topic Re: Verifying Sendmail Patch Level in Operating System - HP-UX

Verifying Sendmail Patch Level

Gus Larsson — Mon, 18 Aug 2003 13:31:32 GMT

Hello all,
Is there a foolproof way to determine whether a version of Sendmail is fully patched? I'm fairly certain I applied the "manual updates" in March and April 2003 when several vulnerabilities were published, but how can I be sure? How can I convince the IS department around here that I am protected against various specific exploits? (Namely, remote buffer overflows, DNS handling overflow, smrsh error, "-bt overflow attack", local buffer overlow, etc...the list goes on).

I am running HP-UX 11.0 on a J5600 workstation. Telnetting to port 25 shows 8.11.1/8.11.1. The date of /usr/contrib/sendmail/usr/sbin/sendmail is April 4, 2003. Even if I were to download the July 2003 "special release" version from software.hp.com, how can I know for certain that the above vulnerabilities have been patched?

Thanks for any assistance,
Gus

Re: Verifying Sendmail Patch Level

Steven E. Protter — Mon, 18 Aug 2003 13:36:02 GMT

swlist -l product |grep -i sendmail

It will show all patches.

To do more, you are going to have to download some hacking instructions(I will not post that stuff here) and demonstrate to your management/auditors that you can withstand attack.

You also might want to set up httpd and dns in a chroot jail where users other than root start and own the daemons.

The best way to keep up is to get itrc security updates, and watch here for posts by Berlene Herren, she posts the warnings for HP the minute they are ready.

SEP

Re: Verifying Sendmail Patch Level

Pete Randall — Mon, 18 Aug 2003 13:38:46 GMT

Gus,

There was some discussion after the initial announcement of the vulnerabilities and the associated fix about how to tell if your version was OK:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x5c669c196a4bd71190080090279cd0f9,00.html

Pete

Re: Verifying Sendmail Patch Level

Massimo Bianchi — Mon, 18 Aug 2003 13:40:28 GMT

what /usr/sbin/sendmail

Massimo

Re: Verifying Sendmail Patch Level

Gus Larsson — Mon, 18 Aug 2003 14:51:17 GMT

Thanks for the replys. I'm not sure that any of the proposed methods will prove to the corporate IT folks that my version is not vulnerable, but at least the "what /usr/sbin/sendmail" shows a revision number. That way at least I'll be assured that I am protected, and I'll be able to evaluate my other systems similarly.

BTW, I don't see any of that "JAG" stuff when I run the "what ...sendmail" command, even though I just loaded the July 2003 special release. Here is what I get:

/etc/mail> what /usr/sbin/sendmail
/usr/sbin/sendmail:
Copyright (c) 1998 HEWLETT PACKARD COMPANY and its licensors,
including Sendmail, Inc., and the Regents of the
University of California. All rights reserved.
version.c 8.11.1 (Berkeley) - Revision 1.4 - 2003/05/05

I guess that maybe the JAG identifier (?) isn't included in all releases.

Gus

Re: Verifying Sendmail Patch Level

Geoff Wild — Tue, 19 Aug 2003 18:17:17 GMT

Try this:

echo \$Z | /usr/sbin/sendmail -bt -d

Rgds...Geoff