Solved: Sendmail - question re: hp fix

jmb · ‎03-05-2003

I've just installed the 893.11.11 sendmail file onto a couple of HP servers, as per the instructions in the SSRT3469 instructions. I also came across a little check routine, originally from sendmail.org, that checks for certain strings in the sendmail executable to see if the new version is installed. When I run this on an updated Sun box, the output is "patched". When I run it on the HP's that I just changed, I get "not patched".

This is the command: "strings $PATH_TO_SENDMAIL/sendmail | grep 'Dropped invalid comments from header address' > /dev/null && echo Patched || echo Not Patched"

Shouldn't the HP version of sendmail reflect these changes from sendmail.org, or did HP just set them up differently?

Christopher Caldwell · ‎03-05-2003

I believe that HP doesn't follow the same "what" conventions as software directly ported from sendmail.org.

e.g. what /usr/sbin/sendmail gives an HP'ish answer.

I imagine that this is because they're doing some version containment and other things to reduce their support costs (and impact on customers).

Generally, you will see HP patch information in the what header (e.g. a PHNE_*).

Steven E. Protter · ‎03-05-2003

For reasons not revealed to the user community, HP is providing binary files which you can use to replace your sendmail binary on your system.

This is contrary to their normal practice of providing Software Distributor patches, PHNE_#####

I imagine the SD version will come out, but you don't need to wait.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Robin Wakefield · ‎03-06-2003

Hi:

Works ok with me. Are you setting the PATH_TO_SENDMAIL variable before running the command?

rgds, Robin

Berlene Herren · ‎03-06-2003

Pete Randall posted an excellent article from SANS with a great explanation:

--Sendmail Vulnerability Demonstrates New DHS Capabilities
(3 March 2003)
A vulnerability was reported in Sendmail that allows root access simply
by sending a specially crafted email. Action by the Department of
Homeland Security and affected vendors led to a coordinated program for
patch development, early warning for critical infrastructure industries
and government agencies, and broad information dissemination, while
maintaining secrecy until the SANS web broadcast features people from sendmail.com, ISS, SourceFire, and the SANS faculty experts answering questions about the
vulnerability, what systems are vulnerable, and what can be done to
protect Sendmail beyond patching.

Thanks again, Pete.

Berlene

http://www.mindspring.com/~bkherren/dobes/index.htm

jmb · ‎03-06-2003

Robin,

Yes, I replaced the pathname appropriately. Are you saying that you actually have the "invalid comments" line contained within your HP patch?

someone_4 · ‎03-06-2003

hello,
try

strings /usr/sbin/sendmail | grep -i dropped

Richard

someone_4 · ‎03-06-2003

hello,
try

strings /usr/sbin/sendmail | grep -i dropped

/# strings /usr/sbin/sendmail | grep -i dropped
Dropped invalid comments from header address

Richard

jmb · ‎03-06-2003

I am using the correct syntax. I do not have the "dropped invalid comments" in my file. It appears that at least some of you do. I do not understand why some appear to have a different file than I do, unless I've installed it incorrectly. Did HP include those lines in the new sendmail, or didn't they?

The only thing different after the patch install, is when I run the little "-d0.1" command, and it shows the long PHNE_26305.....58098) value.

I need to be able to verify with confidence that the patch has been installed.

Berlene Herren · ‎03-06-2003

I have the lines...

# strings /usr/sbin/sendmail | grep -i dropped
Dropped invalid comments from header address

What do you show when you do

#what /usr/sbin/sendmail?

Berlene

http://www.mindspring.com/~bkherren/dobes/index.htm

Pete Randall · ‎03-06-2003

I don't know as this will assure you any but I have the same situation. My 8.9.3 sendmails on 11.11 machines do not show the "dropped" text. However, my 8.9.3 on an 11.0 machine does. It seems like they were left out in the 11.11 version.

Pete

Pete

jmb · ‎03-06-2003

This is my output: (hope it wraps okay here)

# what /usr/sbin/sendmail
/usr/sbin/sendmail:
Copyright (c) 1998 HEWLETT PACKARD COMPANY and its licensors,
including Sendmail, Inc., and the Regents of the
University of California. All rights reserved.
version.c 8.9.3.1 (Berkeley) 4/10/2002 (PHNE_26305+JAGae58098)
#

Pete Randall · ‎03-06-2003

That matches mine:

what /usr/sbin/sendmail
/usr/sbin/sendmail:
Copyright (c) 1998 HEWLETT PACKARD COMPANY and its licensors,
including Sendmail, Inc., and the Regents of the
University of California. All rights reserved.
version.c 8.9.3.1 (Berkeley) 4/10/2002 (PHNE_26305+JAGae58098)

Berlene said in another thread that the JAG (58098) is the key so I'm assuming that this is patched.

Pete

Pete

jmb · ‎03-06-2003

Ok, Pete. Thanks for your assistance and research. I will take this as being patched, and that indeed HP "dropped" some text from that particular file.

Pete Randall · ‎03-06-2003

Berlene's mention of the JAG number are well down in this thread:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x82599c196a4bd71190080090279cd0f9,00.html

Pete

And, you're welcome!

Pete

Berlene Herren · ‎03-06-2003

try this on 11.11

root@klyde-/>grep -i dropped /usr/sbin/sendmail
Dropped invalid comments from header addresscrackaddr=>`'

OR

root@>strings -a sendmail.811.11.11 | grep Dropped

Dropped invalid comments from header address

Berlene

http://www.mindspring.com/~bkherren/dobes/index.htm

Pete Randall · ‎03-06-2003

Well, I'll be darned:

$ sendmail -d0.1 < /dev/null | grep -i version
Version 8.9.3 (PHNE_26305+JAGae58098)
$ uname -a
HP-UX tsws1 B.11.11 U 9000/785 2006482480 unlimited-user license
$ grep -i dropped /usr/sbin/sendmail
Dropped invalid comments from header addresscrackaddr=>`'
$ strings /usr/sbin/sendmail |grep -i dropped

Pete

Pete

jmb · ‎03-06-2003

Gee, why didn't I try that sooner? Guess this will go into the bag of tricks for the next time "strings" doesn't appear to be working right...

Sendmail - question re: hp fix

Sendmail - question re: hp fix

Re: Sendmail - question re: hp fix

Re: Sendmail - question re: hp fix

Re: Sendmail - question re: hp fix

Re: Sendmail - question re: hp fix

Re: Sendmail - question re: hp fix

Re: Sendmail - question re: hp fix

Re: Sendmail - question re: hp fix

Re: Sendmail - question re: hp fix

Re: Sendmail - question re: hp fix

Re: Sendmail - question re: hp fix

Re: Sendmail - question re: hp fix

Re: Sendmail - question re: hp fix

Re: Sendmail - question re: hp fix

Re: Sendmail - question re: hp fix

Re: Sendmail - question re: hp fix

Re: Sendmail - question re: hp fix

Re: Sendmail - question re: hp fix