Hours after a serious flaw in Sendmail was announced, a Polish security group has released an exploit that could take advantage of the flaw on systems running certain Linux distributions.
The Last Stage of Delirium (LSD) Research Group, an independent network security group established by four Polish computer science students, posted code and analysis on the BugTraq Web site detailing one way it was able to exploit the hole. The group noted that its exploit would only affect machines running the Slackware Linux distribution.
"The exploitation of this vulnerability was quite difficult," LSD said in an e-mail interview this morning. "For sure, it required technical knowledge about operating system internals and vulnerability exploitation tricks."
The flaw is a buffer overflow in the Sendmail mail transfer agent; it could allow remote attackers to gain control of affected systems. Sendmail, which comes in both commercial and open-source versions, is one of the most popular mail transfer agents. The vulnerability is found in many versions, including those running on Linux, Unix and Windows.
In an e-mail interview this morning, Eric Allman, the author of Sendmail and chief technology officer at Sendmail Inc., a company that sells a commercial version of the application, said he hasn't tried out LSD's exploit, but he says the methodology looks sound. "I have no reason to doubt that it would work," he said.
LSD released the exploit code so the vulnerability can be studied properly. Inadequate information can be more damaging than the vulnerability itself. Releasing such information is "the best way to improve security," the group said.
Allman would have preferred that LSD waited a couple of days before releasing the exploit. "But it was inevitable that it would happen, and I'm glad it came from some folks who were willing to spend the time to actually do some serious research and analysis," he said. "And, ultimately, full disclosure is, in my opinion, the best approach. If you don't do full disclosure, the black hats have the code and the white hats don't, and that's a bad situation."
The LSD exploit doesn't work on commercial Unix flavors such as AIX, Solaris and HP-UX. The group also found that the vulnerability "doesn't seem to be exploitable on most of the default SMTP installations of x86-based open-source systems."
"This leads to the conclusion that the overall impact of the vulnerability is rather limited and not so significant as it might be thought," LSD said in its posting.
Allman is a little more cautious. There may be other ways to exploit the vulnerability than LSD's, which was a "fairly direct attack (that is, getting the computer to run your code)." More indirect attacks, such as changing variables, could be a possibility as well, he said.
Internet Security Systems Inc. did test the exploit and found it "worked as advertised" on Slackware systems, said Dan Ingevaldson, team lead for ISS' X-Force R&D. ISS was among the first to issue an advisory on the vulnerability this week.
All a person would have to do is copy and paste the code into a Linux compiler and it would work against vulnerable Slackware systems, Ingevaldson said. While the exploit is not very robust, it is a start. There is no telling how long it will take malicious code writers to build upon the exploit LSD created, he said.
The exploit would require some tweaking to work against other platforms. While many systems have the vulnerability, exploiting it will vary from platform to platform and even from version to version of the same operating system, Ingevaldson said. Traditionally, worms that take advantage of vulnerabilities only target a few versions of, say, Windows NT or the Apache Web server, he said.
Both Ingevaldson and Allman stress that patching vulnerable systems would prevent exploits. "As nasty as this problem may seem now, it will be a lot worse if servers don't get patched and someone writes a destructive worm somewhere down the line," Allman said.
"A great many of the 'big' security problems we see result from a continuing, large number of servers out there that haven't had security patches installed," Allman said.
Send your thoughts to News Writer Edward Hurley.