Buffer Overflow in Sendmail

Posted by CmdrTaco
from the put-on-your-hardhat-and-rebuild dept.
ChiefArcher writes "On the footsteps of openssh, Sendmail 8.12.10 has just been released due to a buffer overflow in address parsing. Sendmail states this is potentially remotely exploitable. No updates on the Sendmail site yet, but the FTP site has the release notes."
  • by gmuslera (3436) * on Wednesday September 17, 2003 @02:17PM (#6987489) Homepage Journal
    Yesterday was the day of openssh, and today for sendmail (what's next? bind? apache?). More than the usual rant about using alternatives like postfix/qmail/exim/etc instead of sendmail, I see that as a positive thing; it could be a signal that more testing, auditing, and usage is being done, and by the open source nature of those tools, that these kinds of things will be fixed or the programs will evolve to avoid these kinds of things with (really) safer practices.
  • Re:*cough* (Score:3, Insightful)

    by adamruck (638131) on Wednesday September 17, 2003 @02:19PM (#6987518)
    *raises hand*

    The difference is that Microsoft's patches take forever to come out and introduce more holes than anything else.

    In linux patches come out the same day... and are well documented.
  • Re:OpenSSH as well (Score:5, Insightful)

    by CausticWindow (632215) on Wednesday September 17, 2003 @02:19PM (#6987519)

    It's a paradox that people who are so paranoid when it comes to security (there is no proof-of-concept remote exploit for either of these holes) would download patches from wherever and whoever.

    Posts like the parent ("get latest patch from me!") always get moderated up, so there must be somebody downloading and installing them. Maybe I shouldn't give people ideas.

  • by ReelOddeeo (115880) on Wednesday September 17, 2003 @02:21PM (#6987558)
    Before all the Microsoft apologists jump in and point out that any system can have vulnerabilities, and Linux users should not bash Microsoft.

    It is true that any system can have unintentional bugs that lead to security vulnerabilities. This is true of any system and not just Microsoft. Therefore, Microsoft should not be unfairly bashed due to these kinds of bugs, any more than any other system.

    But there is another kind of security problem for which Microsoft is deservedly bashed. The problem Microsoft is bashed for having poor security is when their system is insecure in its design. (It may not have been a design goal.)

    Examples would include, running a webserver under the System or Administrator account so that once it is compromised, the system is rooted. Installing and activating services by default. These problems are all caused by security having a low priority in the past, and Microsoft is deservedly bashed for these. Nimbda or Slammer may be buffer overflows which could happen to anyone, but there is some deserved criticism as to why it was such a huge problem.

    No doubt, sendmail also deserves some criticism.

    I wonder how many Linux/Apache systems get web pages defaced via SQL injection or other PHP related attacks, but do not lead to the box being rooted? Any numbers?
  • Re:*cough* (Score:3, Insightful)

    by bluGill (862) on Wednesday September 17, 2003 @02:23PM (#6987572)

    Sendmail has never had a good reputation for code quality. MS doesn't either. What's your point?

  • Re:*cough* (Score:2, Insightful)

    by Anonymous Coward on Wednesday September 17, 2003 @02:23PM (#6987578)
    The difference is that not only is the news of the bug breaking now, nor that it's exploitable, but that IT'S ALREADY FIXED
  • by Anonymous Coward on Wednesday September 17, 2003 @02:23PM (#6987583)
    Creating a string library that automatically ignores everything past the end of the string is easy. Getting programmers to use it is the hard part.
  • Re:*cough* (Score:3, Insightful)

    by mentin (202456) on Wednesday September 17, 2003 @02:24PM (#6987590)
    The question is whether postfix is any better, or simply nobody looked at it yet?

    Maybe the reason MS and sendmail products are so often compromised is that they are both very popular and thus are a good target for security companies? You would not get big fame (did I say money?) for finding bugs in some obscure product. However, finding a bug in any Microsoft product or sendmail will bring you to the headlines immediately.

  • Re:*cough* (Score:3, Insightful)

    by koreth (409849) * on Wednesday September 17, 2003 @02:24PM (#6987597)
    The difference is that Microsoft's patches take forever to come out and introduce more holes than anything else.

    Really? What holes were introduced by, say, the Blaster worm patch? Or any other patches you care to name?

    Can't argue about the speed of patches, exactly, but I'd point out that MS almost always releases a patch before the bug in question is widely exploited -- the problem with the last few worms/viruses was more with unpatched systems than lack of responsiveness on MS's part. MS could come out with a patch within a nanosecond of an exploit's discovery and there would still be millions of people who wouldn't bother applying it. That's hardly a problem that's unique to Windows -- I bet you can still find lots of Apache installations out there with known security holes.

  • by HaeMaker (221642) on Wednesday September 17, 2003 @02:25PM (#6987605) Homepage
    A fix for the "all your misspellings are beloning to us" Verisign hack.
  • by blate (532322) on Wednesday September 17, 2003 @02:26PM (#6987616)
    I'm not sure that "insecure by design" is quite fair to the hard-working folks who developed this near-ubiquitous MTA.

    A fairer assessment is that, when sendmail was designed, security was not as big an issue as it has become today. And in their defense, they do seem quite good about notifying people when vulnerabilities arise and releasing fixes as quickly as possible.

    That being said, sendmail is a pain in the ass. You have to remember that when sendmail was developed, there were many different mail protocols (besides SMTP), and sendmail had to support all of them -- this is why sendmail config files are so darned complex and unreadable. The vast majority of those have faded into obscurity, so subsequent products, like Postfix, can be much simpler and less complex and, thus, more likely to be secure. For a long time, sendmail was the only choice for a real MTA, but I think Postfix has proven itself a worthy successor.
  • by mopslik (688435) on Wednesday September 17, 2003 @02:35PM (#6987721)

    ...you must give Microsoft credit. When an exploit is made public, they already have the patch ready.

    You mean when Microsoft publicly discloses the exploit, usually weeks after it was first reported across the Internet?

  • by __past__ (542467) on Wednesday September 17, 2003 @02:37PM (#6987737)
    I'm a happy postfix user myself, but it should be noted for fairness reasons that the last postfix-related advisories [debian.org] are about two weeks old... Face it, some software may be better than others, but no matter what you are running, you'll always have to keep your systems up to date. Looking down on others because the software they run is oh so insecure and yours is perfect is the first step to being rooted.
  • by zapp (201236) on Wednesday September 17, 2003 @02:47PM (#6987821)
    Boy, I sure am glad that my SendmailUpdate notified me automatically that there was a problem and automatically downloaded the patch for me. Windows never does that, right folks?

    Seriously. How many people out there are running sendmail and don't read slashdot (thus never getting notification?). How many people are running a brand-spankin-new linux distro that came set up out of the box with sendmail, and don't even know they're running it? How many know they have it but just don't give a shit?

    Yes, the patch was released quickly. But how easily is it widely distributed? Windows may have buggy software - but so does the rest of the world; at least MS put automatic WindowsUpdate in XP to help take care of the distribution problem.

    Some people already are saying "well, MS code sucks, and so does sendmail's" ... and you're right, they're both prone to problems along with everyone else's code. The point is DISTRIBUTING A FIX. I don't see much of an open source solution for that.

    So there.
  • Re:OpenSSH as well (Score:4, Insightful)

    by RevMike (632002) <revMike AT gmail DOT com> on Wednesday September 17, 2003 @02:48PM (#6987827) Journal
    It's a paradox that people who are so paranoid when it comes to security (there is no proof-of-concept remote exploit for either of these holes) would download patches from wherever and whoever.

    One of the pluses of open source is that you have the ability to look at the code and determine exactly what the patch changes. For a small patch most sysadmins, even though they might not be an "elite" programmer, can determine that the code does some extra boundary checking or the like.

    I would hope that sysadmins do this before installing code from an unknown source.

  • by Ninja Programmer (145252) on Wednesday September 17, 2003 @02:57PM (#6987889) Homepage
    Is it perhaps time for a code rewrite in Sendmail, or maybe a quiet, dignified retirement?
    As with most legacy software, there is a large investment in the expertise people have built up in learning how to use/configure it. So retirement won't get rid of it. Rewriting it may just lead to creation of new security flaws (for example, openssh, is a far more modern code which is far more motivated to be secure from the get go, but as recent advisories/exploits have shown that doesn't make it magically bug-free) rather than moving towards the goal of eliminating them.

    The right answer is to embark on a methodology for trying to root out the bugs, and/or use technologies that are intrinsically more resilient in the first place. While rewrites in Java or Python are problematic ideas from the very get go (either requiring an installed and functional JVM, or being as slow as a post), one can at least address the ANSI C string library weakness (the obvious lowest hanging fruit) by using a substitute [sf.net].

    Look guys -- this is an opportunity. Microsoft thumbs their collective noses at Open Source people because they believe that they are more innovative. If the Linux community is able to put forth mechanisms, ideas, and possibly tools that truly address the "safe programming" issue, then this would be a quick slap in their face.

    Steve Ballmer has started pounding his fist and making prognostications about how Microsoft is going to deal with security via their innovation. Of course it's nonsense -- but people will only realize this *if* the Open Source community is able to step up to the plate and *demonstrate* their superior solution.
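The Anonymous Coward above ("a string library that automatically ignores everything past the end of the string") and this comment (substituting for the ANSI C string library) describe the same idea. The following is an added illustration of what such a bounded-string API looks like in C; it is not sendmail code and not code from any poster or from the library linked above. The type `bstr`, the capacity `BSTR_CAP` and the `address_local_part` helper are assumptions made for this example, and the sample addresses are constructed.

```c
/* Added example (not sendmail code): a minimal bounded-string API in C.
 * Every write is clipped to the buffer's capacity, the result is always
 * NUL-terminated, and the caller is told when clipping happened so it can
 * reject the input instead of silently continuing with a partial value. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BSTR_CAP 16   /* capacity including the terminating NUL; small on purpose */

typedef struct {
    char   buf[BSTR_CAP];
    size_t len;        /* bytes in use, excluding the NUL */
    int    truncated;  /* set once any write has been clipped */
} bstr;

void bstr_init(bstr *s)
{
    s->buf[0] = '\0';
    s->len = 0;
    s->truncated = 0;
}

/* Append up to n bytes of src; bytes that would not fit are dropped.
 * Returns the number of bytes actually appended. */
size_t bstr_append_n(bstr *s, const char *src, size_t n)
{
    size_t room = BSTR_CAP - 1 - s->len;   /* space left before the NUL */
    size_t take = n < room ? n : room;
    memcpy(s->buf + s->len, src, take);
    s->len += take;
    s->buf[s->len] = '\0';
    if (take < n)
        s->truncated = 1;
    return take;
}

size_t bstr_append(bstr *s, const char *src)
{
    return bstr_append_n(s, src, strlen(src));
}

/* Copy the local part (text before '@') of an address into a bounded buffer.
 * Returns 1 if the whole local part fit, 0 if it was clipped, so the caller
 * can refuse over-long input rather than proceed with a partial address. */
int address_local_part(const char *addr, bstr *out)
{
    const char *at = strchr(addr, '@');
    size_t n = at ? (size_t)(at - addr) : strlen(addr);
    bstr_init(out);
    bstr_append_n(out, addr, n);
    return !out->truncated;
}

int main(void)
{
    bstr s;
    /* Constructed inputs: one fits, one is deliberately longer than BSTR_CAP */
    if (address_local_part("user@example.org", &s))
        printf("ok: '%s'\n", s.buf);
    if (!address_local_part("this-local-part-is-far-too-long@example.org", &s))
        printf("rejected over-long local part (kept '%s')\n", s.buf);
    return 0;
}
```

Clipping alone is not enough: a silently truncated address is a different address, so the API records the truncation and the caller treats it as a reason to reject the input.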
  • by RevMike (632002) <revMike AT gmail DOT com> on Wednesday September 17, 2003 @02:57PM (#6987896) Journal
    A fairer assessment is that, when sendmail was designed, security was not as big an issue as it has become today.

    Absolutely. In sendmail's heyday, the internet was a collection of several hundred .edu and .mil organizations, with a few .com technology companies thrown in, notably IBM and DEC. The few hundred thousand people on the net tended to be researchers and faculty in technical fields and their students. Security was very lax because it was a relatively small, closed, professional society. People simply didn't worry about security.

    It is probably time to either move to a new MTA or rewrite sendmail from the ground up.

  • by Anonymous Coward on Wednesday September 17, 2003 @03:11PM (#6988037)
    SO QUIT BITCHING AT ME TO SWITCH TO EXIM/QMAIL/MSEXCHANGE/WHATEVER!

    You people are almost as irritating as Christians trying to win converts!
  • by kupci (642531) on Wednesday September 17, 2003 @03:15PM (#6988090)
    Before all the Microsoft apologists jump in and point out that any system can have vulnerabilities, and Linux users should not bash Microsoft.

    Interestingly, *nix users don't seem to howl at Slashdot for publishing every vulnerability that comes along in *nix; rather there are discussions of the best way to patch etc., whereas I've noticed that every time there is a post about the latest Windows/IE/SQL Server/?? hole, there is a deluge of postings from defensive MSFT zealots who loudly complain that the Slashdot world is picking on them. Odd.

  • by rworne (538610) on Wednesday September 17, 2003 @03:21PM (#6988145) Homepage
    Actually it is secure, depending on your needs.

    I need a mail server for non-sensitive e-mails. If someone roots Hotmail's server, I couldn't care less about it. If someone roots my server, then it's a whole different matter. I also use it to prevent handing out my real email address to the myriad of sites that require e-mail registration and for usenet postings.

    So yes, in my case Hotmail is a very secure solution.
  • by gregarican (694358) on Wednesday September 17, 2003 @03:27PM (#6988209) Homepage
    True that about basic fundamental flaws. Reminds me of some project I had to write in college on the old DEC VAXes. That's about the level of expertise and sophistication exhibited in sendmail.

    People bash Micro$loth because their software has an inherently insecure architecture (e.g. - unnecessary services enabled by default, services running with admin rights, etc.), not just being poorly coded. But then again there are some inherent shortcomings in older *NIX software and sendmail is just one example.

    Even the Internet as a whole. Back when the Internet was exclusively a failsafe/experimental communication backup for military installations and college campuses it was never meant to be secure in the software sense. It was secure more in terms of physical access. For example, there probably wouldn't be a compromise of an Air Force computer room if external "bad guys" couldn't get physical access into the room and room activities were strictly monitored for internal users. There was never the assumption that the general public would all share remote access to the Internet.

    That being said, it will obviously take a massive effort not just to code new software more securely, but to review, patch, or pitch legacy code such as seen in stories like this. Each generation of computer users is savvier and savvier, as most exploits are propagated by kids who toilet paper houses on the weekend. And that is a scary thought if I was Joe Head-up-my-ass PHB too cheap to update/upgrade/migrate software and still running old crap like this.

  • Re:OpenSSH as well (Score:3, Insightful)

    by Politburo (640618) on Wednesday September 17, 2003 @03:31PM (#6988263)
    Posts like the parent ("get latest patch from me!") always get moderated up, so there must be somebody downloading and installing them.

    Considering that a lot of mods don't even seem to READ the posts they mod, I doubt they checked out the link.
  • by autechre (121980) on Wednesday September 17, 2003 @03:58PM (#6988509) Homepage
    Windows Update does not come configured to automatically download and install updates for you. It also does not always work. It has been reported to falsely report that patches are installed, and to prompt to install patches over and over again that are already installed. And how many people, used to an endless barrage of meaningless dialog boxes from Microsoft products (though they are not the only ones who do this), dismissed the auto-updates configuration, and so go unpatched? Additionally, were you aware of the 31 currently unpatched security holes in IE?

    http://www.pivx.com/larholm/unpatched/

    As for being informed, if Slashdot is your only source for notification about security vulnerabilities, you have bigger problems than a single sendmail exploit.

  • by Tet (2721) * <.ku.oc.enydartsa. .ta. .todhsals.> on Wednesday September 17, 2003 @05:02PM (#6989046) Homepage Journal
    apt-get update
    apt-get upgrade

    Stick it in a cronjob.

    Yikes! Remind me to never give you a job as an admin for any of my computers. While that sort of thing might be acceptable for a home desktop, it's suicide on a corporate server...
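The quoted cron recipe (apt-get update; apt-get upgrade) applies whatever the mirror offers, which is the objection raised in this reply. One way to keep the automation but put a review step in front of the real upgrade is to run apt-get in simulation mode and extract what it would change. The script below is an added example, not from the thread or from Debian; it assumes the "Inst <pkg> [<old>] (<new> ...)" line format of apt-get's simulated output, and the sample output it parses is constructed (the version strings are placeholders).

```sh
#!/bin/sh
# Added example: gate an unattended "apt-get upgrade" behind a review step.
# apt-get -s (simulate) prints one "Inst <pkg> [<old>] (<new> ...)" line per
# package it would upgrade (format assumed from apt-get's simulation output).
# Listing those lets an admin, or a change ticket, approve the set before the
# real upgrade runs, instead of applying whatever a cron job happens to fetch.

# Turn simulated apt-get output on stdin into "pkg old-version new-version" lines.
pending_upgrades() {
    awk '$1 == "Inst" {
        old = substr($3, 2, length($3) - 2)   # strip the [ ] around the old version
        new = substr($4, 2)                   # strip the ( before the new version
        print $2, old, new
    }'
}

# Number of packages a simulation would touch.
count_pending() {
    pending_upgrades | wc -l | tr -d ' '
}

# Constructed sample of what "apt-get -s upgrade" might print; versions are placeholders.
SAMPLE='Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  examplepkg sendmail
Inst examplepkg [1.0-1] (1.0-2 Debian:stable [i386])
Conf examplepkg (1.0-2 Debian:stable [i386])
Inst sendmail [8.12.9-0] (8.12.10-0 Debian:stable [i386])
Conf sendmail (8.12.10-0 Debian:stable [i386])'

# On a real host the pipeline would be:
#   apt-get update && apt-get -s upgrade | pending_upgrades
# Here the constructed sample stands in for the simulation output.
printf '%s\n' "$SAMPLE" | pending_upgrades
```

The cron job can mail the resulting list and stop there; the actual apt-get upgrade is run only after someone has read it, which keeps the "patches come out the same day" advantage without handing a corporate server's package state to an unattended script.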
