[ISN] Hackers' code exploits Sendmail flaw

From: InfoSec News (isnat_private)
Date: Tue Mar 04 2003 - 23:51:51 PST

    By Robert Lemos 
    Staff Writer, CNET News.com
    March 4, 2003, 3:55 PM PT
    A group of four Polish hackers published code to an open security
    mailing list on Tuesday that can take advantage of a major
    vulnerability in the Sendmail mail server.
    The code, released less than a day after the Sendmail flaw's public
    announcement, allows an attacker to remotely exploit a Red Hat or
    Slackware Linux computer running a vulnerable version of the mail
    server, the group--known as the Last Stage of Delirium--stated in the
    analysis that accompanied the code.
    While the limited number of platforms affected by the program seems to
    be good news, the group warned that its quick analysis might have
    missed other ways of exploiting the problem.
    "We do not claim that our way of exploitation is the only one," one of
    the group's members said in an e-mail with CNET News.com. "What we did
    was to perform the series of experiments aimed at actual verification
    of (the) vulnerability's impact. According to our results, this impact
    is much less significant than it might seem."
    The flaw in Sendmail--in one of the mail server's security functions
    that parses mail headers--was found by network protection firm
    Internet Security Systems and announced on Monday. Companies shipping
    versions of Sendmail affected by the flaw--believed to be more than 15
    years old--include IBM, Hewlett-Packard, Apple Computer, Sun
    Microsystems, Red Hat and other Linux vendors, according to advisories
    posted Monday by the Sendmail Consortium open-source project.
    The LSD group's research questioned whether as many types of servers
    running Sendmail are as vulnerable as previously thought.
    That's a moot point, said Eric Allman, founder of the Sendmail
    Consortium and chief technology officer for Sendmail Inc., a company
    that has created a commercial version of Sendmail.
    "I don't think anyone should be complacent," he said, stressing that
    other ways to exploit the flaw may exist. "Just get the patch."
    Allman wasn't sure how he felt about the security group publishing
    such extensive details about exploiting the vulnerability so soon
    after it was announced. For many years, security researchers and
    hackers have argued whether releasing detailed information about how a
    software flaw can be abused helps or hinders security.
    The Sendmail founder had expected that code would be released soon,
    but not within 24 hours. Moreover, the functional nature of the posted
    code--the script returns a terminal prompt with which an attacker
    could issue commands to the compromised host--was overkill, he said.
    "I would have preferred that they would have done a proof of concept,"  
    Allman said. Proof-of-concept code only illustrates how to exploit a
    vulnerability without actually doing anything overly useful.
    The LSD group--whose four members claim to be graduates of the Poznan
    University of Technology--say that releasing such code enhances the
    community's overall security.
    "We do believe that open and free information is the best for
    improving security," the group said in its e-mail to CNET News.com.  
    "In our opinion, publishing the details is the only way to...determine
    the impact. The lack of appropriate information on the issue can
    be...even more damaging."