92448 2003-03-03  19:21  /222 lines/ Claus Assmann <ca+bugtraq@sendmail.org>
Imported: 2003-03-03  19:21  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: vulnwatch@vulnwatch.org
Recipient: Bugtraq (import) <3766>
Subject: sendmail 8.12.8 available
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----

Sendmail, Inc., and the Sendmail Consortium announce the availability
of sendmail 8.12.8.  It contains a fix for a critical security
problem discovered by Mark Dowd of ISS X-Force; we thank ISS X-Force
for bringing this problem to our attention.  Sendmail urges all users
to either upgrade to sendmail 8.12.8 or apply the patch for 8.12 that
is part of this announcement.  Patches for older versions can be
downloaded from ftp.sendmail.org, see http://www.sendmail.org/ for
details.  Remember to check the PGP signatures of patches or releases
obtained.  For those not running the open source version, check with
your vendor for a patch.  There is a bug fix for ident parsing in
8.12.8.  While this is not believed to be exploitable, if you are not
upgrading to 8.12.8, you may want to turn off ident checking by
adding this to your .mc file:

define(`confTO_IDENT', `0s')


For a complete list of changes see the release notes down below.

Please send bug reports to sendmail-bugs@sendmail.org as usual.

Note: We have changed the way we digitally sign the source code
distributions to simplify verification: in contrast to earlier
versions two .sig files are provided, one each for the gzip'ed
version and the compressed version. That is, instead of signing the
tar file, we sign the compressed/gzip'ed files, so you do not need
to uncompress the file before checking the signature.

This version can be found at

ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.gz
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.gz.sig
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.Z
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.8.tar.Z.sig

and the usual mirror sites.

MD5 signatures:

71b4ce8276536b82d4acdf6ec8be306a sendmail.8.12.8.tar.gz
2ecf7890c2ff5035aed8d342473d85a5 sendmail.8.12.8.tar.gz.sig
b06953b5fd11f9cd63b1eb89625ad881 sendmail.8.12.8.tar.Z
b505fc5b36fbba5b3af2afecb4d587b3 sendmail.8.12.8.tar.Z.sig

You either need the first two files or the third and fourth, i.e.,
the gzip'ed version or the compressed version and the corresponding
.sig file.  The PGP signature was created using the Sendmail Signing
Key/2003, available on the web site (http://www.sendmail.org/) or
on the public key servers.

Since sendmail 8.11 and later include hooks to cryptography, the
following information from OpenSSL applies to sendmail as well.

   PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG
   CRYPTOGRAPHY SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST
   COMMUNICATING TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS
   ILLEGAL IN SOME PARTS OF THE WORLD.  SO, WHEN YOU IMPORT THIS
   PACKAGE TO YOUR COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST
   EMAIL TECHNICAL SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR
   OR OTHER PEOPLE YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO
   ANY EXPORT/IMPORT AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS
   ARE NOT LIABLE FOR ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT
   IS YOUR RESPONSIBILITY.

			SENDMAIL RELEASE NOTES
      $Id: RELEASE_NOTES,v 8.1340.2.113 2003/02/11 19:17:41 gshapiro Exp $


This listing shows the version of the sendmail binary, the version
of the sendmail configuration files, the date of release, and a
summary of the changes in that release.

8.12.8/8.12.8	2003/02/11
	SECURITY: Fix a remote buffer overflow in header parsing by
		dropping sender and recipient header comments if the
		comments are too long.  Problem noted by Mark Dowd
		of ISS X-Force.
	Fix a potential non-exploitable buffer overflow in parsing the
		.cf queue settings and potential buffer underflow in
		parsing ident responses.  Problem noted by Yichen Xie of
		Stanford University Compilation Group.
	Fix ETRN #queuegroup command: actually start a queue run for
		the selected queue group.  Problem noted by Jos Vos.
	If MaxMimeHeaderLength is set and a malformed MIME header is fixed,
		log the fixup as "Fixed MIME header" instead of "Truncated
		MIME header".  Problem noted by Ian J Hart.
	CONFIG: Fix regression bug in proto.m4 that caused a bogus
		error message: "FEATURE() should be before MAILER()".
	MAIL.LOCAL: Be more explicit in some error cases, i.e., whether
		a mailbox has more than one link or whether it is not
		a regular file.  Patch from John Beck of Sun Microsystems.


Instructions to extract and apply patch for sendmail 8.12:

The data below is a uuencoded, gzip'ed tar file.  Store the data
between "========= begin patch ========" and "========= end patch
==========" into a file called "patch.sm" and apply the following
command:

uudecode -p < patch.sm | gunzip -c | tar -xf -

This will give you two files:

sendmail.8.12.security.cr.patch
sendmail.8.12.security.cr.patch.sig

Check the integrity of the patch file using PGP or GPG, e.g.,

gpg --verify sendmail.8.12.security.cr.patch.sig sendmail.8.12.security.cr.patch

Then apply the patch to the sendmail source code:

cd sendmail-8.12.7
patch -p0 < sendmail.8.12.security.cr.patch

recompile sendmail, and install the new binary.

========= begin patch ========
========= end patch ==========
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (OpenBSD)

-----END PGP SIGNATURE-----
(92448) /Claus Assmann <ca+bugtraq@sendmail.org>/(Rewrapped)
Comment in text 92446 by Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Comment in text 92578 by Mordechai T. Abzug <morty@frakir.org>
92446 2003-03-03  18:57  /18 lines/ Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Imported: 2003-03-03  18:57  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: vulndiscuss@vulnwatch.org
Recipient: Bugtraq (import) <3764>
Comment to text 92448 by Claus Assmann <ca+bugtraq@sendmail.org>
    Sent:     2003-03-03 19:21
Subject: Re: sendmail 8.12.8 available
------------------------------------------------------------
Claus Assmann <ca+bugtraq@sendmail.org> writes:

> Sendmail, Inc., and the Sendmail Consortium announce the availability
> of sendmail 8.12.8.  It contains a fix for a critical security
> problem discovered by Mark Dowd of ISS X-Force; we thank ISS X-Force
> for bringing this problem to our attention.  Sendmail urges all users to
> either upgrade to sendmail 8.12.8 or apply the patch for 8.12 that
> is part of this announcement.

Would people be willing to share filter rules for other MTAs to block
offending messages on relays?

Thanks,
-- 
Florian Weimer 	                  Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898
(92446) /Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>/
Comment in text 92588 by Nico Erfurth <masta@perlgolf.de>
92578 2003-03-04  18:07  /25 lines/ Mordechai T. Abzug <morty@frakir.org>
Imported: 2003-03-04  18:07  by Brevbäraren
External recipient: Claus Assmann <ca+bugtraq@sendmail.org>
Recipient: Bugtraq (import) <3803>
Comment to text 92448 by Claus Assmann <ca+bugtraq@sendmail.org>
Subject: Re: sendmail 8.12.8 available
------------------------------------------------------------
On Mon, Mar 03, 2003 at 09:08:09AM -0800, Claus Assmann wrote:

> 8.12.8/8.12.8	2003/02/11
> 	SECURITY: Fix a remote buffer overflow in header parsing by
> 		dropping sender and recipient header comments if the
> 		comments are too long.  Problem noted by Mark Dowd
> 		of ISS X-Force.
> 	Fix a potential non-exploitable buffer overflow in parsing the
> 		.cf queue settings and potential buffer underflow in
> 		parsing ident responses.  Problem noted by Yichen Xie of
> 		Stanford University Compilation Group.

Question: are the header and ident issues *only* remote overflow
problems, or is this also a local vulnerability?  I.e., if one has a
system that doesn't run sendmail in daemon mode (-bd), but does make
sendmail available as an SUID root binary for submission to the local
smarthost and does run sendmail in queue-process mode (i.e., -q15m), is
the system still vulnerable?  Given that the problem is in the header
parsing, I would expect this to be both a remote and a local problem,
but I'd like to make sure before doing lots of upgrades.

Thanks.

- Morty
(92578) /Mordechai T. Abzug <morty@frakir.org>/-----
92588 2003-03-04  20:44  /40 lines/ Nico Erfurth <masta@perlgolf.de>
Imported: 2003-03-04  20:44  by Brevbäraren
External recipient: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Recipient: Bugtraq (import) <3811>
Comment to text 92446 by Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Subject: Re: sendmail 8.12.8 available
------------------------------------------------------------
Florian Weimer wrote:
> Claus Assmann <ca+bugtraq@sendmail.org> writes:
> 
> 
>>Sendmail, Inc., and the Sendmail Consortium announce the availability
>>of sendmail 8.12.8.  It contains a fix for a critical security
>>problem discovered by Mark Dowd of ISS X-Force; we thank ISS X-Force
>>for bringing this problem to our attention.  Sendmail urges all users to
>>either upgrade to sendmail 8.12.8 or apply the patch for 8.12 that
>>is part of this announcement.
> 
> 
> Would people be willing to share filter rules for other MTAs to block
> offending messages on relays?
> 
> Thanks,

I'm not sure how the exploit works, but if I understood the
LSD analysis correctly, it uses the comment for the payload, and
needs many <> in a parsed header. With exim4, this ACL should/could
help.

First it checks the header syntax, which will reject the <><><><>
used in the LSD PoC code. The second condition should refuse to accept
comments longer than 20 chars.

# Main configuration section: run the check_message ACL at the end of DATA
# (the Exim 4 option is acl_smtp_data; "acl_data" is not a valid option name)
acl_smtp_data = check_message

check_message:
   # Reject messages whose address headers are not syntactically valid;
   # the poster states this catches the <><><><> sequence of the LSD PoC
   require message = Invalid header syntax (Maybe sendmail exploit)
           verify  = header_syntax
   # Refuse address headers containing a parenthesised comment of more
   # than 20 characters (\N...\N keeps the regexp free of expansion)
   deny    message = Ohh, this looks like the sendmail-exploit
           condition = ${if match {$h_from: $h_cc: $h_bcc: $h_reply_to: \
                              $h_sender: $h_to:} {\N\(.{21,}?\)\N}{1}{0}}


No warranty ;)

Nico Erfurth
(92588) /Nico Erfurth <masta@perlgolf.de>/(Rewrapped)
92598 2003-03-04  21:36  /14 lines/ Eric Allman <eric+bugtraq@sendmail.org>
Imported: 2003-03-04  21:36  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3817>
Comment to text 92537 by Last Stage of Delirium <contact@lsd-pl.net>
Subject: Re: [LSD] Technical analysis of the remote sendmail vulnerability
------------------------------------------------------------
I want to emphasize one of the last sentences in this posting:
``However, we cannot exclude that there does not exist another
execution path in the sendmail code, that could lead to the program
counter overwrite.''  Please don't breathe a sigh of relief because
you are running on one of the "does not crash" systems.

Besides direct execution path exploits, there are other variables
that are not pointers that have security implications; finding one of
them within range will be more difficult, but probably not impossible.

Everyone should patch as soon as possible, regardless of platform.

eric
(92598) /Eric Allman <eric+bugtraq@sendmail.org>/---
92732 2003-03-05  21:26  /25 lines/ Kryptik Logik <kryptiklogik@hushmail.com>
Imported: 2003-03-05  21:26  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3831>
Subject: Sendmail exploit released???
------------------------------------------------------------


Folks:

Refer to this article in ComputerWorld
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,79021,00.html
about some Russian hacker site releasing Sendmail exploit code. Is it
any different than the LSD exploit code or is it a
"security-guru-security-know-all" reporter's mistake?!

The reason this caught my attention is that they say that the exploit
has been tested only on Slackware Linux 8.0 dist just like the LSD
advisory says.

This article claims that the Russian hackers wrote it and released it
on the web first... which kinda irks me off :(

<quote from the article>
... "self-proclaimed security experts located in Nizhny Novgorod, Russia, 
actually produced the exploit and posted it on the Web"
<unquote>

Can anybody confirm/deny this?

# klogik
(92732) /Kryptik Logik <kryptiklogik@hushmail.com>/(Rewrapped)
92947 2003-03-06  20:01  /33 lines/ Neil W Rickert <rickert+bt@cs.niu.edu>
Imported: 2003-03-06  20:01  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3858>
Comment to text 92578 by Mordechai T. Abzug <morty@frakir.org>
Subject: Re: sendmail 8.12.8 available
------------------------------------------------------------
"Mordechai T. Abzug" <morty@frakir.org> wrote:

>Question: are the header and ident issues *only* remote overflow
>problems, or is this also a local vulnerability?  I.e., if one has a
>system that doesn't run sendmail in daemon mode (-bd), but does make
>sendmail available as an SUID root binary for submission to the local
>smarthost and does run sendmail in queue-process mode (i.e., -q15m), is
>the system still vulnerable?  Given that the problem is in the header
>parsing, I would expect this to be both a remote and a local problem,
>but I'd like to make sure before doing lots of upgrades.

I don't think there has been a comment on this yet.

Sendmail will only use "ident" when receiving mail on a network
connection.  There is no local exploit available there if sendmail is
not listening on the net.  Possibly a local user could invoke
"sendmail -bs" with stdin/stdout assigned to a connected socket.  In
that case there might be an ident call.

For the header problem, any buffer overflow would occur while sending
the message, not while receiving it.  Whether the message originated
locally or over the network will matter.  Thus there is a potential
problem for local exploits with an SUID sendmail binary.

In particular, if you have old sendmail binaries left around that you
haven't deleted, you should at least turn off any SUID and SGID
privileges.  Incidentally, that's a good practice for old disused
versions of any program.

 -NWR
(92947) /Neil W Rickert <rickert+bt@cs.niu.edu>/----
93141 2003-03-07  21:07  /29 lines/ Bennett Todd <bet@rahul.net>
Imported: 2003-03-07  21:07  by Brevbäraren
External recipient: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Recipient: Bugtraq (import) <3882>
Subject: Re: sendmail 8.12.8 available
------------------------------------------------------------
On Mon, 3 Mar 2003, Florian Weimer wrote:
> Would people be willing to share filter rules for other MTAs to
> block offending messages on relays?

Wietse Venema offered the following responses for Postfix. First out
of the gate was [1], this regexp-based quick-response; capable of
false-positives, but not as scary as might be feared since it only
looks in the headers (place this in a regexp map, assign that to
header_checks):

	/<><><><><><>/ reject possible CA-2003-07 sendmail buffer overflow exploit

Then he came out with [2], a new release of postfix with
functionality like that of patched sendmail, sanitizing messages
as they pass through and logging when it does so. This enhancement
he then broke out as a light patch [3] to apply against most
versions of postfix that might be in use, for people who'd like the
protection without having to upgrade to a newer version.

To be clear here: Postfix is not itself susceptible to this problem.
The only purpose for this patch is to allow Postfix to mung messages
to protect vulnerable sendmails downstream from it.

-Bennett

[1] <URL:http://archives.neohapsis.com/archives/postfix/2003-03/0254.html>
[2] <URL:http://archives.neohapsis.com/archives/postfix/2003-03/0402.html>
[3] <URL:http://archives.neohapsis.com/archives/postfix/2003-03/0487.html>
(93141) /Bennett Todd <bet@rahul.net>/----(Rewrapped)
Attachment (application/pgp-signature) in text 93142
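The two relay-side mitigations traded in this thread, Nico's Exim ACL that refuses address-header comments longer than 20 characters and the Postfix header_checks rule that matches a run of empty angle brackets, are modelled below as an added Python example; it is not code from any poster, nor from Sendmail, Postfix or Exim. The sanitizer drops over-long parenthesised comments from sender and recipient headers the way the 8.12.8 release notes describe, and the 20-character threshold, header names and sample values are constructed for illustration.

```python
"""Relay-side address-header sanitizer (added example, not the posters'
or any MTA's code).  Drops over-long parenthesised comments, as the 8.12.8
notes describe, and flags the empty-angle-bracket run from the Postfix
rule; the threshold and sample headers are constructed."""
import re

MAX_COMMENT_LEN = 20  # constructed threshold; mirrors the Exim ACL's .{21,}
ADDRESS_HEADERS = ("from", "to", "cc", "bcc", "reply-to", "sender")
EMPTY_BRACKET_RUN = "<><><><><><>"  # literal from the Postfix quick rule


def find_comments(value):
    """Return (start, end) spans of top-level RFC 2822 comments in a header
    value, honouring nesting, quoted strings and backslash escapes.  An
    unterminated comment runs to the end of the value."""
    spans, depth, in_quote, start, i = [], 0, False, None, 0
    while i < len(value):
        c = value[i]
        if c == "\\":          # quoted-pair: skip the escaped character
            i += 2
            continue
        if in_quote:
            if c == '"':
                in_quote = False
        elif c == '"' and depth == 0:
            in_quote = True
        elif c == "(":
            if depth == 0:
                start = i
            depth += 1
        elif c == ")" and depth > 0:
            depth -= 1
            if depth == 0:
                spans.append((start, i + 1))
        i += 1
    if depth > 0:
        spans.append((start, len(value)))
    return spans


def sanitize_header(name, value, max_len=MAX_COMMENT_LEN):
    """Drop comments longer than max_len from address headers only.
    Returns (new_value, number_of_comments_dropped)."""
    if name.lower() not in ADDRESS_HEADERS:
        return value, 0
    out, pos, dropped = [], 0, 0
    for s, e in find_comments(value):
        out.append(value[pos:s])
        if e - s > max_len:
            dropped += 1           # a real relay would log this fixup
        else:
            out.append(value[s:e])
        pos = e
    out.append(value[pos:])
    return re.sub(r"[ \t]{2,}", " ", "".join(out)).strip(), dropped


def looks_suspicious(value):
    """Postfix-style quick check: a run of empty angle brackets."""
    return EMPTY_BRACKET_RUN in value
```

Like the Exim rule, this only inspects one unfolded header value at a time; folded headers must be unfolded before the check.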
93142 2003-03-07  21:07  /8 lines/ Bennett Todd <bet@rahul.net>
Imported: 2003-03-07  21:07  by Brevbäraren
External recipient: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Recipient: Bugtraq (import) <3883>
Attachment (text/plain) to text 93141
Subject: Attachment to: Re: sendmail 8.12.8 available
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

-----END PGP SIGNATURE-----
(93142) /Bennett Todd <bet@rahul.net>/--------------