, one problem that I've encountered in distros like debian is that there are rather annoying dependencies. There are things that require a local MTA. There are things that require EMACS. That's just dumb if it only makes one obscure call.
Otherwise, I've been really happy with Debian.
Do not look into laser with remaining eye.
see you spell as bad as I choose descriptive words!!! AND yer a bastard . .which I like :)
"Hackers distributing new Windows exploit"
From the SecurityFocus article:
Patch! Patch now!
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
Now tell me why not all software has this feature.
Cig? No, thank you.
please, mod parent up as "FRICKIN' HILARIOUS!"
as I cannot believe that sendmail would have an exploit (remote or otherwise) given its' history.
thanks, you just made my point
Sendmail has remote exploits every couple of months at best. Why is anyone surprised any more? It's not as if it's easy to set up or administrate, or is horribly high performance. It's about as middle of the road as you get. As many have pointed out before I'm sure, this is exactly why we complain about software from microsoft (and I mean just the software, not its licences nor the biz tactics associated with it).
So why not look for alternatives, all you sysadmins out here? I for one prefer qmail. There are plenty of others.
I know it's hard to switch to a new system when you've gotten proficient in configuring something well, especially when you are so busy using it that you don't have time to play with something new to see if it can work for your setup. But I can't see that running a frequently exploited mail server will cause anything but more work.
Especially software that is semi-commercial. They're getting paid to check for these issues, after all.
Ok, credit given where credit is due. The problem has been recognised within a short time of being detected. That's better than Hotmail's "check the password? what for?" bug, that persisted for six or seven months, and remained in effect for several days after the media ran the story.
But that's where the credit ends. It shows that the program isn't being routinely tested and verified with overflow detectors, or (if it is), that the testing procedure is inadequate.
It shows why rival MTAs (eg: Postfix) are gaining popularity, when Sendmail could have kept absolute control of the market, merely by being the best.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
OpenSSH & Sendmail exploits on *nix
vs
RPC over HTTP on Windows NT/2k/XP
which virus strain will make the best use of which OS's exploit? will we see another clear win by Windows (like the Code Red, MSBlaster and other well known victories) or will *nix finally have a chance (unlike that lousy display of power... what was its name... Slammer which at its peak had fewer boxes than Code Red still holds)
or will we see a team effort in bringing down the internet, a cross-OS virus that exploits all the holes. Will we finally see 'Yellow/Blue worm' realized?
Would taint-checking addresses in a CGI program cover this hole in unpatched sendmails?
Certainly you want to patch your own machine, and get the admins you know to fix theirs. But I am thinking now about people running on a virtual hosting server which is perhaps getting most hits from Perl CGI program, and which are using sendmail only internally, for example to send email to automatically registered users. Would it be sufficient to (as usual) check length of address and remove nulls?
I agree....you have to keep updated pretty much no matter what...it's just a matter of frequency. Although I have to say I have not heard of any vulnerabilities in qmail, and I have been using it for about 3 years now. No one has claimed the cash prize that I know of either.
If someone knows better, feel free to correct me.
I'm not supposed to get jigs in it!
There seems to be a remotely exploitable vulnerability in Sendmail up to
and including the latest version, 8.12.9. The problem lies in prescan()
function, but is not related to previous issues with this code.
The primary attack vector is an indirect invocation via parseaddr(),
although other routes are possible. Heap or stack structures, depending
on the calling location, can be overwritten due to the ability to go
past end of the input buffer in strtok()-alike routines.
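As an added illustration of the bug class the quoted advisory describes (a token scanner that can run past the end of its input buffer) and of the one-line bounds check posted elsewhere in this thread, here is a constructed C example. It is not Sendmail's prescan() code; the scanner names, the 16-byte input window and the sample addresses are all made up for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_MAX 32   /* output capacity used by the demo (arbitrary, constructed) */

/* Unbounded scanner (the bug pattern): copies one token up to a delimiter or
 * NUL and knows nothing about how long the input buffer really is, nor how
 * much room the output has.  If the caller's buffer holds neither a delimiter
 * nor a NUL, the loop keeps reading (and writing) past the end of it. */
size_t scan_token_unbounded(const char *in, char delim, char *out)
{
    size_t i = 0;
    while (in[i] != '\0' && in[i] != delim) {
        out[i] = in[i];
        i++;
    }
    out[i] = '\0';
    return i;   /* bytes consumed from in */
}

/* Bounded scanner (the fix pattern): never reads in[inlen] or beyond and
 * never writes past out[outcap-1].  *cut is set when the token had to be
 * truncated because the output buffer was full. */
size_t scan_token_bounded(const char *in, size_t inlen, char delim,
                          char *out, size_t outcap, int *cut)
{
    size_t i = 0;
    *cut = 0;
    if (outcap == 0)
        return 0;
    while (i < inlen && in[i] != '\0' && in[i] != delim) {
        if (i + 1 >= outcap) {   /* keep one byte for the terminator */
            *cut = 1;
            break;
        }
        out[i] = in[i];
        i++;
    }
    out[i] = '\0';
    return i;   /* bytes consumed from in */
}

/* Constructed memory layout: a 16-byte "input buffer" containing no delimiter
 * and no NUL, immediately followed by 32 bytes of unrelated data, then a ','
 * and a NUL.  Everything lives inside one 64-byte array so the demonstration
 * itself stays well defined; in the real bug the bytes after the 16-byte
 * window would belong to some other heap or stack object.
 * Reports how many bytes each scanner consumed. */
void demo_overrun(size_t *consumed_unbounded, size_t *consumed_bounded)
{
    char region[64];
    char out_big[64];             /* large enough that the demo cannot corrupt itself */
    char out_small[TOKEN_MAX];
    int cut;

    memset(region, 'a', 16);      /* the logical input: "aaaa...", unterminated */
    memset(region + 16, 'X', 32); /* adjacent data an overrun would walk into */
    region[48] = ',';
    region[49] = '\0';

    /* Stops only at the ',' at offset 48: 48 bytes consumed from a 16-byte buffer. */
    *consumed_unbounded = scan_token_unbounded(region, ',', out_big);
    /* Honours inlen = 16: stops exactly at the end of the logical buffer. */
    *consumed_bounded = scan_token_bounded(region, 16, ',', out_small,
                                           sizeof out_small, &cut);
}

int main(void)
{
    size_t u, b;
    demo_overrun(&u, &b);
    printf("unbounded scanner consumed %zu bytes of a 16-byte buffer\n", u);
    printf("bounded scanner consumed   %zu bytes\n", b);
    return 0;
}
```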
As said above (and my $0.02), Sendmail has never been a big one on security. Most distros have sendmail by default configured open which is adding to the whole mess. This vulnerability will probably haunt a lot of people for a while, especially those who have no idea what Sendmail is or how to harden it.
The biggest security hole sits between the keyboard and chair.
-Andrew McAllister
SO QUIT BITCHING AT ME TO SWITCH TO EXIM/QMAIL/MSEXCHANGE/WHATEVER!
You people are almost as irritating as Christians trying to win converts!
You're a whiny pansy. Welcome to /.
Where is there a spelling mistake in there?
, thanks
Interestingly, *nix users don't seem to howl at Slashdot for publishing every vulnerability that comes along in *nix, rather there are discussions of the best way to patch etc, whereas I've noticed that every time there is an post about the latest Windows/IE/SQL Server/?? hole, there is a deluge of postings from defensive MSFT zealots who loudly complain that the Slashdot world is picking on them. Odd.
Here, I'll sum up EVERY SINGLE RELEASE for you:
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
More testing, auditing, evolving safer practices, and security avoidance? Easy Boy!
This is sendmail we're talking about, which has more exploitable holes than a parade of hookers. So that leaves you with yesterday's openssh event as significant.
Could you at least give a few of the vendors a few days to release fixed packages/rpms/ports etc? I know that isn't all cool with bugtraq and the other full disclosure lists, but we're talking about fucking *sendmail* here, that comes default installed on my fucking linux toaster-oven and everyone else's machine for that matter. Give the people who actually care about security a day or two to patch up and prepare for the worst. Now it's a fucking arms race that ultimately the script kiddie will win while we wait for our vendor to issue an official patch. (What, apply our own unofficial patch? Yeah, let me clear that with my anal boss and fill out some paperwork in triplicate and hope nothing fucks up and puts my ass on the line without someone else to blame. CYA baby).
When is Micro$haft going to stop releasing crappy stuff that makes us have to patch our copy of...
:^)
linux
Oh.
Never mind
j/k
The FreeBSD version of Linux has a auto-updater.
su - root
cd /usr/src
make update
(You now have the fixes)
make buildworld
make buildkernel
(You have made the fixes)
mergemaster
make installworld
make installkernel
Now reboot, just like in windows and you have the latest patched Linux system.
When is Microsoft going to start creating secure software? I mean I'm personally tired of all these security flaws. It has gotten to the point where there isn't any room left in Microsoft products. Now the bugs and flaws are leaving Redmond and starting to take up residence in ssh and Sendmail.
When will it all end?
Yet, year after year sendmail remains the buggiest open source code ever produced and - to make matters even worse - it is used in the very backbone of the internet.
BOO! TERRO
what else is new...
Damn slashdot and 20secs.
The war with islam is a war on the beast
The war on terror is a war for peace
For example, the ones for Linux actually work. I have never heard complaints about APT or up2date where updates were reported to be installed but were not installed, or vice-versa. There have been quite a few reports lately of this happening with Windows Update.
To be fair, Debian has (once, AFAIK) released a security patch with an error in it; an update to man caused a glitch in a nightly cron job. But this is far less serious than some of the flaws in the history of Windows updates.
For update notification with Debian, I rely on their email security announcements. You can subscribe to their list, and they also post the announcements to BUGTRAQ. There is probably a cute, glowy applet like Red Hat has for up2date available somewhere, but most of my servers don't run X.
Also, you can look at the number of security announcements for a Linux distribution and say that it's "ridiculous", but you have to take into account that you probably don't have most of those packages installed, and that distributions like Debian issue security updates for several thousand packages, not several.
WMBC freeform/independent online radio.
There is a patch for the "prescan" bug in:
http://ftp.pg.gda.pl/pub/software/sendmail/
Isn't it the same as this bug? BUT LOOK AT THE DATE! It was written in march. Has this bug been known for half a year?
ummm... because that means you're the overlord?
That version of postfix that you reference isn't even current. It's a full MAJOR release behind. Consider that before you bash it.
perl -e 'printf("mmm %x\n", 3735928559)'
I hate to suggest this (well, not really), but sometimes, the timing is too weird. A couple weeks after Microsoft starts taking a heavy bashing from security holes, the *n*x OS's get some exploits.
Anyone think its possible that Microsoft hired a few "consultants" to work full time looking for exploits in competing OS's? Regardless of the severity/exploitability of any exploits found, they make powerful bullets in the Microsoft PR gun.
I've got a remotely exploitable hole, man. Fuckin' A, I've got a remotely exploitable hole.
MOD PARENT TOPWISE. TOPWIIISE!
because Linux will just get better and better without ever being compromised by one of these exploits. At the same time, M$, with their policy of NEVER fixing a vulnerability until it IS exploited, does nothing but continue to drive people to Linux.
I don't know what the fuck you're trying to say here, but it's clearly wrong.
(Or should that be: I don't know what you think you're talking about, but the gostak distims the doshes.)
Shower, Coffee, Slashdot, Sendmail bugs... some things we can rely on daily...
[[ the only 15 letter word that is spelled without repeating a letter is uncopyrightable: it may soon be, however. ]]
Ok, so I am an idiot.
To me writing a coding mistake is bad, but having it found after it's been published is unspeakable. Take time, check your code. Some tools autofind buffer overflow problems. Why isn't anyone using these, why isn't anyone pointing out this fact, why is it that linux gets hacked more than microsoft? Think about this before you reply. I hate micro$oft, but I really hate people talking trash about their code while their own code is being exploited. I'm not talking about just sendmail; apache, ssh, and more than I can count have the same problem.
+-+-+-The folowing statement is true. The previous statement is false.-+-+-+
He is, unfortunately, absolutely right. MS doesn't believe in full disclosure... something which is incredibly common in the commercial world. As a result, it is quite possible for an MS security bug to exist, possibly with an exploit, and for the public to find out only because someone other than Microsoft finally reports it.
I have a job and rarely do things as worthwhile as find security holes in ssh and sendmail.
Isn't it Ironic?
Like when there 1000 websites with Sendmail patches and all you really wanted was a Postfix install disc.
(with absolutely NO fsking apologies to Ms Morisette)
Everyone will start to cheer when you put on your sailin' shoes.
you seem to have done pretty good anyways.
Of course, there is little point posting a comment that does not interest and intrigue.
This is not a signature
Why not use bluebottle.com instead? They have free 10 meg accounts without MS bs or advertising and use a TMDA-like system for anti-spam verification. I'll never understand why technical people would use a hotmail account (bluebottle *will* also check your hotmail account for you).
Quack, quack.
From the Debian security advisory (earlier today):
two more buffer handling problems have been found in addition to the one described in DSA-382-1. It is not known if these bugs are exploitable, but as a precaution an upgrade is advised.
They're just fixing more buffer problems that came up after the first one was addressed yesterday.
The first thing I do when I install a Linux distro is wipe out sendmail. Running it is simply asking to be broken into. It is old, full of holes, and far past its prime. Why people still run it, I do not know...but it's probably for the same reason they still run BIND.
The alternatives I prefer to these veritable blocks of swiss cheese are qmail and djbdns (tinydns)
-R
if(cnt > maxlen) break;
Yeah, check the MD5 checksums of trojaned code to make sure nobody else tampered with it. That helps a lot. The point is if you are downloading software from flyingbuttmonkeys, you are a moron.
In case anyone is forced (by legacy apps & shit) to be running old versions of sendmail, the patch supplied applies nicely to version 8.9.x of sendmail. It even continues to work after it's patched.
Not like anyone is going to find this comment so late in the discussion, but...
There was a Dilbert strip where Dogbert tried to sell Dilbert a "perpetual newspaper"; only a thousand dollars and you'll never need to buy another newspaper!
The headlines were like "Pope Denounces Violence" and "Real Estate Values Rise" and "Unrest in the Middle East". I think that "Buffer Overflow Found in Sendmail" would have been a worthy addition to the Tech Pages.
There are two kinds of sysadmins: paranoids and losers. I'm both kinds.
Smashing the stack, for fun and profit http://www.insecure.org/stf/smashstack.txt
Ooooh! That "M$" is so clever!
http://www.penny-arcade.com/view.php3?date=2002-07-22&res=l
- Peter Brodersen; professional nerd
Has postfix been better security wise? Last exploit in postfix was what, 2 weeks ago? I hate to break it to you, but upgrading to an arguably slightly less secure MTA is pointless. Either way you have to apply the odd patch here and there, what's the difference?
Qmail at least gives a legitimate reason to upgrade, but a lot of people need more than the bare minimum smtp support, so it's not a reasonable option. Still other people have this weird notion of supporting free software, again making djbware useless.
Get over yourself, sendmail is not that bad, and a lot of people use it on purpose, knowing full well about qmail, postfix, exim, courier, etc.
Well, I don't use sendmail. I use postfix.
Do you use OpenSSH?
Hmm, two remotely-exploitable holes in as many days. Are you as quick to ditch OpenSSH as you are to ditch Sendmail?
I had to kill off my SSH servers yesterday waiting for the Sun patch....
And now BAM ! Sendmail exploit and I can't ssh to my goddam servers to shut it off...
I'm fscked, hope no one notices my servers...
Could anyone tell me if it's easy to migrate to postfix from a fairly complex sendmail.cf ?
That guy Theo deRaadt purposely puts bugs in his code so he can write exploits and crack into machines. He's been doing it since the late 90's. We cracked his box years ago and found an unpublished exploit THAT HE WROTE for the current version of OpenSSH sitting in his home directory. Coincidence?
I cannot believe Microsoft has another security hole! The open source community would never---
oh, fuck.
jack's bicycle is music to my ears
Here is a HOWTO and a tarball containing all of the files necessary to replace sendmail with qmail on an RPM based system.
Vulnerability list
From excellent karma to terrible karma with a single +5 funny post...
Actually, more than two: the changelog includes several fixes. Right above the fix you quote, there's one that *is* exploitable, which is why they've gone ahead and released it:
The fact it's separate bugs is clear from the indentation in the original (Fscking /. doesn't support PRE)
I've posted several times that all OS's have vulnerabilities, but now I'm done. Anyone who posts to /. about M$ vulnerabilities vs. *nix vulnerabilities is just listening to themselves mumble some platform bigotry crap. Who gives a shit what I think? Who gives a shit what you think? This exploit is being released as a service to the community, and bitching about it in a post is a flaccid, pointless exercise in listening to ourselves talk. That said, I'm going to go clean out some spam from my yahoo account. Big deal...Microsoft sucks...Linux users are pompous, nobody gives a shit what you think...just patch your farging server and shut up.
man rtfm
The signup page at BlueBottle currently reads:
New account sign-ups have been temporarily disabled - For
further information, please contact support@bluebottle.com.
Dan East
Better known as 318230.
Comparing it to (sorry, should have included a TMDA link for those not familiar with it) filtering and RBL's is not fair because unlike the latter two, it does *exactly* what it's supposed to. I'll admit it's a hack, but for the time being it is the best hack out there.
The reason I suspect you haven't used it is because you mention one of the same concerns I've had about it, mainly automated responses. Bluebottle's answer to this is in the form of a 'pending' list (which you can 'OK' emails from) and the ability to manually add specific email addresses or even whole domains.
It's really a pretty good system. I think almost everyone is clear now that RBL's are a potential nightmare and filtering only creates a new list of email to cull through (looking for mislabeled email).
Quack, quack.
Please, Catherine Bell has too much hair and obviously fake boobs.
autopr0n is like, down and stuff.
THERE IS NO TRUSTED MD5 SUM. Are you retarded? Go read what he said. He compiled the RPMs himself, who the fuck is the trusted party that you are going to check your MD5 sums against?
Back in ~1985, Bell Labs had the UPAS mailer in V8, which became the System V mailer, which had a regular-expression-based simple scripting language and didn't run as root, so it was not only much simpler and cleaner to configure (seldom more than a dozen lines of config, and fewer if you didn't need UUCP), and wasn't a big gaping security hole. There was also smail in 1985. Unlike sendmail, the UPAS configuration file language wasn't something you could turn into a Turing Machine, but this isn't a *bad* problem :-)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
If it's not obvious, ARPA folks and defense contractors often care a *lot* about security (and Sendmail started before DNS did, so the ARPAnet wasn't .mil :-) If security was lax, it was because we were making more progress developing new technology and trying to keep it stable, but how to make things like TCP/IP secure was cutting-edge research back then, and we've learned a lot since. And remember Multics? Things were more relaxed over on the University side, though.
However, in 1988, the Internet got a big wakeup with the Morris worm. Sendmail and Fingerd were the two main culprits (both with buffer overflow bugs being exploited.) Finger was nice, but wasn't important enough for people to keep it given the security risk, so it disappeared rapidly, but sendmail was too entrenched already, and kept getting patched and bandaided. It's also gotten a few rewrites over the years, but having a buffer overflow bug left after all this time is simply inexcusable.
Bill Stewart
For probably 95-99% of the users, though, they don't have anything interesting in their sendmail.cf files except some anti-spammer configs they've added in the last few years (DNSBL checkers, etc.) Otherwise, it's a pretty straightforward set of features, defining what domain names they're accepting mail for and where the username database lives (e.g. if it's on LDAP instead of /etc/passwd.) The way you replace that isn't to build an interpreter, it's to write a native script for your new mailer.
The main people who are likely to be doing sophisticated things with sendmail.cf are really big mail shops (who are bright enough to do new scripts assuming they documented the sendmail.cf adequately) and people using it to front-end MS Exchange to defend it from whatever brain-damaged problems they were having. The latter group either get sympathy (poor bastards) or admiration (wow! 6-12 month contract extension!), or both.
Bill Stewart
But Eric\Marvin, how did you get here to the Restaurant at the End of the Unibus?
I waited....
The first ten million bugs were the worst. The next ten million bugs were the worst too. After that it went into a bit of a decline.
Bill Stewart
A bug announcement for sendmail. This product has had about a gazillion bugs found in it...
It's been so long since I saw a bug announcement for this product that I thought the project was dead. Good to see there are still people hard at work on it.
The race isn't always to the swift... but that's the way to bet!
I'm not sure that "insecure by design" is quite fair to the hard-working folks who developed this near-ubiquitous MTA.
Actually, it was.
When Eric Allman first wrote it, it was to be installed on some large number of machines at UCB. And of course as a work in progress it needed a bunch of tweaking. So for his own convenience he included a "wizard mode" backdoor to give himself a remote root exploit on the machines in question. When you're publishing the source (so readers can discover the backdoor) you really can't get more "insecure by design" than that. B-)
Unfortunately, the code got cloned into general use with the wizard mode backdoor still in place. B-( So that was one of the first exploits to get patched out.
= = = =
But all kidding aside...
The original code was written back in the dark ages, when buffer overflows were a "bug" rather than a "security hole". Buffer overflow exploits were almost unheard of and a wizard-level stunt, rather than a newspaper topic and a script-kiddie classic. With gets(3S) in the standard library and heavily used, it's hardly surprising that sendmail had a bunch of buffer-overflow vulnerabilities, and one of 'em has escaped detection until now.
Sendmail was a very important piece of work. And its continued large market share today (despite arguably more secure, cleaner, and easier-to-use replacements) is a testimony to its utility and its author's contribution to the net.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Sendmail is incredibly:
By comparison, the others are a walk in the park. But they won't handle all the legacy or rewriting capability sometimes needed in large-sphere enterprise email. And many don't scale for shit. Exim for my laptop or home net, exchange for small turnkey shops, and know enough sendmail to survive...
One of my favorite early usenet sigs went along the line of "Sendmail Administration is not black magic-- there are legitimate technical reasons why it requires the sacrificing of a live chicken." (I've googled for 5 mins and can't find the exact quote or origin... anyone?)
Next, did you check the narrowness of this bug? It's a problem in a fairly uncommon non-default sendmail configuration only:
But, it was found and promptly fixed. Slow news day or obscurity is the only reason it got posted here. Sendmail, arcane as it is, is the big bad voodoo daddy of mail. I use it, I fear it, and I deeply respect the sendmail development team. Feel free to check my posting history and you'll see I've never wasted keystrokes like this before. Fact is, you've just accomplished a mod-4 troll and I'd say bravo if it wasn't against this particular target.
Now, on to StupidTrollTalkIndicators (to train the untrainable slashdot moderation mindset):
Ediron's Law: Good engineers make modules, not suites. Microsoft's greatest liability is omnibus code. I dislike that more than antitrust tactics. They refuse to modularize and we're screwed as a result. Sendmail, alas, isn't very modularizable: it still accepts goop from a mainframe that resorts to %-escaping to allow passthru to a legitimate mail relay, because that used to be (and may still be) needed somewhere.
Troll troll troll troll troll. Even a 4-digit id. Sigh... Rob/Taco/etc, gimme the ability to spend my subscription money on mod points for numb-nutz responses like this and other techno-sounding wrongness. I'll start spending like mad! --
...seeing as how you've been modded down to "Flamebait".
Personally, I thought most of your points were spot-on... I just got done reading a post that basically said, "MS code is clearly buggier than Open Source code." The sad thing is, many people will read that statement and NOT realize how fallacious or unprovable it really is...
On a semi-related note, I just previewed my comment, and the date on the preview says "31 December 1969." Is that normal?
What are you talking about? Can you name a single network operating system since the late 80s that doesn't use virtual memory with 32-bit or larger pointers?!
Who modded this up?
There is no way in hell you'll cause a pointer to wrap around and come back up since if you write to the page mmaped at 0 on essentially every OS out there you get a page fault (and the OS kills the program, Null pointer exception). And before that you walk all over the pages that are between the break and stack, unallocated, or maybe all over the read-only shared libs, and they all will cause page faults and SIGSEGV your ass into next Tuesday.
Here's krog. Krog allocate automatic variable on stack. Stack grow downward. Data fills from lower to upper address (opposite stack growingness). Krog no check length of input. Krog overwrite stack not belonging to his stack frame (previous call). Ooomba, clever hacker, he know offset to return address in leaky function. OOmba, he sendum nasty input Krog no check length on that overwrite return address. When function return, it jump back into buffer instead of last function. Buffer gottem nasty root shell code, not data.
Krog sad.
Ooomba does happy dance.
Yes. Check your inputs.
YES DONT ASSUME YOU KNOW ANYTHING ABOUT HOW LARGE A BUFFER IS
YES, FOR GODS SAKE PEOPLE, NEVER ALLOCATE BUFFERS AS AUTOMATIC VARIABLES ON THE STACK!!! ARE YOU INSANE!!!!!!!!>?>>>>>>>
Fuck Beta. Fuck Dice
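As an added illustration of the length check the thread keeps coming back to (this is example code written for this page, not code from sendmail or from anyone in the discussion), the unchecked copy beside a checked one, with a constructed 16-byte limit for the local part of an address:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOCALPART_MAX 16   /* constructed buffer size for the example */

/* The pattern the thread describes: copy up to '@' with no length
 * check, so a local part longer than the caller's buffer is written
 * past the end of it. Kept only for contrast; nothing below calls it. */
void copy_localpart_unchecked(char *dst, const char *addr)
{
    size_t cnt = 0;
    while (addr[cnt] != '\0' && addr[cnt] != '@') {
        dst[cnt] = addr[cnt];
        cnt++;
    }
    dst[cnt] = '\0';
}

/* Checked version. dstlen is the full size of dst including the NUL.
 * Returns the number of bytes copied, or -1 and an empty dst when the
 * local part does not fit. Rejecting is preferred to silently
 * truncating: a truncated address is a different address.
 * Note the comparison: the check must leave room for the terminator,
 * so it is cnt >= dstlen - 1, not cnt > maxlen, which would still
 * allow one write at dst[maxlen]. */
int copy_localpart(char *dst, size_t dstlen, const char *addr)
{
    size_t cnt = 0;
    if (dstlen == 0)
        return -1;
    while (addr[cnt] != '\0' && addr[cnt] != '@') {
        if (cnt >= dstlen - 1) {
            dst[0] = '\0';
            return -1;
        }
        dst[cnt] = addr[cnt];
        cnt++;
    }
    dst[cnt] = '\0';
    return (int)cnt;
}

/* Convenience wrapper: parse into a fixed LOCALPART_MAX buffer and
 * report the copied length, or -1 if the address was rejected. */
int parse_localpart_len(const char *addr)
{
    char buf[LOCALPART_MAX];
    return copy_localpart(buf, sizeof buf, addr);
}

int main(void)
{
    /* constructed sample addresses */
    const char *samples[] = { "alice@example.org", "abcdefghijklmno@x",
                              "abcdefghijklmnop@x", "nobody", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %d\n", samples[i], parse_localpart_len(samples[i]));
    return 0;
}
```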
umm, there are lots of setting options for the .mc file at sendmail.org
----- Question authority, but not ours. Hate the man, but we're not him.
Dynamic strings are fine--until you run out of memory.
Whether static or dynamic, there is, eventually, a limit you'll run into, and if you don't code with that limit in mind then, eventually, you'll be screwed. In some cases, static allocation can be better because you know ahead of time what the limit is.
Either way, it's a matter of knowing the tools you use. I use the standard C string functions (albeit with some of my own additions), and I'll put my skills up against dynamic string library users any day.
(That said, I hope eventually to be able to use a better language altogether, but I'm still looking for one that doesn't assume top-of-the-line hardware (*cough*Perl*cough*Python*cough*Java*cough*)...
This is it! If you patch this one, sendmail will be secure! Really!
Of course, they said that the last twenty times, but this time for
real, because sendmail is focused on security, just like Microsoft!
Ahem. I won't let sendmail anywhere near any network I administrate,
ever. Argue the relative merits of the other options -- qmail,
postfix, exim, or Net::Server::Mail, but pick one of them, because
letting sendmail listen for incoming connections from the internet,
given its (in)security record, is about as smart as using Outlook
to get your mail. It hasn't been six months since the last sendmail
remote root exploit, and it won't be six months until the next one.
Some things never change.
Cut that out, or I will ship you to Norilsk in a box.
If I had a nickel every time there was an exploit in sendmail, I'd have a whole jar full of nickels!
Perhaps instead of posting every exploit on slashdot we should focus on posts that show news that is not covered better elsewhere.
“Common sense is not so common.” — Voltaire
I half suspect this is a troll, but...
you have no idea what you are talking about in regard to Microsoft's OS architectural security
You missed the parent's next paragraph, which gives examples of "running a webserver under the System or Administrator account" and "[i]nstalling and activating services by default". He's not, or at least doesn't appear to be, bashing the architecture or technology itself; he's bashing the way it's used (or not used, as the case may be). I don't have the knowledge to discuss the security capabilities of NT, but no matter how capable it is, such capabilities are pointless if they aren't used properly. To borrow the tired old house analogy, it's like installing a new ultra-secure electromechanical lock on your door--and then leaving the door wide open while you go on vacation. That's why so many people, myself included, keep railing against Microsoft and Windows for its "lack of security".
or, it's called adding apt-get update and apt-get upgrade to /etc/cron.daily.
If opportunity came disguised as temptation, one knock would be enough.
3^2 * 67^1 * 977^1
fair. will take five, at $100