OpenBSD Journal

Patch fixes Sendmail Buffer Overflow: 3.1, 3.2

Contributed by jose on from the lingering-bugs dept.

Wow, huge security hole in Sendmail found by ISS' X-Force. This one's been present in Sendmail versions from 5.79 to 8.12.7, including what has been shipping in OpenBSD. Miod and Todd have been working hard to correct the problem. Two patches are available: Patch 022 for OpenBSD 3.1-stable and Patch 009 for OpenBSD 3.2-stable. For OpenBSD-current the problem has been fixed by importing Sendmail 8.12.8, available from your local OpenBSD source tree or Sendmail's website. From Claus Assmann at Sendmail:
There is a bug fix for ident parsing in 8.12.8. While this is not believed to be exploitable, if you are not upgrading to 8.12.8, you may want to turn off ident checking
At least this made it in before the tree freeze ... Mail to security-announce is on its way out now, and the website will be updated shortly. Big thanks to Todd and Miod for their info and fixing this.



Comments
  1. By jose () on http://monkey.org/~jose/

    Date: Mon, 03 Mar 2003 10:49:33 -0700
    From: Todd C. Miller
    To: security-announce@openbsd.org
    Subject: remote buffer overflow in sendmail

    A buffer overflow has been found in sendmail's envelope comment
    processing code which may allow an attacker to gain root privileges.
    The bug was discovered by Mark Dowd of ISS X-Force.

    For more information, see:
    http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
    http://www.sendmail.org/8.12.8.html

    As shipped, OpenBSD runs a sendmail that binds only to localhost,
    making this a localhost-only hole in the default configuration.
    However, any sendmail configuration that accepts incoming mail may
    potentially be exploited.

    The sendmail in OpenBSD-current has been updated to version 8.12.8.
    The 3.1 and 3.2 -stable branches have had a patch applied that fixes
    the buffer overflow. However, because the -stable branches have
    the specific vulnerability patched (as opposed to the full 8.12.8
    distribution), sendmail on -stable will report the old sendmail version.

    Patch for OpenBSD 3.1:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/022_sendmail.patch

    Patch for OpenBSD 3.2:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/009_sendmail.patch

    Patches for older versions of sendmail may be found at
    ftp://ftp.sendmail.org/pub/sendmail/
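    A quick way to tell which of the two cases in the advisory applies to a host (loopback-only listener versus a configuration that accepts incoming mail), as an added example that is not part of the advisory or of OpenBSD. It assumes BSD-style `netstat -an -f inet` output and the sample lines are constructed:

```shell
#!/bin/sh
# Added example, not from the advisory or OpenBSD: decide whether sendmail
# is reachable beyond localhost, from "netstat -an -f inet" style output.
# BSD netstat prints the local address as "host.port", e.g. 127.0.0.1.25
# or *.25, with LISTEN in the last column.
# Usage: netstat -an -f inet | smtp_exposure

smtp_exposure() {
    awk '
    $1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, part, ".")
        port = part[n]
        if (port != "25") next
        host = substr($4, 1, length($4) - length(port) - 1)
        # loopback listeners are the shipped default; anything else
        # is a configuration that accepts incoming mail
        if (host == "127.0.0.1" || host == "::1") local = 1
        else { exposed = 1; where = where " " host }
    }
    END {
        if (exposed)    print "exposed:" where
        else if (local) print "local-only"
        else            print "none"
    }'
}

# Constructed sample output: the stock loopback-only listener, and a host
# whose sendmail was reconfigured to listen on all interfaces.
SAMPLE_DEFAULT='tcp        0      0  127.0.0.1.25           *.*                    LISTEN'
SAMPLE_OPEN='tcp        0      0  *.25                   *.*                    LISTEN
tcp        0      0  127.0.0.1.25           *.*                    LISTEN'

printf '%s\n' "$SAMPLE_DEFAULT" | smtp_exposure   # local-only
printf '%s\n' "$SAMPLE_OPEN" | smtp_exposure      # exposed: *
```

    This answers exposure only; as the advisory notes, a patched -stable sendmail still reports the old version string, so the version alone does not tell you whether the patch is applied.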

  2. By Anonymous Coward () on

    Maybe now, we'll consider moving to another MTA? Like qmail or postfix.

    Yes, I'm aware of the 'war' between Theo and djb, but I think they are both intelligent enough to find a common ground to talk & integrate what is probably the best MTA into the best Operating System; a war is not always the answer to solve problems.

    Comments
    1. By Anonymous Coward () on

      I think that license issues are a greater concern here. Postfix's IBM license is pretty huge (huge enough that I've never read the whole thing) and while people say it's very permissive, I doubt it's enough in line with BSD to make it coincide with the www.openbsd.org/goals.html

      Qmail has similar issues - again while it focuses on security, DJB's "license" is somewhat in conflict with BSD license oriented goals.

      Specifically, I guess I should be referring to: http://www.openbsd.org/policy.html which outlines a bit more of the niggling points of licenses and copyright.

      MTA advocacy is full of enough flames, but it's easy enough to not face the issue when the viable competitors don't even use a license that is compatible with the intentions of the project - then you don't worry about the technical details so much.

      I think most OpenBSD users would love something other than BIND or sendmail - and it seems that most who needs those services, tend to run something else (postfix is very popular with most OBSD users I've met, qmail slightly less so... but djbdns tends to get heavy utilization all around). Maybe one day we'll see an OpenNamed or OpenMTA; but I kinda doubt it - there are alternatives out there that work well, but they can't always go into the base install for other reasons.

      Comments
      1. By Noob () on

        I guess I'm not most OpenBSD users. I like BIND and Sendmail.

      2. By Postfix fan () on

        It's unfortunate that IBM has clouded this issue unnecessarily. I mean, they've used a license that appears to contradict itself, and which may not actually give them any legal standing if I decide to distribute "OpenMTA" based on it.

        There are actually two issues at play here:

        1. If you download Postfix from postfix.org, you skirt any obvious licenses references.
        2. The LICENSE file as installed by the ports system (and likely in any source) clearly indicates you can redistribute any "software derivatives", as long as the copyright is maintained and you pass these same rights on.

        They do state that they can protect themselves from an IP claim by revoking your license, but this appears to only apply to the "software", not any derivatives of it.

        This is sloppy and confusing, and is the reason that IBM may not be able to use the "Open Source" trademark (anyone? is this accurate?). It still shouldn't keep OBSD from adopting it as the default MTA.

        In a quote I grabbed from the web:

        So, while PostFix may have some unpleasant legal strings attached, I can't really see how this stops anyone from repackaging the entire thing with a different license.

        Unfortunately, when you have to consult a lawyer to make sense of all this, with the chance s/he might be wrong, there is little incentive to do so.

      3. By kremlyn () on

        There seems to be a growing number of people who think the Postfix license is workable within the OpenBSD goals. Time will tell.

        Until then, I will continue to use DJBDNS and Postfix and hope that one day, the two are integrated into OpenBSD.

        Who cares if they are called what they currently are, or OpenDNS and OpenMTA. The point is, it'd rock!

        DJB/Theo - Please get over your differences, you're on the same team here (but only for DJBDNS, Postfix 0wnz Qmail!) ;-)

        //kremlyn

        Comments
        1. By Anonymous Coward () on

          since when do you allow your neighbors to change the placement of your home furniture?

      4. By Xenotrope () on

        I believe that the problem with replacing sendmail on OpenBSD is that any potential alternatives exist with incompatible licenses, which are much harder to fix than incompatible coding.

        Postfix is released under the IBM Public License, which is definitely not the GPL, nor is it the BSD license. My guess is that it is just barely strict enough to eliminate it as a possible sendmail replacement.

        qmail is right out.

        For all the various MTAs out there I've seen, there's something wrong with the license of each and every one. Sendmail might be old and broken in places, but its license is proper enough to warrant its continued use.

        In a slightly off-topic thread, I'd like to suggest someone on the OpenBSD team consider the possibility of using MaraDNS instead of BIND. Yeah, saying that is craziness, I know. But MaraDNS is tiny, and has a BSD-style license (http://www.maradns.org/faq.html#license ). It's just a thought. I simply want to illustrate that there exist BIND alternatives other than djbdns, which is invalidated; once more, because of licensing issues.

      5. By Anonymous Coward () on

        Something that nobody has mentioned so far is that Bind and Sendmail are the standard Unix daemons for their services. They work in a well-known way; any competent Unix administrator should be able to walk right up to a root terminal and start hacking on a Bind or Sendmail configuration.

        Postfix, Qmail, and djbdns are all different. If you don't take the extra time to learn how to use their configuration files, they'll confuse you. While it may be worth it for lots of individual administrators to install and learn alternative name servers and mail servers, it's not worth it to the OpenBSD project to force everyone to use something else: It's just too confusing.

        (This is why, I think, OpenBSD has integrated Bind 9 rather than another name server: While it is different from Bind 4 and 8 in a lot of ways, in many ways its configuration is still the same (in comparison to Bind 8, it's mostly the same), so that it's possible for most people to use it right away with only minimal perusing of the documentation.)

      6. By djm () on

        I have been using postfix since its first public release and it has been nothing short of perfectly reliable and very performant (it has never been a bottleneck in any of my mail systems).

        Unfortunately, its license precludes it from being integrated into OpenBSD. For a start it is very long and verbose for what it says. Additionally, clause 3.iv is a viral GPL-like source disclosure requirement. Also, section 4 is appalling legalese which seeks to insulate contributors from 3rd-party claims, but which is fairly reasonable (once one reads the example).

        This license is good enough for me, but OpenBSD sets a higher bar for new code than this license meets.

    2. By Anonymous Coward () on

      ACK

      Unfortunately I fear there will not be much chance...

      What a shame...

    3. By Anonymous Coward () on

      Too bad Qmail doesn't scale, huh? If someone wants to be an anti-Sendmail zealot, Postfix is a better alternative to suggest.

      Comments
      1. By Anonymous Coward () on

        It scales for Yahoo

        Comments
        1. By Anonymous Coward () on

          Exchange will "scale" if you throw enough machines at it.

          Comments
          1. By Anonymous Coward () on

            And that is why all the large email shops use Exchange, right? Don't tell me, MCSE?

            Comments
            1. By Anonymous Coward () on

              There's a reason "scale" was in quotes, asshat.

      2. By Anonymous Coward () on

        Which planet are you from? qmail scales a whole lot more than Sendmail! And as a bonus it works!

      3. By Anonymous Coward () on

        better post an argument (read: proof) for that statement. Does Hotmail ring a bell? nofi

    4. By atomkraft () on

      I've been using exim for a while now, seems like a fine product. AFAIK there has not yet been a remote exploit, it scales well, is easy to configure and best of all, it's GPL. It may not be as popular as postfix or qmail, but it must be better than sendmail. Is there a reason why it has not been considered as a replacement?

      Comments
      1. By Anonymous Coward () on

        I figure the reason is that Exim is GPL'ed.

  3. By Noob () on

    I would just like to comment at what wonderful work has been done to address this security issue. Stable branch update, patch files, and a security email all came out very fast. Thanks very much!

    Comments
    1. By Anonymous Coward () on

      Wonderful job would be to prevent primitive holes like this according to the project goals and proclamations. Correctness, my ass.

      Comments
      1. By Noob () on

        Right on! You have the solution I've been looking for. Where can I download your source?

        Comments
        1. By Anonymous Coward () on

          file:///dev/null

      2. By Gimlet () on

        Hey troll, go check the default install. Oh my, looks like you should have checked to see if sendmail were actually listening on port 25 before posting. Funny how you trolls can use computers to complain but never to do anything useful.

        Comments
        1. By Xesus () on

          It does seem more and more that the code audit and default (read unusable) installation security claims are not able to hold any water any more. Btw, what happened to the claims of Department of Justice and Amnesty International running their DBs on thousands of OpenBSD boxes? Fools are in denial and can not overcome creativity dead-walls beyond calling any dissenter a troll? The project could supplement its revenue by implementing a betting service and selling derivative contracts on next vulnerabilities' timing.

    2. By Jedi/Sector One () j@pureftpd.org on http://www.pureftpd.org/

      That's actually nice. The delay between the bug discovery and the patch release (even for the previous release) was very fast, and OpenBSD was the first vendor to provide an official fix for that issue. Moreover OpenBSD is not vulnerable in the default configuration and no exploit is available in the wild AFAIK.

      When bugs are discovered in Windows, have you already seen any service pack released the same half-day?

      Anyway, this bug is not trivial to exploit. As I see, what you can inject is restricted to a very small charset of control characters, it's hard to get a valid address with that (+ harder to copy something to that address).

  4. By Troll () on

    Only $counter holes in the default install in $years

    Comments
    1. By Noob () on

      Default install only has sendmail listening on 127.0.0.1. If you can remotely exploit something on 127.0.0.1 then you have a special gift, otherwise you might be incorrect to increment.

      The "Secure by Default" phrase is well defined at http://www.openbsd.org/security.html

      I also have a Commodore 64 that has not had one remote exploit in the unplugged install in 15 years.

      Comments
      1. By Troll () on

        Thanks for sharing, now I'm moving my production environment of webservers to the C64/C128 platform for a totally secure alternative.

        Comments
        1. By Anonymous Coward () on


          $ dig @lemniscate.net lemniscate.net hinfo

          ; > DiG 2.2 > @lemniscate.net lemniscate.net hinfo
          ; (1 server found)
          ;; res options: init recurs defnam dnsrch
          ;; got answer:
          ;; ->>HEADER

        2. By Anonymous Coward () on

          Whoops, let's try that again.


          $ dig @lemniscate.net lemniscate.net hinfo

          ; > DiG 2.2 > @lemniscate.net lemniscate.net hinfo
          ; (1 server found)
          ;; res options: init recurs defnam dnsrch
          ;; got answer:
          ;; ->>HEADER

        3. By Anonymous Coward () on

          Oh, I get it. This should work. (I feel like a moron)

          $ dig @lemniscate.net lemniscate.net hinfo

          ; > DiG 2.2 > @lemniscate.net lemniscate.net hinfo
          ; (1 server found)
          ;; res options: init recurs defnam dnsrch
          ;; got answer:
          ;; ->>HEADER

        4. By Anonymous Coward () on

          This is strange behavior. It seems that > and < don't interact well with deadly.org's comment box.

          Let's try a fourth time:


          $ dig @lemniscate.net lemniscate.net hinfo

          ; <<>> DiG 2.2 <<>> @lemniscate.net lemniscate.net hinfo
          ; (1 server found)
          ;; res options: init recurs defnam dnsrch
          ;; got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52481
          ;; flags: qr aa rd ra; Ques: 1, Ans: 1, Auth: 3, Addit: 1
          ;; QUESTIONS:
          ;; lemniscate.net, type = HINFO, class = IN

          ;; ANSWERS:
          lemniscate.net. 86400 HINFO "TRS-80" "FORTH"

          ;; AUTHORITY RECORDS:
          lemniscate.net. 86400 NS ns1.mib.org.
          lemniscate.net. 86400 NS ns7.gandi.net.
          lemniscate.net. 86400 NS lemniscate.net.

          ;; ADDITIONAL RECORDS:
          lemniscate.net. 86400 A 204.210.34.84

          ;; Total query time: 63 msec
          ;; FROM: klaus.lemniscate.net to SERVER: lemniscate.net 204.210.34.84
          ;; WHEN: Tue Mar 4 10:37:18 2003
          ;; MSG SIZE sent: 32 rcvd: 136

          $

      2. By Anonymous Coward () on

        And how many people use Sendmail for inbound SMTP on 127/8 ? Don't be fooled by the secure default install shit.

        Comments
        1. By Anonymous Coward () on

          I do.

        2. By Anonymous Coward () on

          Comments
          1. By MicroBSD Troll () on

            Narf!

        3. By Anonymous Coward () on

          How many people do use Sendmail @ OpenBSD anyways? Who uses the default install anyways?

          Comments
        4. By OBSD User () on

          Me.

        5. By Anonymous Coward () on

          *raises hand*

        6. By djm () on

          You are right, lots of people use postfix, exim or another MTA and are therefore not vulnerable at all.

    2. By Anonymous Coward () on

      this is not a remote problem for OpenBSD. learn to read.

  5. By Noob () on

    Has anyone made a systrace policy for sendmail?

    Comments
    1. By Skull Crusher () on

      This is, I think, the right response. The "let's change the base MTA" is, after some consideration, not. And I used to be in this camp.

      But after some reflection, putting on the smoking jacket, and smoking the pipe a bit, it seems to me that we don't abandon OpenBSD simply because it has security holes from time to time. Why should we abandon Sendmail because *it* has holes?

      Patching is, unfortunately, a way of life. Even if Theo et al switched to Qmail and sent Bernstein a big box of chocolates and a long "We're sorry" letter, there is no guarantee that it won't, at some time, need to be patched.

      Are we simply going to start evaluating application software by its need to be patched?

      And if you care about good licensing (maybe I should say "correct" licensing) then it makes more sense to work on keeping a widely used, well respected and powerful piece of correctly licensed software up to date than to throw it out and start over with bad (or "incorrectly") licensed software which might be a little more secure and need less patching.

      Basically the "alternatives" have *licenses* which need to be patched, and can't be.

      I've used qmail and considered postfix, but I think I'm going to start using sendmail exclusively from now on.

      -SC

      Comments
      1. By Anonymous Coward () on

        You are forgetting the 'broken by default' and 'broken by design' ancients. Qmail and DJBDNS have never had any remote holes in their existence.

        However BIND and Sendmail had. Yet we who use that software and who did not chose an alternative need to patch our systems every now and then.

        How can you say that you are certain that we need to patch our systems when there are no holes found in them? How can you be so sure that there will be holes found in *FOR EXAMPLE* Qmail and DJBDNS -who have a secure record- if they were in the OpenBSD default install? And how do you know that the number of patches needed will be similar or more than for the current software OpenBSD uses?

        It's that simple: you can't. Or do you have knowledge that i don't have? You know of holes in that software? Or in other DNS/MTA's? If so, please share that with the security team of that software i'm sure they would be happy with that. You can even earn a nice dinner if you find one in Qmail/DJBDNS :-)

        When we look back at the past of some software we can draw conclusions from that. Concluding that Qmail will have 1 security patch in each -let's say 3 months- is unlikely. Not impossible; unlikely. That said, it would be -apart from the license problem- wise to change to Qmail -if you'd care about these patching headaches, of course-. Because if you'd ask me, software is more than patching every now and then. Features and system usage are also important. Let's not judge a book by its cover and ditch A *only* because product B has 'a good security history'. That's rather *not* an objective point of view...

        Comments
        1. By Noob () on

          So I guess you don't have a systrace policy for Sendmail?

          Comments
          1. By Anonymous Coward () on

            It's actually very easy, you don't even need to be a wizard to do it yourself. Simply start sendmail with systrace -A as a prefix and with the same arguments as defined in /etc/rc.conf. Then use sendmail in all possible ways, kill it and sift through the newly created policy file and correct if needed.

            It's all described in the recent two articles mentioned on this site.

            Comments
            1. By Anonymous Coward () on

              That easy, huh? Try it and reassess the difficulty rating.

  6. By Anonymous Coward () on

    Just downloaded a snapshot and it's dated Mon Mar 3 08:07:11 MST 2003, and the sendmail reads 8.12.7, oops, the fix went in after 10. I'll wait for the next one, hopefully there will be one more before everything freezes.

    :)

    Comments
    1. By tedu () on

      theo said snapshots dated march 3 and later have the fix applied.

      Comments
      1. By cabal () on

        The snapshot on ftp.openbsd.org is now dated Mar 4, mirrors should catch up. Whew!

  7. By Wubba () on

    I patched a 3.2 system on the same day the patch was released (Excellent work on the speedy patch, guys).

    Since then, I have much disk thrashing and up to 50 percent disk utilization when mail comes in. I'd never noticed this before, so thought I might ask if anyone else is seeing this, or am I just smoking crack?

    Comments
    1. By Wubba () on

      Sorry, cpu utilization, not disk utilization.

  8. By Gecko () on

    Someone stop me pls, I just couldn't help laughing.
