The sendmail overflow bug -- full analysis

By John McCormick, TechRepublic, 17 March, 2003 11:11

Mitigating factors As I mentioned above, there is an ongoing debate about whether this Sendmail vulnerability is a widespread threat or, because of various mitigating factors, it can be exploited on only a few systems. The Last Stage of Delirium says that its preliminary test of this exploit showed it wasn't as dangerous as first thought: "Due to the nature of the discussed Sendmail vulnerability it seems that it is unexploitable on most of commercially available Unix systems. It also doesn't seem to be exploitable on most of the default SMTP installations of x86 based open source systems. This leads to the conclusion that the overall impact of the vulnerability is rather limited and not so significant as it might be thought." However, the group's analysis covered only one possible exploit mechanism on Unix and Linux (Slackwave and Red Hat) servers. In a BugTraq message, Sendmail's Eric Allman responded to the Last Stage of Delirium's downplaying of this vulnerability by saying, "Besides direct execution path exploits, there are other variables that are not pointers that have security implications; finding one of them within range will be more difficult, but probably not impossible ... Everyone should patch as soon as possible, regardless of platform." Fix--patch or update to Sendmail version 8.12.8. Sendmail.org has produced patches for versions 8.9, 8.10, 8.11, and 8.12, but the vulnerability is also found in earlier versions. For those who are using earlier versions of the software, Sendmail.org recommends open source users of versions prior to 8.9 take the opportunity to update to the latest version. Sendmail Inc. is also making a binary patch available for commercial customers. ISS has developed a "virtual" patch for the Sendmail vulnerability using the security company's Dynamic Threat Protection platform. Updates are available from the ISS Download center. Final word ISS reports that it notified Sendmail on Jan. 13, 2003, and received confirmation from the vendor on the same day. ISS worked with the vendor and reports good cooperation. It did not make a public announcement of the threat until March 3, 2003. Still, I have to wonder why the Last Stage of Delirium hackers felt it was necessary to publish a detailed proof of concept for this Sendmail bug, which no one was denying existed. The first group to discover a vulnerability (ISS, in this instance) may have a good reason to publish proof of concept showing how to engineer an attack, especially if vendors are ignoring them. However, what legitimate purpose is served by doing so after everyone admits there is a problem and moves to fix it? The usefulness of this posting would be more obvious if the Last Stage of Delirium had completely explored the vulnerability and was demonstrating that it really wasn't very dangerous. But its BugTraq report began, "We did not perform full analysis of this issue," and ended, "However, we cannot exclude that there does not exist another execution path in the Sendmail code that could lead to the program counter overwrite." On the other hand, according to the report, the exploit doesn't really work very well. In that light, I guess there was little harm in publishing the exploit unless someone uses it to explore other ways to take advantage of the flaw.

For a weekly round-up of the enterprise IT news, sign up for the Enterpise newsletter. Tell us what you think in the Enterprise Mailroom.

« Previous
1
2
Next »

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your ZDNet UK account below

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

ZDNet UK Live

Good I love Yahoo! Their search engine is getting better than Google as of late. I find more of what I want on the first page, and usually within...

10 minutes ago by Chris Wortman via Facebook on Linux Mint 13 ramps up for KDE release

openhgs has made the point for Windows 8 multiple monitors without realising it! With Windows 7 you have to switch the mouse and so your focus...

2 hours ago by PatrickG on Windows 8 could speed multi-monitor uptake

Mozilla has threatened to stop supporting Linux. I guess that UBUNTU is going with another browser. I indicated that if Mozilla stops supporting...

3 hours ago by Leslie Satenstein via Facebook on Firefox rapid release improves Fedora Linux

Much as I abhor Microsoft's licensing practices, this is almost certainly down to purchasing IT equipment via 3rd party consultants - you get the...

4 hours ago by Andy Bolstridge via Facebook on 6 million wasted licences and £1,200 PCs: welcome to government IT

@openhgs Windows users have had multiple desktops since Linus started writing Linux. They just haven't shipped as standard because not enough...

20 hours ago by Jack Schofield on Windows 8 could speed multi-monitor uptake

@Phil at Cloud4 What, Microsoft gets £1,200 per PC and £1,622 per server? Gosh, I'm amazed....

20 hours ago by Jack Schofield on 6 million wasted licences and £1,200 PCs: welcome to government IT

You guys have no idea what is going on at Autonomy. Autonomy could have been a much more profitable organization. The sales operations at Autonomy...

22 hours ago by craigsc on HP cuts 27,000 staff as Autonomy chief Lynch leaves

How does this impact on dual or multi booting? Seems to me to more or less prohibit this, from Windows 8 anyway. Will Grub 2 recognise Windows 8,...

22 hours ago by Moley on Windows 8 start-up speed forces USB boot workaround

I don't understand why there cannot be a slight pause during the boot process so the user can press a key. Many operating systems do this, even if...

23 hours ago by apexwm on Windows 8 start-up speed forces USB boot workaround

You can now buy the Xi3 modular computer in the UK at http://www.ocdistribution.com . This can be bought with the Tand3m software, pricing and...

24 hours ago by Gavin Goodman on CES 2012: Xi3 microSERV3R

I agree: Mike Lynch can clearly build a business and manage strategy. I suspect the exit of Mike is more likely the end of a planned handover...

1 day ago by Phil at Cloud4 on HP cuts 27,000 staff as Autonomy chief Lynch leaves

This is unbeleivable government wastage with only one winner... Microsoft 1 - Tax payer Nil!

1 day ago by Phil at Cloud4 on 6 million wasted licences and £1,200 PCs: welcome to government IT

So what do you do when you can't boot into windows? Why can't I just hold Shift while I power up instead of having to boot into windows and click a...

1 day ago by Mispam on Windows 8 start-up speed forces USB boot workaround

I've also seen that Mac OS X for Intel machines is supposed to run in VirtualBox, which would also be a nice solution. I've never tried it though.

1 day ago by apexwm on xTreme Triple Booting: Linux, Mac & Windows

What I wonder is why when companies are caught bang to rights in not providing contracted services, people bend over to smear the customers? Surely...

1 day ago by dave heasman on Virgin throttles broadband for high-speed customers

Strange statement from HP regarding Mike Lynch and not capable of scaling a company. Autonomy was a $7bn purchase which started as a small company...

1 day ago by pjc158 on HP cuts 27,000 staff as Autonomy chief Lynch leaves

Or - possibly, they will destroy business by ensuring people do not invest where there is no return. Another socialist idea, well beyond it's...

1 day ago by lojolondon on Open Data Institute will act as biz incubator