Fwd: Hackers' code exploits Sendmail flaw

Craig Pratt craig at STRONG-BOX.NET
Thu Mar 6 03:28:45 GMT 2003


In case you haven't been keeping up on the news, it looks like there
are already working exploits of the sendmail vulnerability announced
Monday. The one discussed below will basically open a remote terminal
on the attacked system - presumably as root.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
From http://zdnet.com.com/2100-1105-991041.html

Hackers' code exploits Sendmail flaw
By Robert Lemos
CNET News.com
March 5, 2003, 4:31 AM PT

A group of four Polish hackers published code to an open security
mailing list on Tuesday that can take advantage of a major
vulnerability in the Sendmail mail server.

The code, released less than a day after the Sendmail flaw's public
announcement, allows an attacker to remotely exploit a Red Hat or
Slackware Linux computer running a vulnerable version of the mail
server, the group--known as the Last Stage of Delirium--stated in the
analysis that accompanied the code.

While the limited number of platforms affected by the program seems to
be good news, the group warned that its quick analysis might have
missed other ways of exploiting the problem.

"We do not claim that our way of exploitation is the only one," one of
the group's members said in an e-mail with CNET News.com. "What we did
was to perform the series of experiments aimed at actual verification
of (the) vulnerability's impact. According to our results, this impact
is much less significant than it might seem."

The flaw in Sendmail--in one of the mail server's security functions
that parses mail headers--was found by network protection firm Internet
Security Systems and announced on Monday. Companies shipping versions
of Sendmail affected by the flaw--believed to be more than 15 years
old--include IBM, Hewlett-Packard, Apple Computer, Sun Microsystems,
Red Hat and other Linux vendors, according to advisories posted Monday
by the Sendmail Consortium open-source project.

The LSD group's research questioned whether as many types of servers
running Sendmail are as vulnerable as previously thought.

That's a moot point, said Eric Allman, founder of the Sendmail
Consortium and chief technology officer for Sendmail Inc., a company
that has created a commercial version of Sendmail.

"I don't think anyone should be complacent," he said, stressing that
other ways to exploit the flaw may exist. "Just get the patch."

Allman wasn't sure how he felt about the security group publishing such
extensive details about exploiting the vulnerability so soon after it
was announced. For many years, security researchers and hackers have
argued whether releasing detailed information about how a software flaw
can be abused helps or hinders security.

The Sendmail founder had expected that code would be released soon, but
not within 24 hours. Moreover, the functional nature of the posted
code--the script returns a terminal prompt with which an attacker could
issue commands to the compromised host--was overkill, he said.

"I would have preferred that they would have done a proof of concept,"
Allman said. Proof-of-concept code only illustrates how to exploit a
vulnerability without actually doing anything overly useful.

The LSD group--whose four members claim to be graduates of the Poznan
University of Technology--says that releasing such code enhances the
community's overall security.

"We do believe that open and free information is the best for improving
security," the group said in its e-mail to CNET News.com. "In our
opinion, publishing the details is the only way to...determine the
impact. The lack of appropriate information on the issue can be...even
more damaging."
