Sendmail Vulnerabilities and the smad Attack (sendmail accept DoS)
Versions of sendmail prior to version 8.8.5 have a variety of vulnerabilities. Older versions of sendmail may also run in DEBUG mode, which could allow access from a malicious user.
Impact
Malicious users exploiting these vulnerabilities are able to gain unauthorized access, possibly even root access, to a target system.
Background
sendmail, first released circa 1983, is a mail router program: it was designed to route email between peers on a network and also to route mail between networks. Note that sendmail is a routing program, not an application that an ordinary user would use to format and send messages. Instead, sendmail accepts formatted messages from an email program (such as Outlook Express, Eudora or Pegasus) and then sends them to the appropriate recipients. The message is sent using the Simple Mail Transfer Protocol (SMTP), which was designed to be a reliable and effective transport for mail messages.
The Problems
Versions 8.8.3 and 8.8.4 of sendmail have a serious security vulnerability that allows remote users to execute arbitrary commands on the local system with root privileges. By sending a carefully crafted email message to a system running a vulnerable version of sendmail, intruders may be able to force sendmail to execute arbitrary commands with root privileges. Those commands are run on the same system where the vulnerable sendmail is running. This vulnerability may be exploited despite firewalls and other network boundary protective measures, because the hostile input arrives inside an ordinary mail message that the server is meant to accept. An attacker does not have to be a local user to exploit this vulnerability. This vulnerability is described in CERT Advisory CA-97.05.
An older vulnerability which keeps showing up from time to time occurs when sendmail runs in DEBUG mode. DEBUG mode can allow a malicious user to gain access through sendmail.
Very old versions of sendmail, such as version 5.x and earlier, allow a remote attacker to specify commands after a pipe (|) character in certain fields of the e-mail. This could result in arbitrary commands being executed on the server with root privileges. This vulnerability was described in an X-Force Alert.
Version 8 of sendmail (version 8.x.x up to and including 8.8.3) has a vulnerability that can be exploited by a local user to run programs with the group permissions of other users. For the exploitation to be successful, group-writable files must be available on the same file system as a file that the attacker can convince sendmail to trust. This vulnerability can only be exploited by local users (i.e., users who have accounts on the target machine). This vulnerability is described in CERT Advisory CA-96.25.
Versions 8.7 through 8.8.2 of sendmail have a vulnerability that can be used to gain root access. sendmail is often run in daemon mode so it can "listen" for incoming mail connections on the standard SMTP networking port (usually port 25). The root user is the only user allowed to start sendmail in this way, and sendmail contains code intended to enforce this restriction. Due to a coding error, sendmail can be invoked in daemon mode in a way that bypasses the built-in check, and any local user is able to start sendmail in daemon mode. By manipulating the sendmail mail environment, the user can then have sendmail execute an arbitrary program with root privileges. This vulnerability can only be exploited by local users (i.e., users who have accounts on the target machine). This vulnerability is described in CERT Advisory CA-96.24. CERT Advisory CA-96.24 also describes additional vulnerabilities in versions 8.8.0 and 8.8.1 of sendmail.
There are two vulnerabilities in versions of sendmail up to and including version 8.7.5. By exploiting the first of these vulnerabilities, users who have local accounts can gain access to the default user, which is often daemon. By exploiting the second vulnerability, any local user can gain root access. Both of these vulnerabilities can only be exploited by local users (i.e., users who have accounts on the target machine). These vulnerabilities are described in CERT Advisory CA-96.20.
Versions 5 through 8.6.9 of sendmail have a vulnerability which could allow an intruder to execute commands on the server with root privileges. This vulnerability is described in CERT Advisory CA-95.08.
There is a buffer overflow condition in version 8.6.9 of sendmail in the processing of the response from the ident service. sendmail makes a connection to the ident service on the client host in order to log information about the user who is making the connection. A properly formatted response from the ident service is expected. An attacker could instead send a very long response, thereby overflowing the buffer, enabling the attacker to execute arbitrary commands on the server. This vulnerability was described in an X-Force alert.
Versions 8.8.0 and 8.8.1 of sendmail have a buffer overflow condition in the MIME processing code. A remote attacker could exploit the condition to gain root access on the server. This vulnerability is described in an X-Force Alert.
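As an added example, not part of the original article and not sendmail's own code, the version ranges listed in this section can be turned into a simple inventory check: the Python below pulls the version out of an SMTP greeting banner and reports which of the advisories above apply to it and whether any of them is exploitable without a local account. The advisory table is transcribed from the paragraphs above; the banner strings, hostnames and dates are constructed for the example and the one-line summaries are my own paraphrase of the text.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges transcribed from the advisories described above.
# Each entry: (advisory, lowest affected version or None, first version NOT
# affected, remotely exploitable?, one-line summary).  Upper bounds are
# exclusive, so "up to and including 8.8.3" becomes "< 8.8.4".
ADVISORIES = [
    ("CERT CA-97.05", (8, 8, 3), (8, 8, 5), True,
     "crafted message runs commands as root"),
    ("X-Force pipe",  None,      (6,),      True,
     "commands after '|' in message fields run as root"),
    ("CERT CA-96.25", (8,),      (8, 8, 4), False,
     "local user runs programs with other users' group permissions"),
    ("CERT CA-96.24", (8, 7),    (8, 8, 3), False,
     "local user starts daemon mode and runs a program as root"),
    ("CERT CA-96.20", None,      (8, 7, 6), False,
     "local user gains default user or root access"),
    ("CERT CA-95.08", (5,),      (8, 6, 10), True,
     "remote command execution as root"),
    ("X-Force ident", (8, 6, 9), (8, 6, 10), True,
     "buffer overflow in ident response handling"),
    ("X-Force MIME",  (8, 8, 0), (8, 8, 2), True,
     "buffer overflow in MIME processing, remote root"),
]

# First version the text above treats as fixed.
FIXED_VERSION: Version = (8, 8, 5)

# sendmail announces itself in the 220 greeting as "Sendmail <version>/<config>".
BANNER_RE = re.compile(r"\bSendmail\s+(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_version(text: str) -> Version:
    """Turn '8.8.3' into (8, 8, 3); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def version_from_banner(banner: str) -> Optional[Version]:
    """Pull the sendmail version out of a 220 greeting; None if it is not sendmail."""
    m = BANNER_RE.search(banner)
    return parse_version(m.group(1)) if m else None


def _in_range(version: Version, low: Optional[Version], high: Version) -> bool:
    # Tuple comparison handles mixed lengths: (5, 65) < (6,) and (8, 7, 0) >= (8, 7).
    return (low is None or version >= low) and version < high


def applicable_advisories(version: Version) -> List[Tuple[str, str]]:
    """Advisories whose affected range contains `version`, in page order."""
    return [(name, summary)
            for name, low, high, _remote, summary in ADVISORIES
            if _in_range(version, low, high)]


def remote_exposure(version: Version) -> bool:
    """True if any applicable advisory is exploitable without a local account."""
    return any(remote
               for _name, low, high, remote, _summary in ADVISORIES
               if _in_range(version, low, high))


def assess(banner: str) -> Dict[str, object]:
    """Summarise one banner: version, whether it predates 8.8.5, advisories, exposure."""
    version = version_from_banner(banner)
    if version is None:
        return {"version": None, "outdated": None, "advisories": [], "remote": False}
    return {
        "version": ".".join(map(str, version)),
        "outdated": version < FIXED_VERSION,
        "advisories": [name for name, _ in applicable_advisories(version)],
        "remote": remote_exposure(version),
    }


# Constructed sample banners: hostnames, dates and versions are made up for the example.
SAMPLE_BANNERS = [
    "220 mail.example.test ESMTP Sendmail 8.8.3/8.8.3; Mon, 3 Mar 1997 10:00:00 -0500",
    "220 relay.example.test ESMTP Sendmail 8.8.5/8.8.5; Mon, 3 Mar 1997 10:00:00 -0500",
    "220 old.example.test Sendmail 5.65 ready at Mon, 3 Mar 1997 10:00:00 -0500",
    "220 mx.example.test ESMTP other-mta ready",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(assess(banner))
```

The check relies only on what the server volunteers in its greeting, so a banner that has been edited or suppressed yields "not sendmail" rather than a false clean bill; treat a None result as "verify on the host" rather than "not affected".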
Smad Attack
Smad prevents sendmail from accepting legitimate connections. A cracker may use this flaw to prevent you from receiving any email, which greatly reduces the value of being connected to the Internet. This attack is specific to some versions of the Linux kernel. There are various security bugs in the implementation of this service which can be used by an intruder to gain a root account rather easily.
Resolution
To correct these vulnerabilities, replace sendmail with the most recent version. Another solution would be to obtain the latest fixed version or patches for sendmail from the vendor.
Where can you read more about this?
To read more about the sendmail vulnerabilities, read CERT Advisories CA-95.08, CA-97.05, CA-96.25, CA-96.24, and CA-96.20.