Buffer Overflow in Sendmail
ChiefArcher writes "On the footsteps of openssh, Sendmail 8.12.10 has just been released due to a buffer overflow in address parsing. Sendmail states this is potentially remotely exploitable. No updates on the Sendmail site yet, but the FTP site has the release notes."
That's why you should be using qmail, ya' code monkeys! Seems like this happens every couple months.
Show your love for the Hacker community
HackerLogo.com
That's why you should entrust all your email services to Hotmail.
The official announcement is here.
:)
I've already downloaded and installed it. Thank goodness for Slackbuild scripts
Mistakes happen to everyone, and Microsoft code isn't necessarily even the most important part of the internet.
Christ, the mods must really have a hard-on for sendmail. Every post critical of it in this thread was instantly downmodded, regardless of the fact that they were TRUE. Sendmail DOES have a long history of serious security flaws, and both Postfix and Qmail (I prefer Qmail) are valid responses to this trend, as neither one of them has exhibited the same problems.
Is it perhaps time for a code rewrite in Sendmail, or maybe a quiet, dignified retirement? It appears, from empirical evidence, that Sendmail is insecure by design. And that's not a good idea for a mail server, in today's world of spam.
((lambda x ((x))) (lambda x ((x))))
I'll have to dust off my sendmail sploit-of-the-week card and get them to punch it for me! 12 punches and you get a free MTA!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Aight... I'll fill in the blanks
ftp://ftp.sendmail.org/pub/sendmail/RELEASE_NOTES
You'd think that it would be easy to fix this at the language level. It can't be that hard to create a string library that automatically ignores everything past the end of the string.
Yesterday was the day of openssh, and today for sendmail (what's next? bind? apache?). More than the usual rant about using alternatives like postfix/qmail/exim/etc instead of sendmail, I see that as a positive thing; it could be a signal that more testing, auditing, and usage is being done, and by the open source nature of those tools, that these kinds of things will be fixed or the programs will evolve to avoid these kinds of things with (really) safer practices.
Does anyone have a good explanation of how a buffer overflow allows you to execute arbitrary code? It seems to me that the memory that gets overwritten is somewhat random. It is either the stack or some memory in dynamic store. It seems like each time you send in the overflow data it will be writing a different area of memory, so you don't know if your code will get executed or not. Since you have to start executing at the right place you would almost never be able to execute your code.
It's a paradox that people who are so paranoid when it comes to security (there is no proof-of-concept remote exploit for either of these holes) would download patches from wherever and whoever.
Posts like the parent ("get latest patch from me!") always get moderated up, so there must be somebody downloading and installing them. Maybe I shouldn't give people ideas.
How small a thought it takes to fill a whole life
RHN Update Agent
Depends on your distro. up2date for RH is a good example.
A serious response to the story is too bleak. Ho-hum, upgrade sendmail, patch it, OK.
Comedy is inappropriate. "Is that sendmail dead? No, it's just sleeping. Oh, I could swear it was dead! No, it's just tired, see? Sendmail gottan exploit, sendmail gottan exploit!"
Irony is difficult. To be honest, I can't even be sure which ironic form I would employ in this case. Forget irony.
Sarcasm? "Sendmail, yeah, like we're still using that dinosaur!" What, we are? Dang. Why? "Cause it was there?" What kind of an excuse is that?!
Nihilism... "yes, another day, another exploit. ssh, now sendmail. I can just see the future, one long bitter trail of unpatched software, server after server to upgrade. brain the size of a planet, and here I am, patching sendmail. what's the use, I ask you...?"
Slashdotisms? All your sendmail overlords are 1-2-3 profit to us? Imagine? In Russia? No, no, no.
SCO! SCO! "It's not an exploit, it's a snippet!!!" Worth a try.
Damn you to the deepest depths of hell, Slsadhot edirots, this story has so little karma leverage it hurts.
Ceci n'est pas une signature
> Does Linux have an Auto-update mechanism similar to
> windows that indicates when new patches are available
> for download?
Yup, it's called "slashdot"
and it's already been updated in slackware as well. Go Pat!
Before all the Microsoft apologists jump in and point out that any system can have vulnerabilities, and Linux users should not bash Microsoft.
It is true that any system can have unintentional bugs that lead to security vulnerabilities. This is true of any system and not just Microsoft. Therefore, Microsoft should not be unfairly bashed due to these kinds of bugs, any more than any other system.
But there is another kind of security problem for which Microsoft is deservedly bashed. Microsoft is bashed for having poor security when its system is insecure in its design. (It may not have been a design goal.)
Examples would include running a webserver under the System or Administrator account so that once it is compromised, the system is rooted. Installing and activating services by default. These problems are all caused by security having a low priority in the past, and Microsoft is deservedly bashed for these. Nimda or Slammer may be buffer overflows which could happen to anyone, but there is some deserved criticism as to why it was such a huge problem.
No doubt, sendmail also deserves some criticism.
I wonder how many Linux/Apache systems get web pages defaced via SQL injection or other PHP related attacks, but do not lead to the box being rooted? Any numbers?
Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
I experience daily buffer overflows receiving mail.
If you can edit a
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
A fix for the "all your misspellings are beloning to us" Verisign hack.
apt-get update
:)
apt-get upgrade
Stick it in a cronjob.
Solved
Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
But they must have, because there are no bugs in any software that runs under Linux. There never have been, and there never will be.
that's pretty sad if you think "a lot" and "allot" mean the same thing. go back to kindergarten.
Sendmail 8.12.9 prescan bug
attack details:
Local exploitation on little endian Linux is confirmed to be trivial
via recipient.c and sendtolist(), with a pointer overwrite leading to a
neat case of free() on user-supplied data, i.e.:
eip = 0x40178ae2
edx = 0x41414141
esi = 0x61616161
SEGV in chunk_free (ar_ptr=0x4022a160, p=0x81337e0) at malloc.c:3242
0x40178ae2 : mov %esi,0xc(%edx)
0x40178ae5 : mov %edx,0x8(%esi)
Remote attack is believed to be possible.
It also seems that a CS student from the university of Sweden has posted a working exploit on this web site. Scary stuff. So patch your system, people!
I feel like my week isn't complete without patching Sendmail at least once. Ahhh... return to normalcy. I feel better.
You mean when Microsoft publicly discloses the exploit, usually weeks after it was first reported across the Internet?
When did everyone decide the standard way of fixing security bugs was no longer worth the effort? You don't release a new version with a security bug fixed until all the distros have been contacted and the fix has been backported. Why have Sendmail and OpenSSH decided this no longer applies to them? Is Apache next? Are they going to force an upgrade to Apache 2 by rolling security fixes into beta versions and not bothering to tell anyone before they are released?
I'm a happy postfix user myself, but it should be noted for fairness reasons that the last postfix-related advisories are about two weeks old... Face it, some software may be better than others, but no matter what you are running, you'll always have to keep your systems up to date. Looking down on others because the software they run is oh so insecure and yours is perfect is the first step to being rooted.
Programming can be fun again. Film at 11.
that many in the Open Source Community are content to imitate Microsoft's latest offerings, but copy exploits is, in my opinion, going too far! ;-)
So rise up, all ye lost ones, as one, we'll claw the clouds.
What?? You don't trust software compiled by flying butt monkeys?
who are those slashdot people? they swept over like Mongol-Tartars.
The big difference between bugs found in MS products and bugs found in Open Source products seems to be: Bugs in Open Source products seem to make the /. front page the same day a patch is released. MS product bugs are posted about days before a patch comes out.
Of course that could be because the OS projects fix their bugs as soon as they find them rather than having to wait for the red tape to clear up.
"For a successful technology, honesty must take precedence over public relations for nature cannot be fooled." -Feynman
You obviously have no first-hand experience with Debian systems. Security updates for the current stable branch are always released within a day or two of any sort of advisory (usually on the same day). The security patches are often backported to older versions rather than just using the newest version of the software. This makes life easy for many admins, as new versions of software can be non-backwards compatible or behave differently than older versions.
And if you don't mind this, you can always use the "testing" or "unstable" branches for cutting-edge software.
Besides the fact that Debian is extremely easy to update:
apt-get update
apt-get upgrade
Know what you are talking about before you speak.
Yes.
Debian: apt-get update
Gentoo: emerge sync
RedHat: up2date, or autorpm, or apt-get update
SuSE: you, or autorpm
Mandrake: urpmi update
You can get autorpm to e-mail you a daily summary too.
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
One of the pluses of open source is that you have the ability to look at the code and determine exactly what the patch changes. For a small patch most sysadmins, even though they might not be an "elite" programmer, can determine that the code does some extra boundary checking or the like.
I would hope that sysadmins do this before installing code from an unknown source.
It is a story about a detailed PDF on MacOSX/Darwin+PPC specific ways to run malignant code once and if an exploit is found. The posting is somewhat misleading, the PDF is not about vulnerabilities at all but what to do once they are found, as some reply clarifies.
I am pretty sure that similar docs exist for Linux+i386 and a-plenty of other architectures (MS Wind anyone?).
Dani++
Now tell me why not all software has this feature.
Cig? No, thank you.
as I cannot believe that sendmail would have an exploit (remote or otherwise) given its history.
Sendmail has remote exploits every couple of months at best. Why is anyone surprised any more? It's not as if it's easy to set up, administrate or is horribly high performance. It's about as middle of the road as you get. As many have pointed out before I'm sure, this is exactly why we complain about software from microsoft (and I mean just the software, not its licences nor the biz tactics associated with it).
So why not look for alternatives, all you sysadmins out here? I for one prefer qmail. There are plenty of others.
I know it's hard to switch to a new system when you've gotten proficient in configuring something well, especially when you are so busy using it that you don't have time to play with something new to see if it can work for your setup. But I can't see that running a frequently exploited mail server will cause anything but more work.
Especially software that is semi-commercial. They're getting paid to check for these issues, after all.
Ok, credit given where credit is due. The problem has been recognised within a short time of being detected. That's better than Hotmail's "check the password? what for?" bug, that persisted for six or seven months, and remained in effect for several days after the media ran the story.
But that's where the credit ends. It shows that the program isn't being routinely tested and verified with overflow detectors, or (if it is), that the testing procedure is inadequate.
It shows why rival MTAs (e.g. Postfix) are gaining popularity, when Sendmail could have kept absolute control of the market, merely by being the best.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Interestingly, *nix users don't seem to howl at Slashdot for publishing every vulnerability that comes along in *nix; rather there are discussions of the best way to patch etc, whereas I've noticed that every time there is a post about the latest Windows/IE/SQL Server/?? hole, there is a deluge of postings from defensive MSFT zealots who loudly complain that the Slashdot world is picking on them. Odd.
Posts like the parent ("get latest patch from me!") always get moderated up, so there must be somebody downloading and installing them.
Considering that a lot of mods don't even seem to READ the posts they mod, I doubt they checked out the link.
Um...they're called the following:
emerge (Gentoo)
up2date (Redhat)
apt-get (Debian)
I know on the Gentoo side, they had the SSH fix out the same day. There are distribution methods in place, just depends on the distro you use. So just cause Windows Update notifies you that there's an update or even does it automatically, that doesn't stop you from croning the above commands.
- gtaluvit (prnc. GOT-tuh-LUV-it)
Windows Update does not come configured to automatically download and install updates for you. It also does not always work. It has been reported to falsely report that patches are installed, and to prompt to install patches over and over again that are already installed. And how many people, used to an endless barrage of meaningless dialog boxes from Microsoft products (though they are not the only ones who do this), dismissed the auto-updates configuration, and so go unpatched? Additionally, were you aware of the 31 currently unpatched security holes in IE?
http://www.pivx.com/larholm/unpatched/
As for being informed, if Slashdot is your only source for notification about security vulnerabilities, you have bigger problems than a single sendmail exploit.
WMBC freeform/independent online radio.
Instead, use bluebottle.com? They have free 10 meg accounts without MS bs or advertising and use a TMDA like system for anti-spam verification. I'll never understand why technical people would use a hotmail account (bluebottle *will* also check your hotmail account for you).
Quack, quack.
apt-get upgrade
Stick it in a cronjob.
Yikes! Remind me to never give you a job as an admin for any of my computers. While that sort of thing might be acceptable for a home desktop, it's suicide on a corporate server...
"The invisible and the non-existent look very much alike." -- Delos B. McKown
In case anyone is forced (by legacy apps & shit) to be running old versions of sendmail, the patch supplied applies nicely to version 8.9.x of sendmail. It even continues to work after it's patched.
Not like anyone is going to find this comment so late in the discussion, but...
There was a Dilbert strip where Dogbert tried to sell Dilbert a "perpetual newspaper"; only a thousand dollars and you'll never need to buy another newspaper!
The headlines were like "Pope Denounces Violence" and "Real Estate Values Rise" and "Unrest in the Middle East". I think that "Buffer Overflow Found in Sendmail" would have been a worthy addition to the Tech Pages.
There are two kinds of sysadmins: paranoids and losers. I'm both kinds.
Here is a HOWTO and a tarball containing all of the files necessary to replace sendmail with qmail on an RPM based system.
Vulnerability list
From excellent karma to terrible karma with a single +5 funny post...
Actually, more than two: the changelog includes several fixes. Right above the fix you quote, there's one that *is* exploitable, which is why they've gone ahead and released it:
The fact it's separate bugs is clear from the indentation in the original (Fscking /. doesn't support PRE)
You should do that no matter who you download it from, even from the original site; not that long ago the OpenBSD sites and the GNU sites were compromised. So just assuming they had good source wasn't safe. Then at least you know that whoever wrote the patch also has the private key of whoever signed it (which hopefully is the person whom you trust). If you are a good little author, you sign with a private key on a machine that you sneakernet the source code to, sign there, then sneakernet it back to the public network (or you just drag the MD5SUM there, instead of the original source). At no point would you ever put the private key on a machine that has ever been connected to the internet (then you just have to physically secure the machine). It's much, much safer that way. Then nobody can get your key except by cryptanalysis, which needs the force of a major gov't behind it to break 4096 PGP encryption last time I checked.
Honest, I'm not as stupid as you think I am.
Kirby
What are you talking about? Can you name a single network operating system since the late 80s that doesn't use virtual memory with 32-bit or larger pointers?!
Who modded this up?
There is no way in hell you'll cause a pointer to wrap around and come back up since if you write to the page mmaped at 0 on essentially every OS out there you get a page fault (and the OS kills the program, Null pointer exception). And before that you walk all over the pages that are between the break and stack, unallocated, or maybe all over the read-only shared libs, and they all will cause page faults and SIGSEGV your ass into next Tuesday.
Here's krog. Krog allocate automatic variable on stack. Stack grow downward. Data fills from lower to upper address (opposite stack growingness). Krog no check length of input. Krog overwrite stack not belonging to his stack frame (previous call). Ooomba, clever hacker, he know offset to return address in leaky function. OOmba, he sendum nasty input Krog no check length on that overwrite return address. When function return, it jump back into buffer instead of last function. Buffer gottem nasty root shell code, not data.
Krog sad.
Ooomba does happy dance.
Yes. Check your inputs.
YES DON'T ASSUME YOU KNOW ANYTHING ABOUT HOW LARGE A BUFFER IS
YES, FOR GODS SAKE PEOPLE, NEVER ALLOCATE BUFFERS AS AUTOMATIC VARIABLES ON THE STACK!!! ARE YOU INSANE!!!!!!!!>?>>>>>>>
Fuck Beta. Fuck Dice
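The stack-frame mistake in Krog's story (and the answer to the "how does an overflow run code" question above) comes down to one missing length comparison before a copy into a fixed automatic buffer. This is an added C example, not Sendmail's prescan() or any code posted in the thread: a hypothetical split_addr() with assumed buffer sizes that refuses input that does not fit instead of writing past the array.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for illustration; both include room for the terminating NUL. */
#define LOCAL_MAX  32
#define DOMAIN_MAX 64

enum addr_status {
    ADDR_OK = 0,
    ADDR_NO_AT = -1,          /* no '@' separator in the input */
    ADDR_LOCAL_TOO_LONG = -2, /* local part would not fit LOCAL_MAX */
    ADDR_DOMAIN_TOO_LONG = -3 /* domain would not fit DOMAIN_MAX */
};

/* Copy n bytes of src into dst only if they fit with a terminator.
 * This comparison is exactly what a bare strcpy()/memcpy() into a
 * fixed-size automatic buffer lacks. Returns 1 on success, 0 if too long. */
static int copy_bounded(char *dst, size_t cap, const char *src, size_t n)
{
    if (n >= cap)             /* n == cap leaves no room for the NUL */
        return 0;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 1;
}

/* Split "local@domain" into the caller's two fixed-size buffers.
 * Nothing is written to either buffer unless its piece fits. */
int split_addr(const char *addr, char local[LOCAL_MAX], char domain[DOMAIN_MAX])
{
    const char *at = strchr(addr, '@');
    if (at == NULL)
        return ADDR_NO_AT;
    /* The unsafe shape this replaces is memcpy(local, addr, at - addr) with
     * no check against LOCAL_MAX: an overlong local part then runs off the
     * end of local[] into whatever sits above it in the stack frame. */
    if (!copy_bounded(local, LOCAL_MAX, addr, (size_t)(at - addr)))
        return ADDR_LOCAL_TOO_LONG;
    if (!copy_bounded(domain, DOMAIN_MAX, at + 1, strlen(at + 1)))
        return ADDR_DOMAIN_TOO_LONG;
    return ADDR_OK;
}

int main(void)
{
    char local[LOCAL_MAX], domain[DOMAIN_MAX];
    /* Constructed inputs: one that fits, one with a 40-byte local part. */
    const char *good = "postmaster@example.org";
    const char *bad  = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa@example.org";
    printf("%s -> %d\n", good, split_addr(good, local, domain));
    printf("%s -> %d\n", bad, split_addr(bad, local, domain));
    return 0;
}
```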