Full Disclosure mailing list archives
Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)
From: Gadi Evron <ge () linuxbox org>
Date: Fri, 24 Mar 2006 11:44:03 -0600 (CST)
On Thu, 23 Mar 2006, Dragos Ruiu wrote:
On March 23, 2006 01:41 am, Gadi Evron wrote:Here's what ISS releasing the Race Condition vulnerability has to say: http://xforce.iss.net/xforce/alerts/id/216 They say it's a remote code execution. They say it's a race condition. No real data available to speak of. I can't see how it's remotely exploitable, but well, no details, remember? From what we can see it seems like a DoS.ISS's Mark Dowd is very clever guy. And if duke says it's exploitable I would believe him :-). It's an interesting new vector anyway.
Indeed, which is why I said I can't see how and asked for details, as well as in the next paragraoph that I would be happy to be enlightened. :)
But like all timing related attacks, the question is reliability. Though gossip has it, this one is repeatable with sub-100 attempts and you get infinite shots at it because even if the process does die it's a child of the parent listener. (So it is not really a DoS per se in any case.)Bottom line ----------- What they did behind the smoke-screen is replace a lot of setjmp() and longjmp() functions (not very secure ones at that) with goto's (interesting choice).Smoke screen seems like unfarily loaded terminology to use. OpenBSD fixed (removed) many setjmp/longjmp functions in their tree a long time ago as a class of bugs. (Though this sendmail exploitable collecttimeout() longjmp one is new and they patched it yesterday with everyone else, because as you noted, replacing it was kinda hairy...) I don't think its fair to bitch about people fixing bugs and then not having the time to send out advisories for every little tweak. The important thing is to fix the bug. And often times the developer won't understand the real impact of fixing a bug until someone clever like Mark comes up with some innovative way to exploit an "unexploitable" bug like this one.
I would tend to agree, however, sendmail have been very irresponsible in the past, and with all due respect, if they want to play at being critical internet infrastructure, they should live up to expectations or find a new game.
What will be interesting to see when the PoC exploits are finally released, is if any of the memory/stack protection schemes mitigate it. <humor> Besides, there is only one true mailer to mail them all, and its name is Postfix. </humor>
:)
Now if we could only convince Mr. Venema to switch to a BSD license _everyone_ would switch to Postfix and everything would be much better. If it weren't for that "poison pill" clause in its license, I'm sure most OSes and commercial systems would have swapped out Sendmail for Postfix long ago.
I agree, Postfix is incredibly good.. once you learn to get along with it!
cheers, --dr -- World Security Pros. Cutting Edge Training, Tools, and Techniques Vancouver, Canada April 3-7 2006 http://cansecwest.com pgpkey http://dragos.com/ kyxpgp
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Gadi Evron (Mar 23)
- trusting SMTP [was: SendGate: Sendmail Multiple Vulnerabilities] Gadi Evron (Mar 23)
- Re: trusting SMTP [was: SendGate: Sendmail Multiple Vulnerabilities] Valdis . Kletnieks (Mar 24)
- Re: trusting SMTP [was: SendGate: Sendmail Multiple Vulnerabilities] Gadi Evron (Mar 24)
- Re: trusting SMTP [was: SendGate: Sendmail Multiple Vulnerabilities] Valdis . Kletnieks (Mar 24)
- Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Mike Owen (Mar 23)
- Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Dragos Ruiu (Mar 23)
- Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Gadi Evron (Mar 24)
- Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Theo de Raadt (Mar 23)
- Re: Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) purplebag (Mar 23)
- Re: Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Blue Boar (Mar 23)
- Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Gadi Evron (Mar 24)
- Re: Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Tim (Mar 24)
- RE: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Michael A Fusaro II (Mar 24)
- Re: Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Anders B Jansson (Mar 24)
- Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Casper . Dik (Mar 25)
- Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Coleman Kane (Mar 27)
- Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow) Eric Allman (Mar 24)
(Thread continues...)
- trusting SMTP [was: SendGate: Sendmail Multiple Vulnerabilities] Gadi Evron (Mar 23)