Slashdot Mirror
Buffer Overflow in Sendmail
ChiefArcher writes "On the footsteps of openssh, Sendmail 8.12.10 has just been released due to a buffer overflow in address parsing. Sendmail states this is potentially remotely exploitable. No updates on the Sendmail site yet, but the FTP site has the release notes."
That's why you should be using qmail, ya' code monkeys! Seems like this happens every couple months.
Show your love for the Hacker community
HackerLogo.com
That's why you should entrust all your email services to Hotmail.
The official announcement is here.
:)
I've already downloaded and installed it. Thank goodness for Slackbuild scripts
Is it perhaps time for a code rewrite in Sendmail, or maybe a quiet, dignified retirement? It appears, from empirical evidence, that Sendmail is insecure by design. And that's not a good idea for a mail server, in today's world of spam
((lambda x ((x))) (lambda x ((x))))
I'll have to dust off my sendmail sploit-of-the-week card and get them to punch it for me! 12 punches and you get a free MTA!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Aight... I'll fill in the blanks
ftp://ftp.sendmail.org/pub/sendmail/RELEASE_NOTE S
Yesterday was the day of openssh, and today for sendmail (whats next? bind? apache?). More than the usual rant about using alternatives like postfix/qmail/exim/etc instead of sendmail, I see that as a positive thing, could be a signal that more testing, auditing, and usage is being done, and by the open source nature of those tools, that this kind of things will be fixed or the programs will evolve to avoid this kind of things with (really) safer practices.
It's a paradox that people who are so paranoid when it comes to security (there are no proof of concept remote exploits for either of these holes), would download patches from where ever and who ever.
Posts like the parent ("get latest patch from me!") always get moderated up, so there must be somebody downloading and installing them. Maybe I shouldn't give people ideas.
How small a thought it takes to fill a whole life
A serious response to the story is too bleak. Ho-hum, upgrade sendmail, patch it, OK.
Comedy is inappropriate. "Is that sendmail dead? No, it's just sleeping. Oh, I could swear it was dead! No, it's just tired, see? Sendmail gottan exploit, sendmail gottan exploit!"
Irony is difficult. To be honest, I can't even be sure which ironic form I would employ in this case. Forget irony.
Sarcasm? "Sendmail, yeah, like we're still using that dinosaur!" What, we are? Dang. Why? "Cause it was there?" What kind of an excuse is that?!
Nihilism... "yes, another day, another exploit. ssh, now sendmail. I can just see the future, one long bitter trail of unpatched software, server after server to upgrade. brain the size of a planet, and here I am, patching sendmail. what's the use, I ask you...?"
Slashdotisms? All your sendmail overlords are 1-2-3 profit to us? Imagine? In Russia? No, no, no.
SCO! SCO! "It's not an exploit, it's a snippet!!!" Worth a try.
Damn you to the deepest depths of hell, Slsadhot edirots, this story has so little karma leverage it hurts.
Ceci n'est pas une signature
> Does Linux have an Auto-update mechanism similar to
> windows that indicates when new patches are available
> for download?
Yup. it's called "slashdot"
and it's allready been updated in slackware as well. Go Pat!
Before all the Microsoft apologists jump in and point out that any system can have vulnerabilities, and Linux users should not bash Microsoft.
It is true that any system can have unintentional bugs that lead to security vulnerabilities. This is true of any system and not just Microsoft. Therefore, Microsoft should not be unfairly bashed due to these kinds of bugs, any more than any other system.
But there is another kind of security problem for which Microsoft is deservedly bashed. The problem Microsoft is bashed for having poor security is when their system is insecure in its design. (It may not have been a design goal.)
Examples would include, running a webserver under the System or Administrator account so that once it is compromised, the system is rooted. Installing and activating services by default. These problems are all caused by security having a low priority in the past, and Microsoft is deservedly bashed for these. Nimbda or Slammer may be buffer overflows which could happen to anyone, but there is some deserved criticism as to why it was such a huge problem.
No doubt, sendmail also deserves some criticism.
I wonder how many Linux/Apache systems get web pages defaced via. SQL injection or other PHP related attacks, but do not lead to the box being rooted? Any numbers?
Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
Sendmail has never had a good reputation for code quality. MS doesn't either. Whats your point?
If you can edit a
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
A fix for the "all your misspellings are beloning to us" Verisign hack.
Stack grows downward, buffers on stack grow upward. Overflow a buffer and sooner or later you run into a return pointer on the buffer. Now, if you overflow it in such a way that the function corresponding to that stackgrame doesn't cause a segfault before it returns, the CPU will read in a return address you supplied, which could point to the buffer. CPU then executes the code you put in the buffer. I believe it's traditional to execve /bin/sh at this point.
Google for "Smashing the stack for fun and profit". I don't know too much of the specifics -- I'm not a script kiddie.
You mean when Microsoft publicly discloses the exploit, usually weeks after it was first reported across the Internet?
When did everyone decide the standard way of fixing security bugs was no longer worth the effort. You don't release a new version with a security bug fixed until all the distros have been contacted and the fix has been backported. Why have Sendmail and OpenSSH decided this no longer applies to them? Is Apache next? Are they going to force an upgrade to Apache 2 by rolling security fixes into beta versions and not bothering to tell anyone before they are released?
I'm a happy postfix user myself, but it should be noted for fairness reasons that the last postfix-related advisories are about two weeks old... Face it, some software may be better than others, but no matter what you are running, you'll always have to keep your systems up to date. Looking down on others because the software they run is oh so insecure and yours is perfect is the first step to being rooted.
Programming can be fun again. Film at 11.
What?? You don't trust software compiled by flying butt monkeys?
who are those slashdot people? they swept over like Mongol-Tartars.
The big difference between bugs found in MS products and bugs found in Open Source products seems to be: Bugs in Open Source products seem to make the /. front page the same day a patch is released. MS product bugs are posted about days before a patch comes out.
Of course that could be because the OS projects fix their bugs as soon as they find them rather than having to wait for the red tape to clear up.
"For a successful technology, honesty must take precedence over public relations for nature cannot be fooled." -Feynman
One of the pluses of open source is that you have the ability to look at the code and determine exactly what the patch changes. For a small patch most sysadmins, even though they might not be an "elite" programmer, can determine that the code does some extra boundary checking or the like.
I would hope that sysadmins do this before installing code from an unknown source.
By feeding in a string longer than 100 characters, you go up the stack and can overwrite the return address to the call to 'foo'. You might replace the address with a pointer to code you've embedded in the oversized string. When the call returns, it jumps into your code rather than the calling procedure.
Sendmail has remote exploits every couple of months at best. Why is anyone suprised any more? It's not as if it's easy to set up, administrate or is horribly high performance. It's about as middle of the road as you get. As many have pointed out before I'm sure, this is exactly why we complain about software from microsoft (and I mean just the software, not it's licences nor the biz tactics associated with it).
So why not look for alternatives, all you sysadmins out here? I for one prefer qmail. There are plenty of others.
I know it's hard to switch to a new system when you've gotten profficent in configuring something well, especially when you are so busy using it that you don't have time to play with something new to see if can work for your setup. But I can't see that running a frequently exploited mail server will cause anything but more work.
Especially software that is semi-commercial. They're getting paid to check for these issues, after all.
Ok, credit given where credit is due. The problem has been recognised within a short time of being detected. That's better than Hotmail's "check the password? what for?" bug, that persisted for six or seven months, and remained in effect for several days after the media ran the story.
But that's where the credit ends. It shows that the program isn't being routinely tested and verified with overflow detectors, or (if it is), that the testing procedure is inadequate.
It shows why rival MTAs (eg: Postfix) are gaining popularity, when Sendmail could have kept absolute control of the market, merely by being the best.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Instead of use bluebottle.com? They have free 10 meg accounts without MS bs or advertising and use a TMDA like system for anti-spam verification. I'll never understand why technical people would use a hotmail account (bluebottle *will* also check your hotmail account for you).
Quack, quack.
Here is a HOWTO and a tarball containing all of the files necessary to replace sendmail with qmail on an RPM based system.
Actuall, more than two: the changelog includes several fixes. Right above the fix you quote, there's one that *is* exploitable, which is why they've gone ahead and released it:
The fact it's separate bugs is clear from the indention in the original (Fscking /. doesn't support PRE)
What are you talking about? Can you name a single network operating system since the late 80s that doesn't use virtual memory with 32-bit or larger pointers?!
Who modded this up?
There is no way in hell you'll cause a pointer to wrap around and come back up since if you write to the page mmaped at 0 on essentially every OS out there you get a page fault (and the OS kills the program, Null pointer exception). And before that you walk all over the pages that are between the break and stack, unallocated, or maybe all over the read-only shared libs, and they all will cause page faults and SIGSEGV your ass into next Tuesday.
Here's krog. Krog allocate automatic variable on stack. Stack grow downward. Data fills from lower to upper address (opposite stack growingness). Krog no check length of input. Krog overwrite stack not belonging to his stack frame (previous call). Ooomba, clever hacker, he know offset to return address in leaky function. OOmba, he sendum nasty input Krog no check length on that overwrite return address. When function return, it jump back into buffer instead of last function. Buffer gottem nasty root shell code, not data.
Krog sad.
Ooomba does happy dance.
Yes. Check your inputs.
YES DONT ASSUME YOU KNOW ANYTHING ABOUT HOW LARGE A BUFFER IS
YES, FOR GODS SAKE PEOPLE, NEVER ALLOCATE BUFFERS AS AUTOMATIC VARIABLES ON THE STACK!!! ARE YOU INSANE!!!!!!!!>?>>>>>>>
Fuck Beta. Fuck Dice