
Thread: Sendmail root exploit

  1. #1
    Did you SEQ today? BlueAdept's Avatar
    Join Date
    Dec 2001
    Posts
    2,014

    Sendmail root exploit

    Just wanted to let everyone know that they should use up2date or just update their sendmail rpms. This root exploit affects all linux distros that have versions below 8.12.8.

    ----------------------------------------------------------------------------------

    From Redhat's site:

    Updated Sendmail packages are available to fix a vulnerability that may allow remote attackers to gain root privileges by sending a carefully crafted message.

    These packages also fix a security bug if sendmail is configured to use smrsh.

    Sendmail is a widely used Mail Transport Agent (MTA) which is included in all Red Hat Linux distributions.

    During a code audit of Sendmail by ISS, a critical vulnerability was uncovered that affects unpatched versions of Sendmail prior to version 8.12.8. A remote attacker can send a carefully crafted email message which, when processed by sendmail, causes arbitrary code to be executed as root.

    We are advised that a proof-of-concept exploit is known to exist, but is not believed to be in the wild.

    Since this is a message-based vulnerability, MTAs other than Sendmail may pass on the carefully crafted message. This means that unpatched versions of Sendmail inside a network could still be at risk even if they do not accept external connections directly.

    In addition, the restricted shell (SMRSH) in Sendmail allows attackers to bypass the intended restrictions of smrsh by inserting additional commands after "||" sequences or "/" characters, which are not properly filtered or verified. A successful attack would allow an attacker who has a local account on a system which has explicitly enabled smrsh to execute arbitrary binaries as themselves by utilizing their .forward file.

    All users are advised to update to these erratum packages. For Red Hat Linux 8.0 we have included Sendmail version 8.12.8 which is not vulnerable to these issues. For all other distributions we have included a backported patch which corrects these vulnerabilities.

    Red Hat would like to thank Eric Allman for his assistance with this vulnerability.
    Filters for ShowEQ can now be found here. filters-5xx-06-20-05.tar.gz

    ShowEQ file section is here. https://sourceforge.net/project/show...roup_id=10131#

    Famous Quotes:

    Ratt: WTF you talkin' about BA? (Ok.. that sounds like a bad combo of Diffrent Strokes and A-Team)

    Razzle: I showeq my wife
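
Added example, not part of the original post or the Red Hat advisory: a triage helper that compares a reported Sendmail version against the 8.12.8 threshold quoted above, field by field, so that 8.9.3 and 8.12.10 sort correctly. The greeting lines and hostnames are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Classify a Sendmail version against the fixed release named in the advisory.
FIXED=8.12.8

# Print the dotted version from a bare version or an SMTP greeting; fail if none.
extract_version() {
    v=$1
    case "$v" in
        *[Ss]endmail\ [0-9]*) v=${v#*[Ss]endmail }; v=${v%%[!0-9.]*} ;;
    esac
    case "$v" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # not a clean dotted version
    esac
    printf '%s\n' "$v"
}

# Return 0 if $1 < $2, comparing each dotted field as a number (missing = 0).
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a= || a=${a#*.}
        [ "$b" = "$y" ] && b= || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# "below" means: check the installed package, since vendors may backport the fix.
classify() {
    ver=$(extract_version "$1") || { echo "unknown"; return 0; }
    if version_lt "$ver" "$FIXED"; then
        echo "below-$FIXED $ver"
    else
        echo "at-or-above-$FIXED $ver"
    fi
}

# Constructed sample inputs (not taken from any real host).
while IFS= read -r line; do
    printf '%-28s <- %s\n' "$(classify "$line")" "$line"
done <<'EOF'
220 mail.example.com ESMTP Sendmail 8.11.6/8.11.6; Tue, 4 Mar 2003 10:00:00 -0500
220 relay.example.org ESMTP Sendmail 8.12.10/8.12.10; Tue, 4 Mar 2003 10:00:01 -0500
8.9.3
220 mx.example.net ESMTP Postfix
EOF
```

A "below" result is only a prompt to check the installed package: the advisory says releases other than Red Hat Linux 8.0 received a backported patch, so a patched host can still report an older version string.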

  2. #2
    Registered User
    Join Date
    Dec 2001
    Posts
    411
    apt-get update
    apt-get dist-upgrade

    ~~

    i had new deb packages upgraded before i even got the mail from CERT yesterday, makes me happy.
    casey AT trifocus DOT net

  3. #3
    Registered User
    Join Date
    Dec 2001
    Posts
    152
    For the benefit of others running older RH systems (7.0s here) you may see dependency troubles linking back to openssl. The following link explained it best:

    http://www.der-keiler.de/Newsgroups/...2-03/0339.html

    Just a little RH fun :/
    --------
    - Catt

    >SELECT * FROM users WHERE clue > 0;
    0 rows returned
    /em sigh

  4. #4
    Registered User
    Join Date
    Jan 2002
    Posts
    87
    Looks like an exploit has been posted

    Hackers' code exploits Sendmail flaw

  5. #5
    Registered User
    Join Date
    Aug 2002
    Posts
    143
    Best solution: Don't run sendmail.

  6. #6
    Registered User
    Join Date
    Dec 2001
    Posts
    152
    No, THE best solution is unplug the wire.

    Sendmail works very well for me, and I can't recall the last security flaw it had. Pretty good record in my book.

    If you like Exchange and think it's better (cough) use it.

    Otherwise, patch it and move on.
    --------
    - Catt

    >SELECT * FROM users WHERE clue > 0;
    0 rows returned
    /em sigh

  7. #7
    Registered User
    Join Date
    Dec 2001
    Posts
    411
    he was probably insinuating that postfix is the answer.

    sendmail 4ever ~

    i hope he didn't mean qmail (ICK) or exim
    casey AT trifocus DOT net

  8. #8
    Registered User
    Join Date
    Aug 2002
    Posts
    143
    I can't recall the last security flaw it had
    I'm guessing you weren't around in the early 90s when sendmail was one of the biggest security flaw generators in existence? Even since then it still generates minor exploits a couple of times a year. If you need to refresh your memory, head on over to ISS:

    http://www.iss.net/security_center/s...ay=all&show=30

    I'm not entirely sure where you got the idea that Exchange was a drop-in replacement for Sendmail (or vice versa) - it isn't. They do entirely separate things and were built with very different purposes. Sendmail is an MTA. Exchange contains MTAs but is a lot, lot more.

    All I was suggesting with Sendmail was that standardizing on a single MTA with a known history of faults isn't a good idea. It's certainly the most flexible MTA out there but a little diversity is always a good thing in limiting the security vulnerabilities your network is open to. Postfix and qmail are both good alternates to introduce this variance.

  9. #9
    Registered User
    Join Date
    Jan 2002
    Posts
    1,508
    On the same note with sendmail, I'm surprised at the number of companies that standardize on Exchange. It seems to have just as many vulnerabilities as Sendmail (if not more) each year and as we've been discovering here, seems to have real problems if the network connection goes down and then back up (as we found when changing our core from cheap switches to Cisco switches). We had to fully reboot the Exchange system to get it back up.

  10. #10
    Registered User
    Join Date
    Apr 2002
    Posts
    45
    I would say a couple of reasons..

    You don't have to be extraordinarily bright to get Exchange up and working well.

    And your Admins don't demand 6 figure salaries.

  11. #11
    Developer Ratt's Avatar
    Join Date
    Dec 2001
    Posts
    533
    You guys are all smoking crack. Exim > Sendmail by a long shot...
    The problem with defending the purity of the English language is that English is about as pure as a cribhouse whore. We don't just borrow words; on occasion, English has pursued other languages down alleyways to beat them unconscious and riffle their pockets for new vocabulary.

  12. #12
    Registered User
    Join Date
    Aug 2002
    Posts
    143
    There's no reason to choose Exchange over Sendmail. I'd actually recommend sticking a unix MTA in front of an Exchange server (if that's the groupware solution you wanted) simply because I don't like exposing core business servers to a direct (or proxied) internet connection.

    Unix MTAs are a lot faster and more efficient than the Exchange IMC as well.

    As for "easy to set up Exchange", I call bullshit on that one. It's just great to install and run in MSCE classes but as soon as you get into the real world and have to deploy a smooth upgrade on a 5,000 employee network where someone's decided to switch to a new Active Directory schema from the one you originally deployed then things get tricky really fast.

    Exchange is soooo not worth it if you're just doing email.

  13. #13
    Registered User
    Join Date
    Oct 2002
    Posts
    15
    Heh,

    Can't remember the last time sendmail had a security hole?

    I suppose BIND works great for you too, zero holes!


    .zfod

  14. #14
    Registered User
    Join Date
    May 2002
    Posts
    92
    Oh my God! Linux isn't a 100% secure OS? Listen to this group and you'd think Windows was the bane of all evil, and Linux was Fort Knox. I'm shocked!

    Nice to have a little reality posted in these Linux based forums once in a blue moon.

  15. #15
    Did you SEQ today? BlueAdept's Avatar
    Join Date
    Dec 2001
    Posts
    2,014
    Originally posted by sauron
    Oh my God! Linux isn't a 100% secure OS? Listen to this group and you'd think Windows was the bane of all evil, and Linux was Fort Knox. I'm shocked!

    Nice to have a little reality posted in these Linux based forums once in a blue moon.
    Yea, but since this was posted, two more severe holes were found in Win2k and one in WinXP.