Sendmail Hit by Data Interception Flaw
ricepudd writes "Computer Weekly reports that Internet security researchers have discovered a serious flaw in Sendmail. The flaw could allow remote attackers to take control of users' PCs. The Sendmail Consortium urged users to upgrade to version 8.13.6 of the software, which contains a fix to the problem. Computer Weekly seems to think that the fact that the Windows version isn't affected will help curtail the threat."
Can you tell us the file and line number that causes the problem and the mitigating circumstances under which it occurs? Jesus, it is open source ya know.
How we know is more important than what we know.
I ignored posts like this for years, figuring it was like the Linux vs. BSD debates -- just a bunch of zealots. I was wrong.
Years after I mastered mc files and learned the magic of m4, back around 2002, I succumbed to /. peer pressure and switched to Postfix. It's just like Sendmail, only it doesn't suck. I didn't know Sendmail sucked until I used Postfix. It's easy, it's secure, and my servers haven't once been 0wn3d because of the ubiquitous MTA flaws of Sendmail.
Some day I'll try Qmail. Baby steps.
-Waldo Jaquith
http://www.jcb-sc.com/qmail/guninski.html
http://secunia.com/advisories/10649/
http://secunia.com/advisories/15533/
http://www.frsirt.com/english/advisories/2005/049
http://www.frsirt.com/english/product/3207
http://www.saintcorporation.com/cgi-bin/demo_full_tut.pl?tutorial_name=Qmail_vulnerabilities.html&fact_color=doc&tag=
You need to apply about 50 patches to get a decent Qmail MTA, at which time all the security guarantees vanish.
You need to apply one: netqmail. Or qmail-ldap, which I prefer.
He couldn't use standard SysV init scripts to start Qmail, no... we need the "supervise" and /services cruft! Xinetd? Nahh fuck it, I'll write "ucspi-tcp" instead and force that down everyone's throat.
His software came out before xinetd. And even so, that implementation isn't standard across distros. Plus /service is just an easy way to run things ... link a folder under there and have a ./run file in it and you're good.
ucspi-tcp is good too because it has easy mechanisms for black/whitelisting people.
On the Dailydave mailing list, Mark Dowd of ISS claims to have a working, reliable proof of concept exploit for the bug (Required as part of their assessment process). It's rumored to be floating around already. Frankly, I'm more willing to believe the person who discovered the bug than a handful of advisories and self-proclaimed 'experts'. Gadi Evron, I'm looking at you.
Basically Sendmail was written in the age when moving mail from place A to B actually was difficult
No. Sendmail was written when moving mail was easy- they just thought it was going to get harder so they overengineered it.
The whole message rewriting header/scrambling thing has NEVER been needed to transfer to/from uucp hosts, the 7bit fantasy network, or other messaging networks- it was ALWAYS performed in the gateways to those other networks.
Source routes should never have existed- There should never have been a reason why the person sending the message might know more about the messaging server than the server itself.
There's no reason a user should ever send mail to a program- users only ever sent mail to addresses, and by exposing programs as "a special kind of address" - they made it possible to yes, use UUCP without the mail administrators' permission, but they also opened the whole slew of bugs in sendmail that popularized the mid '90s.
Sendmail _never_ had to be this complicated. They did it this way because of equal parts stupidity and hubris, and pretending it was anything else means it'll happen again (see IPV6 for more details).
By the way, I've had zero difficulty getting qmail- which itself doesn't understand how to send mail over uucp, Fido or Citnet, to actually transfer mail bidirectionally with all of these networks. Love or hate qmail, if the naive mailbox-to-user approach was good enough for all these networks, it would've worked for sendmail.