Hackers' code exploits Sendmail flaw

[InfoSec News <isn () c4i org>]

http://news.com.com/2100-1002-991041.html?tag=fd_top

By Robert Lemos 
Staff Writer, CNET News.com
March 4, 2003, 3:55 PM PT

A group of four Polish hackers published code to an open security
mailing list on Tuesday that can take advantage of a major
vulnerability in the Sendmail mail server.

The code, released less than a day after the Sendmail flaw's public
announcement, allows an attacker to remotely exploit a Red Hat or
Slackware Linux computer running a vulnerable version of the mail
server, the group--known as the Last Stage of Delirium--stated in the
analysis that accompanied the code.

While the limited number of platforms affected by the program seems to
be good news, the group warned that its quick analysis might have
missed other ways of exploiting the problem.

"We do not claim that our way of exploitation is the only one," one of
the group's members said in an e-mail with CNET News.com. "What we did
was to perform the series of experiments aimed at actual verification
of (the) vulnerability's impact. According to our results, this impact
is much less significant that it might seem."

The flaw in Sendmail--in one of the mail server's security functions
that parses mail headers--was found by network protection firm
Internet Security Systems and announced on Monday. Companies shipping
versions of Sendmail affected by the flaw--believed to be more the 15
years old--include IBM, Hewlett-Packard, Apple Computer, Sun
Microsystems, Red Hat and other Linux vendors, according to advisories
posted Monday by the Sendmail Consortium open-source project.

The LSD group's research questioned whether as many types of servers
running Sendmail are as vulnerable as previously thought.

That's a moot point, said Eric Allman, founder of the Sendmail
Consortium and chief technology officer for Sendmail Inc., a company
that has created a commercial version of Sendmail.

"I don't think anyone should be complacent," he said, stressing that
other ways to exploit the flaw may exist. "Just get the patch."

Allman wasn't sure how he felt about the security group publishing
such extensive details about exploiting the vulnerability so soon
after it was announced. For many years, security researchers and
hackers have argued whether releasing detailed information about how a
software flaw can be abused helps or hinders security.

The Sendmail founder had expected that code would be released soon,
but not within 24 hours. Moreover, the functional nature of the posted
code--the script returns a terminal prompt with which an attacker
could issue commands to the compromised host--was overkill, he said.

"I would have preferred that they would have done a proof of concept,"  
Allman said. Proof-of-concept code only illustrates how to exploit a
vulnerability without actually doing anything overly useful.

The LSD group--whose four members claim to be graduates of the Poznan
University of Technology--say that releasing such code enhances the
community's overall security.

"We do believe that open and free information is the best for
improving security," the group said in its e-mail to CNET News.com.  
"In our opinion, publishing the details is the only way to...determine
the impact. The lack of appropriate information on the issue can
be...even more damaging."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.