[8lgm]-Advisory-17.UNIX.sendmail and Sun's lack of urgency

[andy () btc uwe ac uk (andy () btc uwe ac uk)]

Hi there SUN,
IS THERE ANYONE IN ???

Please find below a copy of the [8lgm]-Advisory-17.UNIX.sendmailV5-2-May-1995
of 17/18 May. 

I opened call no 5094255 (UK) on 18th May. My engineer is Kimberley
Brown. Sun bug no 1026859. I also contacted Karl Strickland at [8lgm]. 
His reply is appended. The exploit script/info was sent to CERT and 
passed to Sun before May 20th.

I'm told that someone unnamed in Suns security dept. is sitting on the exploit 
script for this bug and refusing to pass it to the engineer who is responsible 
for sendmail.

This just is not good enough. I want an explanation of why it takes you weeks
to get started on this one.

I hope [8lgm] will now see that giving people like you (Sun) time to get a fix 
together is a waste of time and effort. The only thing that will light a 
fire under your asses is to publish the exploit script without a grace period.

I feel that Sun is not fulfilling its support contract with us and I mean to 
find out why.

Andy Cowley
----- Begin Included Message -----

< header deleted .... >

This advisory has been sent to:

        comp.security.unix
        CERT/CC                 <cert () cert org>

===========================================================================
                [8lgm]-Advisory-17.UNIX.sendmailV5-2-May-1995


PROGRAM:

        sendmail(8)        (Version 5.*)

KNOWN VULNERABLE VERSIONS:

        SunOS 4.1.* up to and including patch 100377-19
        Sendmail V5.*
        IDA Sendmail V5.*
        (Likely that any sendmail based on V5 is also vulnerable).
        
DESCRIPTION:

        A flaw exists in versions of sendmail based on V5, which allows
        users to run programs and/or append to files remotely.

        The user does not require an account on that system.

IMPACT:

        Systems running V5 based sendmail are exploitable remotely.

REPEAT BY:

        At this time, exploit details are not available.  Exploit
        details will be provided on the 8lgm fileserver, at some
        point in the future.

DISCUSSION:

        Details have been provided to ecd () cert org, in order to speed
        up availability of exploit information to vulnerable vendors.

WORKAROUND & FIX:

        1) Install V8 sendmail.

        2) Obtain patch from vendor.

FEEDBACK AND CONTACT INFORMATION:

        majordomo () 8lgm org        (Mailing list requests - try 'help'
                                   for details)

        8lgm () 8lgm org                  (Everything else)

8LGM FILESERVER:

        All [8LGM] advisories may be obtained via the [8LGM] fileserver.
        For details, 'echo help | mail 8lgm-fileserver () 8lgm org'
===========================================================================


----- End Included Message -----

Karl Strickland (karl () bagpuss demon co uk) wrote on May 20th.---


The exploit details have been sent to CERT who are dealing entirely
with the affected vendors, including SUN.  CERT have better contacts
with more vendors than we do and are able to spend more time dealing
with them than we are.  SUN should have had exploit details passed to
it from CERT by now.