The Community Forums


Critical Sendmail Vulnerability!!!

Discussion in 'E-mail Discussions' started by georgiabill, Mar 4, 2003.

  2. georgiabill Member (Joined: Mar 4, 2003; Messages: 16; Likes Received: 0; Trophy Points: 1)

    Description of this sendmail exploit

    I. Description
    Researchers at Internet Security Systems (ISS) have discovered a remotely exploitable vulnerability in sendmail. This vulnerability could allow an intruder to gain control of a vulnerable sendmail server.

    Most organizations have a variety of mail transfer agents (MTAs) at various locations within their network, with at least one exposed to the Internet. Since sendmail is the most popular MTA, most medium-sized to large organizations are likely to have at least one vulnerable sendmail server. In addition, many UNIX and Linux workstations provide a sendmail implementation that is enabled and running by default.

    This vulnerability is message-oriented as opposed to connection-oriented. That means that the vulnerability is triggered by the contents of a specially-crafted email message rather than by lower-level network traffic. This is important because an MTA that does not contain the vulnerability will pass the malicious message along to other MTAs that may be protected at the network level. In other words, vulnerable sendmail servers on the interior of a network are still at risk, even if the site's border MTA uses software other than sendmail. Also, messages capable of exploiting this vulnerability may pass undetected through many common packet filters or firewalls.

    Sendmail has indicated to the CERT/CC that this vulnerability has been successfully exploited in a laboratory environment. We do not believe that this exploit is available to the public. However, this vulnerability is likely to draw significant attention from the intruder community, so the probability of a public exploit is high.

    A successful attack against an unpatched sendmail system will not leave any messages in the system log. However, on a patched system, an attempt to exploit this vulnerability will leave the following log message:

    Dropped invalid comments from header address

    Although this does not represent conclusive evidence of an attack, it may be useful as an indicator.

    A patched sendmail server will drop invalid headers, thus preventing downstream servers from receiving them.

    The CERT/CC is tracking this issue as VU#398025. This reference number corresponds to CVE candidate CAN-2002-1337.

    For more information, please see

    http://www.sendmail.org
    http://www.sendmail.org/8.12.8.html
    http://www.sendmail.com/security/
    http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
    http://www.kb.cert.org/vuls/id/398025


    II. Impact
    Successful exploitation of this vulnerability may allow an attacker to gain the privileges of the sendmail daemon, typically root. Even vulnerable sendmail servers on the interior of a given network may be at risk since the vulnerability is triggered from the contents of a malicious email message.
     
  3. Annette Well-Known Member, PartnerNOC (Joined: Aug 12, 2001; Messages: 445; Likes Received: 0; Trophy Points: 16)

    Probably nothing, since cPanel boxes by default do not run sendmail.
     
  4. georgiabill Member (Joined: Mar 4, 2003; Messages: 16; Likes Received: 0; Trophy Points: 1)

    You may want to actually read the alert before you decide whether Cpanel servers are vulnerable.

    https://rhn.redhat.com/errata/RHSA-2003-073.html

    "Since this is a message-based vulnerability, MTAs other than Sendmail may pass on the carefully crafted message. This means that unpatched versions of Sendmail inside a network could still be at risk even if they do not accept external connections directly."
     
  5. Curious Too Well-Known Member (Joined: Aug 31, 2001; Messages: 427; Likes Received: 0; Trophy Points: 16; cPanel Access Level: Root Administrator)

    None of my cpanel servers have sendmail installed -- how does this affect me?
     
  6. xnull Well-Known Member (Joined: Sep 9, 2001; Messages: 156; Likes Received: 0; Trophy Points: 16)

    I wouldn't say Cpanel servers don't come with sendmail. That is false, as my server has always had sendmail and our sendmail is used by a lot of perl scripts on the server.

    My university is beginning to patch all unix and linux machines today with the fixed copies of sendmail. I can only hope we are provided with the same (if not having to do it manually).
     
  7. georgiabill Member (Joined: Mar 4, 2003; Messages: 16; Likes Received: 0; Trophy Points: 1)

    I ran a pstree command to view all processes and it shows a process for sendmail. This IS a Cpanel server.

    [root@ns log]# pstree -p
    init(1)-+-antirelayd(14674)
            |-chkservd(1791)
            |-cpaneld(1822)
            |-cpaneld(16234)---cpanel(16402)
            |-cpaneld(16372)
            |-cpaneld(16530)
            |-cpaneld(16550)
            |-cpaneld(16570)
            |-cpanellogd(1820)
            |-cppop(1840)
            |-crond(1714)---crond(18656)-+-java(18662)---java(18692)-+-java(18693)
            |                            |                           |-java(18694)
            |                            |                           |-java(18695)
            |                            |                           `-java(18711)
            |                            `-sendmail(18710)
            |-dsmcad(2310)---dsmcad(2312)-+-dsmcad(2313)
            |                             `-dsmcad(2314)
            |-entropychat(1850)
            |-exim(2042)-+-exim(9234)---exim(16533)
            |            `-exim(16535)
     
  8. Juanra Well-Known Member (Joined: Sep 22, 2001; Messages: 777; Likes Received: 0; Trophy Points: 16; Location: Spain)

    Try this:

    # ls -o /usr/sbin/sendmail /usr/lib/sendmail

    What does it say?
     
  9. georgiabill Member (Joined: Mar 4, 2003; Messages: 16; Likes Received: 0; Trophy Points: 1)

    lrwxrwxrwx 1 root 12 Jan 2 2002 /usr/lib/sendmail -> ../sbin/exim
    lrwxrwxrwx 1 root 4 Jan 2 2002 /usr/sbin/sendmail -> exim
     
  10. Annette Well-Known Member, PartnerNOC (Joined: Aug 12, 2001; Messages: 445; Likes Received: 0; Trophy Points: 16)

    I did read the announcement. Did you? This doesn't say that other MTAs are vulnerable. It says that other MTAs may very well pass on crafted messages of the sort that exploit servers running unpatched versions of sendmail. And while it is true that there is a remote possibility that exim itself might, possibly, maybe, somehow be affected by this - although no one has shown a proof of concept on this exploit since last December on anything other than sendmail - the problematic issue here is not with exim's ability to pass along those messages. The problematic issue here is that the possibility exists that an exim (or other) MTA will pass along a message to an unsecured sendmail box that would result in that box being exploited.

    If you look for sendmail on your system, you'll find that it's merely a symlink to exim itself, assuming that you have made no alterations to the MTA in use on that machine.

    lrwxrwxrwx 1 root 4 Jan 2 2002 /usr/sbin/sendmail -> exim*

    And my answer stands: DarkOrb won't do anything, because basic cPanel boxes do not run sendmail by default. Anyone who knows enough to set up sendmail on a cPanel box should know well enough how to run a few rpms.
     
  11. georgiabill Member (Joined: Mar 4, 2003; Messages: 16; Likes Received: 0; Trophy Points: 1)

    I ran the RPMs minutes after I heard about the exploit seeing as my CPanel server has a sendmail process running. Amazing how Cpanel does not have sendmail running, yet it seems to have its own PID. Go figure that one, Barbie. :eek:

    [root@ns log]# pstree -p
    init(1)-+-antirelayd(14674)
            |-chkservd(1791)
            |-cpaneld(1822)
            |-cpaneld(16234)---cpanel(16402)
            |-cpaneld(16372)
            |-cpaneld(16530)
            |-cpaneld(16550)
            |-cpaneld(16570)
            |-cpanellogd(1820)
            |-cppop(1840)
            |-crond(1714)---crond(18656)-+-java(18662)---java(18692)-+-java(18693)
            |                            |                           |-java(18694)
            |                            |                           |-java(18695)
            |                            |                           `-java(18711)
            |                            `-sendmail(18710)
            |-dsmcad(2310)---dsmcad(2312)-+-dsmcad(2313)
            |                             `-dsmcad(2314)
            |-entropychat(1850)
            |-exim(2042)-+-exim(9234)---exim(16533)
            |            `-exim(16535)
            |-httpd(27890)-+-httpd(15564)
            |              |-httpd(15567)
            |              |-httpd(15568)
            |              |-httpd(15569)
            |              |-httpd(15570)
     
  12. MarlboroMan Well-Known Member (Joined: Dec 7, 2001; Messages: 64; Likes Received: 0; Trophy Points: 6)

    When Exim is called by its sendmail link (as a LOT of perl scripts do), its process name in your process listing WILL be sendmail.

    Remember, sendmail is used for command-line mailing.
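    As an added example (not code from the thread, from cPanel or from Sendmail), here is a POSIX sh script that turns the two checks discussed above into functions: it follows the /usr/sbin/sendmail symlink chain hop by hop to show which MTA is really behind a "sendmail" process name, and it counts the "Dropped invalid comments from header address" lines that the CERT advisory names as the indicator a patched sendmail logs. The directory layout and the maillog lines it builds are constructed to mirror the ls output posted earlier; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: (1) is the "sendmail" binary real
# sendmail or cPanel's symlink to exim? (2) does the mail log carry the
# CERT advisory's patched-sendmail indicator line?
set -e
INDICATOR='Dropped invalid comments from header address'
# Follow a symlink chain one hop at a time and print the final target's basename.
resolve_mta() {
    p="$1"; n=0
    while [ -L "$p" ] && [ "$n" -lt 16 ]; do      # 16-hop guard against link loops
        t=$(ls -l "$p" | sed 's/.* -> //')
        case "$t" in
            /*) p="$t" ;;                          # absolute target
            *)  p="$(dirname "$p")/$t" ;;          # relative to the link's directory
        esac
        n=$((n + 1))
    done
    basename "$p"
}
# Print exim, sendmail or other for the given sendmail path.
classify_mta() {
    case "$(resolve_mta "$1")" in
        exim*)     echo exim ;;
        sendmail*) echo sendmail ;;
        *)         echo other ;;
    esac
}
# Count log lines carrying the indicator; prints 0 when there are none.
count_indicator() {
    grep -c "$INDICATOR" "$1" || true
}
# Build a constructed layout mirroring the thread's ls output, plus a constructed
# maillog (2 indicator lines, 1 unrelated line); print the directory path.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/sbin" "$d/usr/lib"
    : > "$d/usr/sbin/exim"
    ln -s exim "$d/usr/sbin/sendmail"
    ln -s ../sbin/exim "$d/usr/lib/sendmail"
    printf '%s\n' \
      'Mar  4 10:01:22 ns sendmail[18710]: h24F1M018710: Dropped invalid comments from header address' \
      'Mar  4 10:01:23 ns sendmail[18710]: h24F1M018710: from=<user@example.com>, size=512' \
      'Mar  4 10:05:40 ns sendmail[18801]: h24F5e018801: Dropped invalid comments from header address' \
      > "$d/maillog"
    echo "$d"
}
DEMO=$(make_demo)
echo "usr/sbin/sendmail resolves to: $(classify_mta "$DEMO/usr/sbin/sendmail")"
echo "indicator hits in maillog: $(count_indicator "$DEMO/maillog")"
rm -rf "$DEMO"
```

    On a real box, call classify_mta /usr/sbin/sendmail and count_indicator /var/log/maillog instead of the constructed paths.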
     
  13. Annette Well-Known Member, PartnerNOC (Joined: Aug 12, 2001; Messages: 445; Likes Received: 0; Trophy Points: 16)

    Unbelievable. Good thing you're not looking for a sysadmin job. Perhaps you'd care to show all of us - many of whom can see sendmail processes running, btw, but understand what they really are - just where you think sendmail exists on a non-MTA modified cPanel box. I'm sure Nick would be most interested as well, since he, too, has told you exactly the same thing as everyone else.
     