
Re: PLEASE PATCH YOUR SENDMAIL!

SOLVED
Steven E. Protter
Exalted Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

Okay Berlene that actually makes me feel better.

Our email infrastructure is exchange oriented with a smtp relay server to route and handle inbound/outbound traffic. The smtp server is programmed under no circumstances to send any mail messages to our HP-UX servers.

When I send out a message off one of my UX servers and it's to a bad address, I can't get the bounce, because of the configuration.

Obviously someone could mess with the Exchange or SMTP servers, but if they can't send mail to the UX boxes, is there a problem?

This has btw been a fascinating discussion. I've learned a lot.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Berlene Herren
Honored Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

Steven, you sound like you have the HPUX boxes covered. If they do not receive mail, then they cannot be exploited by this vulnerability.

And it has been fun, hasn't it? :-)

Berlene
http://www.mindspring.com/~bkherren/dobes/index.htm
Jeff Schussele
Honored Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

Hi Berlene,

I've done as Patrick & just stopped accepting mail on servers that don't need to.

But I have a question.
I understand that the exploit is message-oriented and MTAs will just merrily pass it along to its destination. But if the affected server resides behind solid firewalls, how does the system get exploited by the sender AFTER the buffer overflow? Can this thing capture files on internal servers & send them out to be examined or cracked?
I don't see this exploit as being able to affect FWs as well, or am I missing something here?
I guess the vulnerability could be exploited by internal personnel.....

I see the major, urgent problems on I-net facing & DMZ systems more so than well protected, internal systems.
Would you agree?

I don't wish to make light of the situation at all, but at the same time I don't want a "chicken little" syndrome spawning unnecessary fear levels. We're being subjected to far too much of this fear-mongering already outside of our work environments, wouldn't you think?

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Steven E. Protter
Exalted Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

I've just run a telnet 25 test.

My servers can accept mail directed at them from any workstation on my network.

This means I am vulnerable.

The good news is outside our department there are no users in the organization with near enough knowledge to exploit the problem.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Robert Gamble
Respected Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

For visibility, bouncing this back to the top!

Everyone, please make sure you are not vulnerable.
John J Read
Frequent Advisor

Re: PLEASE PATCH YOUR SENDMAIL!

Thanks everyone! I've installed the fix on all of my servers and feel better. Made me look good to mgmt too!

I haven't seen an answer to this question in the documentation. In what manner is the privileged access exploited? Is the intruder coming in via telnet after you've been hit, or are they executing code as root via the received email message?

For instance, would there be a root entry in wtmp assuming the intruder didn't mess with this file? I understand all of the implications of a root level intruder covering up their trail. Just wondering if they are logging in or executing code. Either way, scary stuff.
Pete Randall
Outstanding Contributor
Solution

Re: PLEASE PATCH YOUR SENDMAIL!

John,

I was just reading my SANS Newsbites about this. Here's what they had to say:

--Sendmail Vulnerability Demonstrates New DHS Capabilities
(3 March 2003)
A vulnerability was reported in Sendmail that allows root access simply
by sending a specially crafted email. Action by the Department of
Homeland Security and affected vendors led to a coordinated program for
patch development, early warning for critical infrastructure industries
and government agencies, and broad information dissemination, while
maintaining secrecy until the
http://www.washingtonpost.com/wp-dyn/articles/A41859-2003Mar4.html
http://www.cert.org/advisories/CA-2003-07.html
http://www.msnbc.com/news/880094.asp?0cv=CB10
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,78991,00.html
http://news.com.com/2100-1009-990802.html
SANS web broadcast features people from sendmail.com, ISS,
SourceFire, and the SANS faculty experts answering questions about the
vulnerability, what systems are vulnerable, and what can be done to
protect Sendmail beyond patching. Also includes a brief discussion
of the new Snort vulnerability.
http://www.sans.org/webcasts/030303.php
Free, requires registration


I apologise for the truncation right before the list of URLs. That's the way SANS published it.

Pete
Berlene Herren
Honored Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

Excellent information, Pete! Thanks so much for sharing this with the community.

Berlene
http://www.mindspring.com/~bkherren/dobes/index.htm
Pete Randall
Outstanding Contributor

Re: PLEASE PATCH YOUR SENDMAIL!

Berlene,

Glad to - this thing scares me!

Pete
Edmund Ng
New Member

Re: PLEASE PATCH YOUR SENDMAIL!

JP: From my experience, the only way to tell if you have the patched binary running is to run the following:

strings /usr/lib/sendmail | grep Dropped

You should get the following output:

Dropped invalid comments from header address

If your sendmail binary is not patched, you won't get any output.

This is true for patched sendmail binaries on all platforms (from what I can tell).

-- Edmund.
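The two checks this thread settles on, scripted. This is an added example, not code posted by anyone in the thread: Steven's "telnet 25" test (does a host greet an arbitrary workstation with a 220 banner, i.e. will it accept the crafted message at all?) and Edmund's binary check (does the sendmail binary carry the "Dropped invalid comments from header address" string that the header-parsing fix introduced?). Assumptions not taken from the posts: nc(1) is used for the connection test because telnet cannot be scripted cleanly, grep -a on the raw binary is treated as equivalent to strings | grep where strings(1) is missing, and the host names and file contents used for testing are placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): script the two checks
# discussed above.  Assumes nc(1) for the network test; host names in
# the usage line are placeholders.

PATCH_MARKER='Dropped invalid comments from header address'

# sendmail_patched [BINARY]
# Edmund's check.  Exit 0 if BINARY contains the marker (patched),
# 1 if it does not, 2 if the file cannot be read.  Uses strings(1)
# where available; grep -a on the raw binary is the equivalent fallback.
sendmail_patched() {
    bin=${1:-/usr/lib/sendmail}
    if [ ! -r "$bin" ]; then
        echo "sendmail_patched: cannot read $bin" >&2
        return 2
    fi
    if command -v strings >/dev/null 2>&1; then
        strings "$bin" | grep -q "$PATCH_MARKER"
    else
        grep -a -q "$PATCH_MARKER" "$bin"
    fi
}

# smtp_greeting_ok LINE
# Exit 0 if LINE is an SMTP greeting (reply code 220, single or
# multi-line form); a host that greets is accepting mail from us.
smtp_greeting_ok() {
    case $1 in
        220\ *|220-*) return 0 ;;
        *)            return 1 ;;
    esac
}

# smtp_accepts HOST [PORT] [TIMEOUT]
# Steven's "telnet HOST 25" test, scripted: connect, read the first
# line, look for a 220 greeting.  Exit 0 if the host accepts SMTP,
# 1 if it refuses or greets with something else, 2 if nc is missing.
smtp_accepts() {
    host=$1; port=${2:-25}; timeout=${3:-5}
    if ! command -v nc >/dev/null 2>&1; then
        echo "smtp_accepts: nc not found" >&2
        return 2
    fi
    greeting=$(printf 'QUIT\r\n' | nc -w "$timeout" "$host" "$port" 2>/dev/null \
               | head -n 1 | tr -d '\r')
    smtp_greeting_ok "$greeting"
}

# check_hosts HOST...
# A box that answers 220 to an arbitrary workstation is exactly the
# exposure Steven found: reachable by the crafted message, so the
# binary check is what decides whether it is vulnerable.
check_hosts() {
    for h in "$@"; do
        rc=0
        smtp_accepts "$h" || rc=$?
        case $rc in
            0) echo "$h: accepts SMTP -> exposed unless its sendmail is patched" ;;
            1) echo "$h: no SMTP greeting -> the crafted message cannot reach it" ;;
            *) echo "$h: could not test" ;;
        esac
    done
}

# Usage: sh sendmail_check.sh [BINARY] [HOST...]
# e.g.   sh sendmail_check.sh /usr/lib/sendmail ux1.example.com ux2.example.com
if [ $# -gt 0 ]; then
    rc=0
    sendmail_patched "$1" || rc=$?
    case $rc in
        0) echo "$1: patched (marker present)" ;;
        1) echo "$1: NOT patched (marker absent)" ;;
        *) echo "$1: unreadable" ;;
    esac
    shift
    check_hosts "$@"
fi
```

Run it on each UX box against its own /usr/lib/sendmail, then from an ordinary workstation against the list of servers; a host that prints "accepts SMTP" and "NOT patched" is the combination the thread is warning about. The marker check only tells you the binary on disk is the fixed one; a sendmail daemon started before the patch was installed is still running the old code until it is restarted.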