hi everyone
Please inform the rest of the guys (gender neutral) -- I am posting this on just 
[EMAIL PROTECTED]
Regards
Virindera

Internet Security Systems Security Advisory
March 3, 2003

Remote Sendmail Header Processing Vulnerability

Synopsis:

ISS X-Force has discovered a buffer overflow vulnerability in the Sendmail
Mail Transfer Agent (MTA). Sendmail is the most common MTA and has been
documented to handle between 50% and 75% of all Internet email traffic.

Impact:

Attackers may remotely exploit this vulnerability to gain "root" or superuser
control of any vulnerable Sendmail server. Sendmail and all other email
servers are typically exposed to the Internet in order to send and receive
Internet email. Vulnerable Sendmail servers will not be protected by legacy
security devices such as firewalls and/or packet filters. This vulnerability
is especially dangerous because the exploit can be delivered within an email
message and the attacker doesn't need any specific knowledge of the target to
launch a successful attack. 

Affected Versions:

Sendmail versions from 5.79 to 8.12.7 are vulnerable.

Note: The affected versions of both commercial Sendmail and open source
Sendmail, on all platforms, are known to be vulnerable.
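A quick inventory check against the affected range above, added here as an example and not part of the ISS advisory. It assumes the default Sendmail greeting layout "220 host ESMTP Sendmail version/config; date" and uses constructed banners; the hypothetical fetch_banner() helper is only needed for live use.

```python
import re
import socket

# Affected range stated in the advisory: 5.79 through 8.12.7 inclusive.
VULN_LOW = (5, 79)
VULN_HIGH = (8, 12, 7)

# Assumed banner layout: "220 <host> ESMTP Sendmail <ver>/<cfgver>; <date>".
_BANNER_RE = re.compile(r"Sendmail\s+(\d+(?:\.\d+)+)")

# Constructed sample banners (not real hosts).
SAMPLE_BANNERS = [
    "220 mx1.example.net ESMTP Sendmail 8.12.7/8.12.7; Mon, 3 Mar 2003 09:00:00 -0500",
    "220 mx2.example.net ESMTP Sendmail 8.12.8/8.12.8; Mon, 3 Mar 2003 09:00:00 -0500",
    "220 mx3.example.net ESMTP Sendmail 8.11.6/8.11.6; Mon, 3 Mar 2003 09:00:00 -0500",
    "220 mx4.example.net ESMTP Postfix",
]


def parse_version(text):
    """Return the Sendmail version as a tuple of ints, or None if absent."""
    m = _BANNER_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version):
    """True if the version tuple lies within 5.79 .. 8.12.7 (tuple ordering)."""
    return VULN_LOW <= version <= VULN_HIGH


def classify_banner(banner):
    """Map one greeting line to 'vulnerable', 'not-affected' or 'unknown'."""
    version = parse_version(banner)
    if version is None:
        return "unknown"  # not Sendmail, or version string stripped
    return "vulnerable" if is_vulnerable(version) else "not-affected"


def audit(banners):
    """Return {hostname: classification} for a list of greeting lines."""
    return {line.split()[1]: classify_banner(line) for line in banners}


def fetch_banner(host, port=25, timeout=5.0):
    """Hypothetical helper: read the SMTP greeting from a host you administer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(512).decode("ascii", "replace").strip()


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_BANNERS).items():
        print(f"{host}: {verdict}")
```

A banner-only check gives false positives where a vendor backported the fix without bumping the version string, so treat "vulnerable" as "confirm with the vendor patch level", as the advisory's note on vendor patches suggests.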

Description:

The Sendmail remote vulnerability occurs when processing and evaluating
header fields in email collected during an SMTP transaction. Specifically,
when fields are encountered that contain addresses or lists of addresses
(such as the "From" field, "To" field and "CC" field), Sendmail attempts
to semantically evaluate whether the supplied address (or list of addresses)
is valid. This is accomplished using the crackaddr() function, which is
located in the headers.c file in the Sendmail source tree. 

A static buffer is used to store data that has been processed. Sendmail
detects when this buffer becomes full and stops adding characters, although
it continues processing. Sendmail implements several security checks to
ensure that characters are parsed correctly. One such security check is
flawed, making it possible for a remote attacker to send an email with a
specially crafted address field that triggers a buffer overflow. 

X-Force has demonstrated that this vulnerability is exploitable in real-
world conditions on production Sendmail installations. This vulnerability is
readily exploitable on x86 architecture systems, and may be exploitable on
others as well.

Protection mechanisms such as implementation of a non-executable stack do not
offer any protection from exploitation of this vulnerability. Successful
exploitation of this vulnerability does not generate any log entries.

Recommendations:

For identification of potentially vulnerable systems, Internet Security
Systems has provided the following assessment checks:

Internet Scanner XPU 6.24
MtaDiscovery - (<http://www.iss.net/security_center/static/10961.php>)

Internet Scanner XPU 6.26
SendmailRunning - (<http://www.iss.net/security_center/static/2938.php>)

System Scanner SR 3.13
sendmail-header-processing-bo - (<http://www.iss.net/security_center/static/10748.php>)

For Dynamic Threat Protection, Internet Security Systems recommends applying a
Virtual Patch for the Sendmail vulnerability.  Employ the following protection
techniques through ISS’ Dynamic Threat Protection platform.
RealSecure Network Sensor XPU 20.9 and 5.8:
SMTP_Sendmail_Header_Parse_Overflow - (http://www.iss.net/security_center/static/10748.php)

All updates listed above are available from the ISS Download center 
(http://www.iss.net/download)

For Manual Protection, the affected vendor has offered the following
recommendations:

Sendmail urges all users to either upgrade to Sendmail 8.12.8 or apply a patch
for 8.12.x (or for older versions). Updates can be downloaded from
ftp.sendmail.org or any of its mirrors (try a mirror near to you first), see
http://www.sendmail.org/ for details. Remember to check the PGP signatures of
patches or releases obtained. For those not running the open source version, 
check with your vendor for a patch. Sendmail, Inc., the commercial provider of
the sendmail MTA, is providing a binary patch for their commercial customers.
The patch can be downloaded from Sendmail's Web site at:
http://www.sendmail.com/ 

Sendmail versions that are patched will record the following log entry when
exploitation is attempted: "Dropped invalid comments from header address".
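A small log correlator for that entry, added here as an example and not part of the advisory. It assumes the usual syslog layout "timestamp host sendmail[pid]: queue-id: message" and joins the dropped-comments message to the from=/relay= line that shares its queue id; the log lines are constructed.

```python
import re

# Message the advisory says patched Sendmail logs on an attempt.
ATTEMPT_MSG = "Dropped invalid comments from header address"

# Assumed syslog layout: "<ts> <host> sendmail[<pid>]: <queue-id>: <rest>".
_LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssendmail\[\d+\]:\s"
    r"(?P<qid>\w+):\s(?P<rest>.*)$"
)
_FROM_RE = re.compile(r"from=(?P<from>\S+?),")
_RELAY_RE = re.compile(r"relay=(?P<relay>[^,\s]+)")

# Constructed sample log (documentation addresses only).
SAMPLE_LOG = [
    "Mar  3 09:12:01 mx1 sendmail[2211]: h23EC1Ab002211: "
    + ATTEMPT_MSG,
    "Mar  3 09:12:01 mx1 sendmail[2211]: h23EC1Ab002211: from=<user@example.org>, "
    "size=2048, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]",
    "Mar  3 09:13:30 mx1 sendmail[2230]: h23EDUAb002230: from=<alice@example.net>, "
    "size=512, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[198.51.100.7]",
    "Mar  3 09:13:31 mx1 sendmail[2230]: h23EDUAb002230: to=<bob@example.com>, "
    "delay=00:00:01, mailer=local, dsn=2.0.0, stat=Sent",
]


def correlate(lines):
    """Return {queue_id: {ts, host, from, relay}} for every logged attempt.

    Two passes are folded into one: envelope details and attempt markers are
    collected independently, then merged, so line order does not matter.
    """
    envelopes, attempts = {}, {}
    for line in lines:
        m = _LINE_RE.match(line)
        if not m:
            continue  # not a sendmail line in the assumed layout
        qid, rest = m.group("qid"), m.group("rest")
        if rest.startswith("from="):
            f, r = _FROM_RE.search(rest), _RELAY_RE.search(rest)
            envelopes[qid] = {"from": f.group("from") if f else None,
                              "relay": r.group("relay") if r else None}
        elif ATTEMPT_MSG in rest:
            attempts[qid] = {"ts": m.group("ts"), "host": m.group("host")}
    for qid, info in attempts.items():
        info.update(envelopes.get(qid, {"from": None, "relay": None}))
    return attempts


if __name__ == "__main__":
    for qid, info in correlate(SAMPLE_LOG).items():
        print(qid, info)
```

Only patched servers emit this line; the advisory states that successful exploitation of an unpatched server leaves no log entry, so silence from an unpatched host is not evidence of safety.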

Vendor Notification Schedule:

Initial vendor notification: 1/13/2003
Initial vendor confirmation: 1/13/2003
Final release schedule confirmation: 1/31/2003

ISS X-Force worked with Sendmail throughout the notification and release
process. X-Force would like to thank Sendmail for their cooperation as well as
the National Infrastructure Protection Center (NIPC) for coordinating this
issue with elements of National critical infrastructure.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2002-1337 to this issue. This is a candidate for inclusion in the CVE
list (http://cve.mitre.org), which standardizes names for security problems.

If you are a RealSecure Server Sensor customer, please email [EMAIL PROTECTED]
for additional protection information.  Please enter the words "Server
Sensor - Sendmail" in the subject line of your email.

X-Force Database
http://www.iss.net/security_center/static/10748.php

For more information on ISS methodology and procedures involved in Security
Advisory publication, please review the X-Force Vulnerability Disclosure
Guidelines document:
http://documents.iss.net/literature/vulnerability_guidelines.pdf

Credit:

This vulnerability was discovered and researched by Mark Dowd of the ISS
X-Force.
______

About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.

Copyright (c) 2003 Internet Security Systems, Inc. All rights reserved
worldwide.

This document is not to be edited or altered in any way without the
express written consent of Internet Security Systems, Inc. If you wish
to reprint the whole or any part of this document, please email
[EMAIL PROTECTED] for permission. You may provide links to this document
from your web site, and you may make copies of this document in
accordance with the fair use doctrine of the U.S. copyright laws. 

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key server,
as well as at http://www.iss.net/security_center/sensitive.php
Please send suggestions, updates, and comments to: X-Force
[EMAIL PROTECTED] of Internet Security Systems, Inc.
