March 03, 2003
welcome the new sendmail autor00ter

yep. i was just thinking last week how it's about time for a juicy bug in sendmail to appear. guess my wish has been granted. check archives for how to update yoself before the worms appear.

Remote Sendmail Header Processing Vulnerability

Synopsis:

ISS X-Force has discovered a buffer overflow vulnerability in the Sendmail
Mail Transfer Agent (MTA). Sendmail is the most common MTA and has been
documented to handle between 50% and 75% of all Internet email traffic.

Impact:

Attackers may remotely exploit this vulnerability to gain "root" or superuser
control of any vulnerable Sendmail server. Sendmail and all other email
servers are typically exposed to the Internet in order to send and receive
Internet email. Vulnerable Sendmail servers will not be protected by legacy
security devices such as firewalls and/or packet filters. This vulnerability
is especially dangerous because the exploit can be delivered within an email
message and the attacker doesn't need any specific knowledge of the target to
launch a successful attack.

Affected Versions:

Sendmail versions from 5.79 to 8.12.7 are vulnerable.

Note: The affected versions of both Sendmail commercial and Sendmail open
source are known to be vulnerable on all platforms.

Description:

The Sendmail remote vulnerability occurs when processing and evaluating
header fields in email collected during an SMTP transaction. Specifically,
when fields are encountered that contain addresses or lists of addresses
(such as the "From" field, "To" field and "CC" field), Sendmail attempts
to semantically evaluate whether the supplied address (or list of addresses)
is valid. This is accomplished using the crackaddr() function, which is
located in the headers.c file in the Sendmail source tree.

A static buffer is used to store data that has been processed. Sendmail
detects when this buffer becomes full and stops adding characters, although
it continues processing. Sendmail implements several security checks to
ensure that characters are parsed correctly. One such security check is
flawed, making it possible for a remote attacker to send an email with a
specially crafted address field that triggers a buffer overflow.

X-Force has demonstrated that this vulnerability is exploitable in real-world
conditions on production Sendmail installations. This vulnerability is
readily exploitable on x86 architecture systems, and may be exploitable on
others as well.

Protection mechanisms such as implementation of a non-executable stack do not
offer any protection from exploitation of this vulnerability. Successful
exploitation of this vulnerability does not generate any log entries.

Recommendations:

For identification of potentially vulnerable systems, Internet Security
Systems has provided the following assessment checks:

Internet Scanner XPU 6.24
MtaDiscovery - (< http://www.iss.net/security_center/static/10961.php >)

Internet Scanner XPU 6.26
SendmailRunning - (< http://www.iss.net/security_center/static/2938.php >)

System Scanner SR 3.13
sendmail-header-processing-bo - (< http://www.iss.net/security_center/static/10748.php >)

For Dynamic Threat Protection, Internet Security Systems recommends applying a
Virtual Patch for the Sendmail vulnerability. Employ the following protection
techniques through ISS’ Dynamic Threat Protection platform.

RealSecure Network Sensor XPU 20.9 and 5.8:
SMTP_Sendmail_Header_Parse_Overflow -
( http://www.iss.net/security_center/static/10748.php )

All updates listed above are available from the ISS Download center
( http://www.iss.net/download )

For Manual Protection, the affected vendor has offered the following
recommendations:

Sendmail urges all users to either upgrade to Sendmail 8.12.8 or apply a patch
for 8.12.x (or for older versions). Updates can be downloaded from
ftp.sendmail.org or any of its mirrors (try a mirror near to you first); see
http://www.sendmail.org/ for details. Remember to check the PGP signatures of
patches or releases obtained. For those not running the open source version,
check with your vendor for a patch. Sendmail, Inc., the commercial provider of
the sendmail MTA, is providing a binary patch for their commercial customers.
The patch can be downloaded from Sendmail's Web site at: http://www.sendmail.com/

Sendmail versions that are patched will record the following log entry when
exploitation is attempted: "Dropped invalid comments from header address".

Vendor Notification Schedule:

Initial vendor notification: 1/13/2003
Initial vendor confirmation: 1/13/2003
Final release schedule confirmation: 1/31/2003

Posted by skp at March 03, 2003 11:29 AM
Comments

GOOOOOOOOOOOOOOOOOBBBBBBBBBBBBBBBBLLLLLLLLLLLLEEEEEEEEEEEEEEESSSSSSSSSSSSSSS!!!!!!

Bahahhahahaa, sup Skip? Just rooting through old email, thought i'd drop you a line.

-Chris

Posted by: Chris on March 6, 2003 02:13 PM

hah sweet surf mov's... dood you should show up at my wedding next weekend if you got nothing going on.

Posted by: skp on March 13, 2003 11:32 AM