[3359] in WWW Security List Archive
Re: www web security !
daemon@ATHENA.MIT.EDU (Wolfgang Ley)
Thu Oct 24 04:38:19 1996
From: Wolfgang Ley <ley@cert.dfn.de>
To: alexf@iss.net (Alex Filacchione)
Date: Thu, 24 Oct 1996 08:31:38 +0200 (MET DST)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <01BBC108.EEA35000@alexf.iss.net> from "Alex Filacchione" at Oct 23, 96 05:37:57 pm
Errors-To: owner-www-security@ns2.rutgers.edu
-----BEGIN PGP SIGNED MESSAGE-----
Alex Filacchione wrote:
>
>
> >Re: Sendmail. The latest, 8.8, is vulnerable. The vulnerability was
> >posted to bugtraq and BoS on the 17th.
>
> Re sendmail, just do not use this piece of incompetent software. If
> you must have a mailer on the machine at all run one that was
> written by someone who is marginally competent.
...and has the time and money to write good software :)
Apropos "marginally competent":
> There are solutions. TIS (Trusted Information Systems) has the FWTK
> (FireWall Tool Kit) which can be downloaded for free. Even if you don't
> use the firewall itself, it comes with two programs, smap and smapd. These
> interact with sendmail and act as a front end. This disallows any direct
> contact with sendmail, making attacks such as the recent buffer overflow
> attacks essentially useless from the hacker's point of view. Smap is what
> the outsider talks to, and you can't really get any info from it. It takes
> the mail and stores it somewhere on the machine. Then smapd comes along
> (from the inside net) and grabs the mail from smap, and passes it to
> sendmail on the inside, which distributes it. You are essentially proxying
> the email before it gets to sendmail. This only leaves you open to mail
> reader specific types of attacks. Products like MIMESweeper may help check
> MIME encoded mail, but I really don't know enough about MIMESweeper to
> comment on it further. I don't know if it is freeware, shareware, or a
> commercial product, or who makes it or anything. I just know that it
> exists. If someone else knows more about it maybe they can post some info?
Completely wrong. I don't know why people are trusting smap/smapd to protect
you against sendmail errors. As you already said: that software is just the
frontend that talks to the user - it then happily passes the mail to sendmail.
The buffer overflow bug/exploit in sendmail 8.8.0 worked just fine with smap
as "protection"... For those of you who are interested: the problem could
be exploited (for example) by sending a quoted printable encoded mail and
sendmail merged several lines to one big line while decoding - smap forwards
the exploit mail to sendmail where the buffer overflow happens.
> Alex F
> alexf@iss.net
> webmaster/security training
Please recheck your security tips to ensure that they will actually help
people to protect themselves. I also don't think that sendmail problems (like
a whole bunch of other topics in the past) should be discussed on a
*www*-security mailing list.
Bye,
Wolfgang Ley (DFN-CERT)
- --
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg, Germany
Email: ley@cert.dfn.de Phone: +49 40 5494-2262 Fax: +49 40 5494-2241
PGP-Key available via finger ley@ftp.cert.dfn.de any key-server or via
WWW from http://www.cert.dfn.de/~ley/ ...have a nice day
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
-----END PGP SIGNATURE-----
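
The line merging described in the message above, as an added illustration in C (not part of the original post, and not sendmail or smap code): a quoted-printable decoder removes soft line breaks, so short physical lines decode into one longer line, and a front end that only stores and forwards the message never sees that length. The function names, buffer sizes and sample body are assumptions constructed for this example; the decoder bounds its own output and rejects input that does not fit.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed sample body: three short physical lines, the first two ending
 * in a quoted-printable soft line break ("=" followed by CRLF). */
static const char SAMPLE[] =
    "AAAAAAAAAAAAAAAAAAAA=\r\n"
    "BBBBBBBBBBBBBBBBBBBB=\r\n"
    "CCCCCCCCCCCCCCCCCCCC\r\n";

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}
/* Longest physical (undecoded) line: the only per-line length visible to a
 * relay that passes the body on without decoding it. */
size_t longest_physical_line(const char *msg) {
    size_t best = 0, cur = 0;
    for (; *msg; msg++) {
        if (*msg == '\n') { if (cur > best) best = cur; cur = 0; }
        else if (*msg != '\r') cur++;
    }
    return cur > best ? cur : best;
}
/* Decode quoted-printable text into out[cap]. Soft line breaks are dropped,
 * which joins lines. Returns the decoded length, or -1 when the result
 * (plus NUL) would not fit, so oversized input is rejected, not written. */
long qp_decode(const char *in, char *out, size_t cap) {
    size_t n = 0;
    if (cap == 0) return -1;
    while (*in) {
        int c = (unsigned char)*in++;
        if (c == '=') {
            if (in[0] == '\n') { in += 1; continue; }
            if (in[0] == '\r' && in[1] == '\n') { in += 2; continue; }
            int hi = hexval((unsigned char)in[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)in[1]);
            if (lo >= 0) { c = hi * 16 + lo; in += 2; } /* else keep '=' */
        }
        if (n + 1 >= cap) return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (long)n;
}
int main(void) {
    char small[32], big[128];
    printf("%zu %ld %ld\n", longest_physical_line(SAMPLE),
           qp_decode(SAMPLE, small, sizeof small), qp_decode(SAMPLE, big, sizeof big));
    return 0;
}
```

Every physical line of the sample fits in the 32-byte buffer, yet the decoded text does not, which is why the length check has to sit in the decoder and not in whatever relays the message to it.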