-----BEGIN PGP SIGNED MESSAGE-----

- --ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--
- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

[ASCII-art logo banner]

                       EMERGENCY RESPONSE SERVICE
                     SECURITY VULNERABILITY ALERT

16 January 1996 18:30 GMT                     Number: ERS-SVA-E01-1996:001.1
===============================================================================
                            VULNERABILITY SUMMARY

VULNERABILITY:  The UNIX "sendmail" program contains a programming error that
                allows an attacker to gain super-user permissions on the host.

PLATFORMS:      All versions of "sendmail" prior to Version 8.6.10, including
                Sendmail 5.67+IDA-1.5 and most vendor versions.

SOLUTION:       Install Sendmail Version 8.7.3, or install "smap" and "smapd,"
                or disable the "VRFY" and "EXPN" commands.

THREAT:         This vulnerability is being actively exploited.
===============================================================================
                               THREAT SUMMARY

[CUSTOMER CONFIDENTIAL]
===============================================================================
                            DETAILED INFORMATION

I. Description

The "sendmail" program is used on UNIX systems to send and receive electronic
mail.  On most systems, "sendmail" is not only responsible for the delivery of
mail on the local host, but also for delivery of mail between hosts.  It uses
the Simple Mail Transfer Protocol (SMTP), an Internet standard protocol, to
send mail to remote hosts.  "Sendmail" also implements an SMTP server to allow
remote hosts (i.e., those on the Internet) to deliver electronic mail to local
users.

IBM-ERS has learned of a vulnerability in the "sendmail" program that can be
exploited from the Internet.
The vulnerability is exploited through the use of the SMTP "EXPN" and "VRFY"
commands offered by all versions of "sendmail."  A buffer-overrun problem is
present in the implementation of these commands that allows an attacker to
overwrite the executable code of the "sendmail" process, replacing it with his
own executable code.  This executable code can do anything the attacker wants,
and is run with super-user permissions.

This vulnerability was fixed in Sendmail Version 8.6.10, which was released on
21 February 1995.  The current version of Sendmail is 8.7.3, which was released
on 3 December 1995.

Unfortunately, the versions of "sendmail" provided by most UNIX workstation
vendors are based on Versions 5.64, 5.65, or 5.67.  Unless the vendor has taken
considerable care to "bullet-proof" their version of "sendmail" (most vendors
have not), these versions are vulnerable to this problem.  The only known
vendor version of "sendmail" that is not vulnerable to this problem is the one
shipped with Solaris 2.5 (but not earlier versions) from Sun Microsystems; this
version is based on "sendmail" 8.6.12.

The "IDA" version of "sendmail," a popular public-domain version that offers
enhanced mail delivery and user database features, is based on Version 5.67,
and is thus vulnerable to this problem.

II. Impact

Successful exploitation of this vulnerability allows an attacker to execute
arbitrary commands on the local system with super-user ("root") permissions.
The end result of this is that an attacker can gain unrestricted access to
your system via this vulnerability.

This vulnerability is being actively exploited on the Internet.

III. Platform-Specific Threats

[CUSTOMER CONFIDENTIAL]

IV. Solutions

There are four possible solutions to this problem:

1. Install Sendmail Version 8.7.3.

   This version of "sendmail" is under active development, and offers major
   improvements, especially in the area of security.
   Sendmail 8.7.3 is available via the Internet by anonymous FTP from the host
   ftp.cs.berkeley.edu in the "/ucb/sendmail" directory.  You need one of
   "sendmail.8.7.3.tar.Z" or "sendmail.8.7.3.tar.gz".

   Sendmail is discussed in the "comp.mail.sendmail" USENET newsgroup.  It is
   also described in the book "Sendmail," by Bryan Costales, Eric Allman, and
   Neil Rickert, published by O'Reilly & Associates (http://www.ora.com).

   NOTE: Sendmail is one of the most complex UNIX subsystems, and one of the
   most vital.  While compiling and installing a new version of the program
   itself is not difficult, modifying the configuration file (the file that
   specifies how mail is to be delivered) to work with the new version of the
   program is often non-trivial.  In some cases, a complete rewrite of the
   existing configuration file may be required; this is a process that
   requires several days at a minimum.  This solution is not recommended
   unless you have extensive UNIX system administration experience.

2. Install the "smap" and "smapd" programs on all UNIX systems directly
   reachable from the Internet.

   The "smap" program provides a minimal SMTP implementation that accepts mail
   messages from the network and stores them for later delivery.  The "smapd"
   program periodically runs "sendmail" on these stored messages.  Because
   "sendmail" is no longer reachable directly from the network, its security
   vulnerabilities can no longer be exploited.

   The "smap" and "smapd" programs are part of the freely-available TIS
   Firewall Toolkit, from Trusted Information Systems, Inc.  The TIS Firewall
   Toolkit is available via the Internet by anonymous FTP from the host
   ftp.tis.com in the "/pub/firewalls/toolkit" directory.  You will need the
   files "fwtk.tar.Z" and "fwtk-doc-only.tar.Z".

   NOTE: Installation of "smap" and "smapd" is relatively simple, but it does
   represent a major change in the way electronic mail will be handled at
   your site.
   Careful consideration of installation options, and even more careful
   testing prior to site-wide deployment, are recommended.

3. Disable the "EXPN" and "VRFY" commands in your current version of the
   "sendmail" command.  This will prohibit an attacker from exercising the
   vulnerability.

   A. If you are running Sendmail 8.6.x or 8.7.x:

      Sendmail Version 8 provides the "p" configuration file option that
      allows you to configure the privacy and security features of your
      "sendmail" process.  The format of the option is:

          Opwhat,what,what

      where "what" is one of several keywords that enable the various
      features.  By listing the "noexpn" and "novrfy" keywords in this list,
      you can disable access to the "EXPN" and "VRFY" commands.  After adding
      (or changing) this line in your configuration file, you must kill and
      restart the "sendmail" daemon.

   B. If you are not running Sendmail 8.6.x or 8.7.x:

      Prior to Version 8, there is no way to disable these commands through
      the configuration file or the command line.  However, you can disable
      the commands by patching the "sendmail" binary:

      1. MAKE A BACKUP COPY OF THE SENDMAIL BINARY:

             # cp -p /usr/lib/sendmail /usr/lib/sendmail.save
             # chmod 700 /usr/lib/sendmail.save

         Patching binary files is not always successful (the result may no
         longer run), and you need to be able to recover from this.

      2. Use the "strings" command to find the addresses of the "vrfy" and
         "expn" command name strings:

             # strings -o /usr/lib/sendmail | grep vrfy
             240248 novrfy
             240264 needvrfyhelo
             276648 vrfy
             # strings -o /usr/lib/sendmail | grep expn
             240256 noexpn
             240280 needexpnhelo
             276640 expn
             280328 expn

         NOTE: The output you see may be different.  You want the numbers in
         front of the "expn" and "vrfy" strings (but not the other lines).

      3.
         Use "adb" to write a null byte on each of these commands:

             # adb -w - /usr/lib/sendmail
             not core file = /usr/lib/sendmail
             a$d                  <-- converts to decimal addresses
             276648/w 0           <-- writes zero byte on "vrfy"
             0x438a8:    30322    =    0
             276640/w 0           <-- writes zero byte on first "expn"
             0x438a0:    25976    =    0
             280328/w 0           <-- writes zero byte on second "expn"
             0x44708:    25976    =    0
             ^D                   <-- CTRL-D exits adb

         NOTE: Use the addresses output by the "strings" command in step 2 in
         the "/w" commands above; do not use the numbers in this example.

      4. Check that you successfully removed the strings:

             # strings -o /usr/lib/sendmail | grep vrfy
             240248 novrfy
             240264 needvrfyhelo
             # strings -o /usr/lib/sendmail | grep expn
             240256 noexpn
             240280 needexpnhelo

      5. Kill and restart the "sendmail" daemon.

   NOTE: Some mail user agents (the programs that users use to read and send
   mail) rely on the presence of the "VRFY" command which you just disabled.
   After performing the above steps, test all of the mail programs in use at
   your site to ensure that they still operate correctly.

4. Install the appropriate "sendmail" patch from your vendor.

   Unfortunately, at this time, there are no vendors offering patches to fix
   this problem.  As vendors release patches for this problem, IBM-ERS will
   issue updates to this alert.

===============================================================================

IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes incident management,
periodic electronic verification of gateways, and tailored security alerts.
IBM-ERS functions as an extension of your own Internet security team, and is
there for you when you need help.  IBM-ERS is a member of the Forum of
Incident Response and Security Teams (FIRST), a global organization
established to foster cooperation and coordination among computer security
teams worldwide.

IBM-ERS may be contacted via electronic mail at "ers@vnet.ibm.com".
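Neither route of solution 3 above gives an administrator a quick way to confirm, before reopening port 25, that the change actually landed. The following shell script is an added example, not part of the IBM-ERS alert or of the Sendmail distribution, that checks both routes from files on disk: route A by reading the privacy option line of a sendmail.cf (the short "Op..." spelling from the alert and the long "O PrivacyOptions=..." spelling of Sendmail 8.7), and route B by confirming that no standalone "vrfy" or "expn" string survives in the binary, the same test as step 4 of the alert but split with "tr" instead of "strings -o" so it works where binutils is absent. The function names, the sample .cf lines and the byte strings in make_samples are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the IBM-ERS alert): verify that solution 3 took
# effect.  Route A = Sendmail 8.x privacy options; route B = patched binary.
# Paths are parameters; make_samples writes constructed inputs so the script
# runs offline and never touches a real /usr/lib/sendmail.

# cf_privacy_ok CF_FILE
# Returns 0 when the configuration carries a privacy option line listing both
# "noexpn" and "novrfy".  Handles "Op..." (alert) and "O PrivacyOptions=..."
# (Sendmail 8.7 long form); commented lines are ignored by the ^ anchors.
cf_privacy_ok() {
    cf="$1"
    opts=$( { grep '^Op' "$cf" | sed 's/^Op//'
              grep '^O *PrivacyOptions=' "$cf" | sed 's/^O *PrivacyOptions=//'
            } 2>/dev/null | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' )
    echo "$opts" | grep -q -x 'noexpn' || return 1
    echo "$opts" | grep -q -x 'novrfy' || return 1
    return 0
}

# binary_cmd_strings_gone SENDMAIL_BINARY
# Returns 0 when no standalone "vrfy" or "expn" string remains, i.e. the
# null bytes written in step 3 of route B are in place.  Every printable run
# becomes one line, so an exact-line match means the command name is intact.
binary_cmd_strings_gone() {
    bin="$1"
    [ -r "$bin" ] || return 2
    if LC_ALL=C tr -c '[:print:]' '\n' < "$bin" | grep -q -x -E 'vrfy|expn'; then
        return 1   # command-name string still present: binary not patched
    fi
    return 0
}

# mitigation_in_place CF_FILE SENDMAIL_BINARY
# Either route is sufficient.  The daemon restart (step 5) is not visible on
# disk and must be confirmed against the running server separately.
mitigation_in_place() {
    cf_privacy_ok "$1" || binary_cmd_strings_gone "$2"
}

# make_samples
# Writes constructed sample inputs to a temporary directory and prints its
# path.  Nothing here is taken from a real sendmail build.
make_samples() {
    dir=$(mktemp -d)
    printf 'OL9\nOpauthwarnings,noexpn,novrfy\n' > "$dir/good.cf"
    printf '# privacy options left at their defaults\nOpauthwarnings\n' > "$dir/weak.cf"
    # unpatched: the 4-byte command names sit between null bytes
    printf '\000vrfy\000expn\000novrfy\000needvrfyhelo\000' > "$dir/unpatched.bin"
    # patched: leading bytes of each command name overwritten with nulls
    printf '\000\000rfy\000\000xpn\000novrfy\000needvrfyhelo\000' > "$dir/patched.bin"
    echo "$dir"
}

# Stand-alone run: report each constructed sample, then clean up.
d=$(make_samples)
for f in good.cf weak.cf; do
    if cf_privacy_ok "$d/$f"; then echo "$f: noexpn and novrfy set"
    else echo "$f: EXPN/VRFY still enabled"; fi
done
for f in patched.bin unpatched.bin; do
    if binary_cmd_strings_gone "$d/$f"; then echo "$f: command strings removed"
    else echo "$f: command strings present"; fi
done
rm -rf "$d"
```

Both checks read files, not the running process, so a green result still has to be followed by the restart in step 5 and a test that the live server refuses VRFY and EXPN; the string test is also only as strong as the patch it mirrors, since it proves the command name is gone, not that the surrounding code path is unreachable. The "O PrivacyOptions=" handling is there for Sendmail 8.7 configuration files that use the long option spelling; the alert itself only shows the "Op" form.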
This is a non-secure channel that is generally only monitored during normal
business hours.

For more information on subscribing to IBM-ERS, call 1-800-742-2493, and
choose prompt 4.  IBM-ERS will contract with new customers under active attack
and begin providing service immediately for an additional fee.

Copyright 1996 Integrated Systems Solutions Corporation.  This material may be
reproduced and distributed without permission provided it is used for
non-commercial purposes and the above copyright statement is kept intact.

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---
- --ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--

-----BEGIN PGP SIGNATURE-----
Version: 2.7.1

iQCVAwUBMbbrPvWDLGpfj4rlAQHIJQP/c4DwZJwjm2zv1VzrN9jpJKaDUn49fx4d
OBxscDxASIaGjyVRJhVYLKUpdl8WQ7nfTg+ogDTVxECn1jPu4RlS0hKFB4fGxgHb
H9guV/3nlEn3sXN5CaTzRF0C+PA4IUU97gI+GRtxKSVZtq9ehtOKDugmDmT3Rv/w
XFrkHVV59mc=
=cYKN
-----END PGP SIGNATURE-----