|FROM ||From: "Adam Kosmin"
|SUBJECT ||Subject: [hangout] (fwd) SANS Alert - Critical Vulnerability in Sendmail and a Snort Vulnerability
|From owner-hangout-desteny-at-mrbrklyn.com Mon Mar 3 14:26:16 2003
Received: from www2.mrbrklyn.com (localhost [127.0.0.1])
by mrbrklyn.com (8.12.3/8.11.2/SuSE Linux 8.11.1-0.5) with ESMTP id h23JQG8X018089
for ; Mon, 3 Mar 2003 14:26:16 -0500
Received: (from mdom-at-localhost)
by www2.mrbrklyn.com (8.12.3/8.12.3/Submit) id h23JQGD3018088
for hangout-desteny; Mon, 3 Mar 2003 14:26:16 -0500
X-Authentication-Warning: www2.mrbrklyn.com: mdom set sender to owner-hangout-at-www2.mrbrklyn.com using -f
Received: from www2.mrbrklyn.com (localhost [127.0.0.1])
by mrbrklyn.com (8.12.3/8.11.2/SuSE Linux 8.11.1-0.5) with ESMTP id h23JQG8X018083
for ; Mon, 3 Mar 2003 14:26:16 -0500
Received: (from ruben-at-localhost)
by www2.mrbrklyn.com (8.12.3/8.12.3/Submit) id h23JQG3S018082
for hangout-at-www2.mrbrklyn.com; Mon, 3 Mar 2003 14:26:16 -0500
Received: from mail.med.cornell.edu (mail.med.cornell.edu [22.214.171.124])
by mrbrklyn.com (8.12.3/8.11.2/SuSE Linux 8.11.1-0.5) with ESMTP id h23JNc8X018032
for ; Mon, 3 Mar 2003 14:23:38 -0500
Received: from koz ([126.96.36.199]) by mail.med.cornell.edu
(Netscape Messaging Server 3.6) with ESMTP id AAA3F2C2
for ; Mon, 3 Mar 2003 14:25:53 -0500
Received: from akosmin by koz with local (Exim 3.36 #1 (Debian))
for ; Mon, 03 Mar 2003 14:17:25 -0500
Date: Mon, 3 Mar 2003 14:17:25 -0500
Subject: [hangout] (fwd) SANS Alert - Critical Vulnerability in Sendmail and a Snort Vulnerability
Content-Type: multipart/signed; micalg=pgp-sha1;
From: "Adam Kosmin"
Reply-To: "Adam Kosmin"
List: New Yorkers Linux Scene
Admin: To unsubscribe send unsubscribename-at-domian.com to hangout-request-at-www2.mrbrklyn.com
Content-Type: text/plain; charset=unknown-8bit
----- Forwarded message from The SANS Institute -----
Subject: SANS Alert - Critical Vulnerability in Sendmail and a Snort Vulner=
=46rom: The SANS Institute
To: Adam Kosmin (SD646867)
-----BEGIN PGP SIGNED MESSAGE-----
SANS Alert 2003-03-03
Critical vulnerability in all versions of SENDMAIL
Plus a Snort Vulnerability
And an invitation to a web broadcast on the vulnerabilities (SANS
Alumni get a two hour window to register before the Invitation goes
The Sendmail Vulnerability
What systems are affected? UNIX and Linux Systems running sendmail -
probably even those that are not mail servers.
Level: CRITICAL - affords root or superuser access
A new critical vulnerability has been discovered in Sendmail. The UNIX
and Linux vendors have been working feverishly to get a patch ready and
most are available now. Sendmail is too big a target for attackers to
ignore, so it makes sense to act immediately to protect your systems.
In this note you will find:
(1) The invitation to the webcast (SANS alumni get a two hour head
start for registering and only 2,000 people can be accommodated)
covering both vulnerabilities
(2) The ISS advisory on the new vulnerability and where to find patches
(3) A description of what government and industry did to try to
mitigate damage from this newly discovered vulnerability.
(4) The Department of Homeland Security Alert on the Snort
SANS Web Broadcast (free) on the Sendmail Vulnerability and the Snort=20
Date: March 3, 2003 (today)
Time: 7 PM EST (0000 UTC)
Register at: http://www.sans.org/webcasts/030303.php=20
There is an absolute limit of 2,000 people on the live program to
ensure quality audio, but the archive will be available about 5 hours
later for anyone who does not get a reservation.
Featuring the ISS X-Force folks (ISS discovered the vulnerability),
Hal Pomeranz (sendmail expert) and Marty Roesch, author of Sendmail,
will brief you on the Snort vulnerability.
Below you'll find the ISS advisory followed by a brief description
of what happened behind the scenes inside the Department of Homeland
Here=92s the ISS advisory
Internet Security Systems Security Advisory
March 3, 2003
Remote Sendmail Header Processing Vulnerability
ISS X-Force has discovered a buffer overflow vulnerability in the
Sendmail Mail Transfer Agent (MTA). Sendmail is the most common MTA
and has been documented to handle between 50% and 75% of all Internet
Attackers may remotely exploit this vulnerability to gain "root" or
superuser control of any vulnerable Sendmail server. Sendmail and all
other email servers are typically exposed to the Internet in order to
send and receive Internet email. Vulnerable Sendmail servers will not
be protected by legacy security devices such as firewalls and/or packet
filters. This vulnerability is especially dangerous because the exploit
can be delivered within an email message and the attacker doesn't need
any specific knowledge of the target to launch a successful attack.
Sendmail versions from 5.79 to 8.12.7 are vulnerable
Note: The affected versions of Sendmail commercial, Sendmail open
source running on all platforms are known to be vulnerable.
The Sendmail remote vulnerability occurs when processing and
evaluating header fields in email collected during an SMTP
transaction. Specifically, when fields are encountered that contain
addresses or lists of addresses (such as the "From" field, "To"
field and "CC" field), Sendmail attempts to semantically evaluate
whether the supplied address (or list of addresses) are valid. This
is accomplished using the crackaddr() function, which is located in
the headers.c file in the Sendmail source tree.
A static buffer is used to store data that has been processed. Sendmail
detects when this buffer becomes full and stops adding characters,
although it continues processing. Sendmail implements several security
checks to ensure that characters are parsed correctly. One such
security check is flawed, making it possible for a remote attacker
to send an email with a specially crafted address field that triggers
a buffer overflow.
X-Force has demonstrated that this vulnerability is exploitable in
real- world conditions on production Sendmail installations. This
vulnerability is readily exploitable on x86 architecture systems,
and may be exploitable on others as well.
Protection mechanisms such as implementation of a non-executable
stack do not offer any protection from exploitation of this
vulnerability. Successful exploitation of this vulnerability does
not generate any log entries.
[removed ISS product-specific information which may be found at
For Manual Protection, the affected vendor has offered the following
Sendmail urges all users to either upgrade to Sendmail 8.12.8 or apply
a patch for 8.12.x (or for older versions). Updates can be downloaded
=66rom ftp.sendmail.org or any of its mirrors (try a mirror near to
you first), see http://www.sendmail.org/ for details. Remember to
check the PGP signatures of patches or releases obtained. For those
not running the open source version, check with your vendor for a
patch. Sendmail, Inc., the commercial provider of the sendmail MTA,
is providing a binary patch for their commercial customers. The patch
can be downloaded from Sendmail's Web site at: http://www.sendmail.com/
Sendmail versions that are patched will record the following log
entry when exploitation is attempted: "Dropped invalid comments from
Vendor Notification Schedule:
Initial vendor notification: 1/13/2003
Initial vendor confirmation: 1/13/2003
Final release schedule confirmation: 1/31/2003
ISS X-Force worked with Sendmail throughout the notification and
release process. X-Force would like to thank Sendmail for their
cooperation as well as the National Infrastructure Protection Center
(NIPC) for coordinating this issue with elements of National critical
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2002-1337 to this issue. This is a candidate for inclusion
in the CVE list http://cve.mitre.org), which standardizes names for
If you are a RealSecure Server Sensor customer, please email
Support-at-iss.net for additional protection information. Please enter
the words "Server Sensor - Sendmail" in the subject line of your email.
For more information on ISS methodology and procedures
involved in Security Advisory publication, please review
the X-Force Vulnerability Disclosure Guidelines document:
This vulnerability was discovered and researched by Mark Dowd of the
Background on government/industry cooperation to mitigate damage
The Sendmail Vulnerability Announced Today, March 3, 2003
How Well Did The Cyber Defense Community Do?
Today, hundreds of thousands of people learned of a vulnerability in
the sendmail program which is widely used for Internet mail handling.
A vulnerability in such a widely used open source software program
presents difficult challenges for the cyber defense community -
including the need to get more than twenty different software
organizations to act quickly and silently to develop patches.
Three primary actions are required to respond effectively to such
1. Verify that the vulnerability exists and is important.
2. Contact the key technical personnel at each of the software
companies and other groups that distribute sendmail (either alone or
with other software) and ensure that they develop and test patches
and make them ready for widespread distribution.
3. Plan and execute an early warning and distribution strategy
that enables critical infrastructure organizations in the US and in
partner countries to be prepared for rapid deployment of the patches
once they are ready.=A0 This must be accomplished without leaking data
about the vulnerability to the black hat community that exploits such
vulnerabilities by creating worms like Code Red, Slapper, and Slammer.
When possible, several other actions may be appropriate:=20
4. Provide military and other very sensitive organizations with early
access to the patches so their systems can be protected even before
public disclosure of the vulnerability.
5. Use sensor networks with smart filters to test for exploitation.
6. Develop and distribute filters that can block the offending packets
to protect systems that cannot or will not install patches immediately.
On Saturday, March 1, 2003, the US Department of Homeland Security
became fully operational, although the elements of the new department
had been working together for several weeks.=A0 In cybersecurity, the new
Department brings together four highly visible cybersecurity agencies:
(1) The National Infrastructure Protection Center from the FBI, (2)
FedCIRC from the General Services Administration, (3) the National
Communications System program from the US Department of Defense, and
(4) the Critical Infrastructure Assurance Office from the Department
Today's disclosure of a vulnerability in sendmail offers the
opportunity to see how quickly and effectively the cyber defense
community, led by this new Department, can respond to important
Sendmail's vulnerability offers a legitimate test because sendmail
handles a large amount of Internet mail traffic and is installed on
at least 1.5 million Internet-connected systems. More than half of
the large ISPs and Fortune 500 companies use sendmail, as do tens of
thousands of other organizations. A security hole in sendmail affects
a lot of people and demands their immediate attention.
You can draw your own conclusion on how well the problem is being
handled. Here are the facts:
1. On Friday, February 14, telephone calls to the Department of
Homeland Security (DHS) and the White House Office of Cyberspace
Security alerted the US government to a suspected sendmail
vulnerability. The source of the data was Internet Security
Systems (ISS), a well-respected security firm with solid security
research credentials, giving the data an initial base level of
credibility. However, to be more certain, DHS technical experts
reviewed the details of the vulnerability and especially the
tests that ISS had run to prove the existence and severity of the
vulnerability. They were convinced.
2. Almost immediately the DHS/White House team, working with ISS,
contacted vendors that distribute sendmail, including Sun, IBM,
HP, and SGI, as well as the Sendmail Consortium, the organization
that develops the open source version of sendmail that is the core
of sendmail distributed with both free and commercial operating
systems. Partially because of government involvement, but primarily
because the vulnerability involved the widely used sendmail package,
the vendors immediately started working together on patches.
3. The DHS/White House staff contacted and shared what they knew with
the US Department of Defense and the Federal CIO Council. Through the
Federal CIO Council, the US FedCIRC and US Office of Management and
Budget were added to the coordinating team. Together the government
planners, ISS, and the vendors developing patches worked out a plan
for public dissemination of the vulnerability information and patch
4. To help ensure that the open source LINUX and BSD distributions
(Red Hat, SUSE, OpenBSD, etc.) developed patches, the Computer
Emergency Response Team at Carnegie Mellon University (CERT/CC) was
brought into the project. CERT/CC deployed its formalized process to
inform the LINUX and BSD distribution developers and to assist them
in getting the corrected source code and any additional knowledge
needed to create the patch. CERT/CC (which is funded, in part, by two
organizations being merged into DHS and by the DoD) also created an
advisory to educate system administrators and the security community
in general on the vulnerability, on which systems are affected,
and on where to get the patches for each affected system.
5. Some of the large commercial vendors developed the patches very
quickly, but the delayed notice to smaller sources of sendmail
distributions and limited resources at those organizations meant
that not all the patches would be ready by early in the week of
February 23. The coordinating group faced a decision of whether to
release data about the exploit before most patches were ready or to
wait. The answer depended on whether they had reason to believe an
exploit was already being used by attackers. They had two sources
of information that led them to conclude waiting an extra week was
acceptable. First, people who monitored the hacker discussion groups
reported that this vulnerability did not seem to be one that was being
discussed. Second, the organization that discovered the vulnerability,
ISS, had deployed sensors for the exploit in a number of places
around the world. Those sensors were showing no exploits. Based on
both sets of data, the coordination group decided to schedule the
announcement for Monday, March 3. A second-order reason to schedule
a Monday announcement was that some members of the team believed
that Monday-Tuesday announcements generate more rapid and complete
patching than announcements made late in the week.
6. Since some of the patches were ready, the coordination group
decided to provide what was available to the US DoD so that military
sites could have the protection as early as possible. The military
distributions took place on or around February 25 and 26.
7. On February 27 and 28, government groups in the US and in several
other countries were given early warnings, without details about how
the vulnerability could be exploited, to help them plan for rapid
deployment of the patches when they were released on March 3. In
addition to the Chief Information Officers of US Cabinet level
departments, and the directors or deputy directors of national
cyber security offices in several other countries, the officers of
the critical infrastructure Information Sharing And Analysis Centers
(ISACs) were also briefed so they could be ready for rapid information
distribution to commercial organizations such as banks and utilities,
that comprise the critical infrastructure.
8. On March 3, beginning about 10 am EST, alerts began flowing to
federal agencies from FedCIRC and to the critical infrastructure
companies from the ISACs. At noon, ISS released their advisory,
followed by CERT/CC's general release. Once the data was public,
the SANS Institute also issued a release and scheduled free web-based
DHS/NIPC Advisory 03-003 Snort Buffer Overflow Vulnerability=20
The Department of Homeland Security (DHS), National Infrastructure
Protection Center (NIPC) has been informed of a recently discovered
serious vulnerability in Snort, a widely used Intrusion Detection
System, IDS. DHS/NIPC has been working closely with the Internet
security industry on vulnerability awareness and is issuing this
advisory in conjunction with public announcements.
Snort is available in open source and commercial versions form
Sourcefire, a privately held company headquartered in Columbia, MD.
Details are available from Sourcefire. See Snort Vulnerability
Advisory [SNORT-2003-001]. The affected Snort versions include all
version of Snort from version 1.8 through current. Snort 1.9.1 has
been released to resolve this issue.
The vulnerability was discovered by Internet Security Systems (ISS),
and is a buffer overflow in the Snort Remote Procedure Call, RPC,
normalization routines. This buffer overflow can cause snort to
execute arbitrary code embedded within sniffed network packets.
Depending upon the particular implementation of Snort this may give
local and remote users almost complete control of a vulnerable machine.
The vulnerability is enabled by default. Mitigation instructions
for immediate protections prior to installing patches or upgrading
are described in the Snort Vulnerability Advisory.
Due to the seriousness of this vulnerability, the DHS/NIPC strongly
recommends that system administrators or security managers who employ
Snort take this opportunity to review their security procedures and
patch or upgrade software with known vulnerabilities.
Sourcefire has acquired additional bandwidth and hosting to aid users
wishing to upgrade their Snort implementation. Future information
can be found at:
As always, computer users are advised to keep their anti-virus
and systems software current by checking their vendor's web sites
frequently for new updates and to check for alerts put out by the
DHS/NIPC, CERT/CC, ISS and other cognizant organizations. The DHS/NIPC
encourages recipients of this advisory to report computer intrusions to
their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) and other
appropriate authorities. Recipients may report incidents online to
http://www.nipc.gov/incident/cirr.htm. The DHS/NIPC Watch and Warning
Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch-at-fbi.gov.
=3D=3D end =3D=3D
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
-----END PGP SIGNATURE-----
----- End forwarded message -----
"Silly hacker, root is for administrators"
GnuPG Key : 11C2 79F6 BD3D 3A86 5640 3DA0 3860 B30E 711D 3B66
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
-----END PGP SIGNATURE-----
NYLXS: New Yorker Free Software Users Scene
Fair Use -
because it's either fair use or useless....
NYLXS is a trademark of NYLXS, Inc