what’s up with these sendmail exploits?

Started by September 19, 2003 12:16 AM
6 comments, last by cyanide 20 years, 11 months ago
I just got this from one of my servers at rackspace..

quote: The second is a vulnerability in sendmail that may allow remote attackers to gain the privileges of the sendmail daemon, typically root. This affects sendmail versions prior to 8.12.10. The successful exploitation of this bug can lead to heap and stack structure overflows. Although there is no exploit that currently exists, this issue is locally exploitable and may also be remotely exploitable.

This is the third security alert these people have posted within the last six months about sendmail. It's like whenever there is a security alert I know it's either sendmail or BIND related!? I had my systems upgraded with qmail many months ago because of these constant security alerts about sendmail and I have never received anything concerning to that (at least so far). Also, if my knowledge is correct, then I'm even getting higher delivery rates with the latter software (as it can do simultaneous mailings). So, what's up with using sendmail the most? Maybe there are some subtle advantages of the first that I'm missing here? Why do people still continue to use sendmail when it's so full of exploits and on the other hand we have this other software that has a security guarantee and has never been exploited once (IIRC)? Is it because sendmail is more user friendly, like Microsoft Windows, and that compensates for the exploits? Or maybe it's more programmable? I don't know since I never did learn how to use sendmail. But somebody who has used both of these, can you please maybe enlighten me a little here? thanks, san

edit: formatting

[edited by - cyanide on September 19, 2003 1:18:08 AM]
----
#!/usr/bin/perl
print length "The answer to life,universe and everything";
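The advisory quoted above gives one concrete threshold (versions prior to 8.12.10 are affected), so the practical defender's question is whether each of your own hosts is below it. The check below is an added example, not code from the original thread or from the Sendmail project: it parses the version out of a Sendmail SMTP greeting (the banner format and the sample hostnames are constructed here) and compares it numerically, which matters because a plain string comparison would rank "8.12.9" above "8.12.10".

```python
import re

# Threshold from the advisory quoted in the post: releases before 8.12.10 are affected.
FIXED_VERSION = (8, 12, 10)

# Sendmail greets with a line like "220 host ESMTP Sendmail 8.12.9/8.12.9; <date>";
# the sample banners further down are constructed for this example.
_BANNER_RE = re.compile(r"\bSendmail\s+(\d+)\.(\d+)\.(\d+)")


def parse_sendmail_version(banner):
    """Return the Sendmail version as an int tuple, or None if the greeting is not Sendmail's."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version is older than the fixed release.
    Int tuples compare numerically, so (8, 12, 9) < (8, 12, 10) here,
    whereas the strings '8.12.9' > '8.12.10' lexicographically."""
    return version < FIXED_VERSION


def check_banner(banner):
    """Classify one greeting as 'affected', 'fixed', or 'unknown' (no Sendmail version in it)."""
    v = parse_sendmail_version(banner)
    if v is None:
        return "unknown"
    return "affected" if is_affected(v) else "fixed"


def audit(banners):
    """Map the hostname in each greeting (second word of the 220 line) to its status."""
    return {b.split()[1]: check_banner(b) for b in banners}


# Constructed greetings standing in for what your own hosts answer on port 25.
SAMPLE_BANNERS = [
    "220 mail1.example.test ESMTP Sendmail 8.12.9/8.12.9; Fri, 19 Sep 2003 00:16:00 -0500",
    "220 mail2.example.test ESMTP Sendmail 8.12.10/8.12.10; Fri, 19 Sep 2003 00:16:00 -0500",
    "220 mail3.example.test ESMTP Sendmail 8.11.6/8.11.6; Fri, 19 Sep 2003 00:16:00 -0500",
    "220 mail4.example.test ESMTP",  # another MTA (e.g. qmail): no Sendmail version string
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_BANNERS).items():
        print(f"{host}: {status}")
```

A host reporting "unknown" is not cleared by this check; confirm its MTA and version through the package manager rather than the banner.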
The licensing terms for qmail are fairly restrictive. That's one reason it doesn't get included in many distributions.

How appropriate. You fight like a cow.
How I've read it: Sendmail came about during an era of many mail protocols (compared to now, where it's basically just SMTP) and it supported all of them by being very generic. Why it's so exploitable is probably derived from that in part, but generally I think it just wasn't written with security in mind as much as other MTAs were. I've never used Sendmail, so I can't verify much of that from personal experience, but it sounds reasonable.

As for other (non-qmail) alternatives: there's always Postfix, and Exim (Debian's "favorite" MTA).

I guess so Sneftel, since I too remember that precompiled distros of qmail are also prohibited by the author.. so installing that with the OS setup is out of the question, maybe that's one reason.. the other one (after some thinking) could be that many scripts (or at least the old ones) may be used to some obscure switches that sendmail may have but others don't..

anyway, if sendmail was not made with security in mind as N&V pointed out, then maybe it's time for them to rewrite it from scratch or something, rather than just issue yet another patch to cover your ass every time ;-) I mean, it's not such a big task (as they seem to have a huge following), and we know from qmail that fail-safe software can be built, so why not work on it for once if you're the most popular MTA... just my $.02
Just because you don't ever hear about security vulnerabilities in qmail (or whatever software you're using for that matter) doesn't mean that it doesn't contain any. The reason you see so many exploits for sendmail is because it's known that many people use it and it is included in many distros. So the malicious (and non-malicious) users out there are actually trying to find vulnerabilities to exploit. They know that many people will have that software there to exploit.

I mean I could go find some DOS (or some other hardly ever used software) exploit now... but why would I want to? Nobody is running DOS right now anyway, wouldn't do me much good eh?

quote: Original post by Drek82
They know that many people will have that software there to exploit.

I mean I could go find some DOS (or some other hardly ever used software) exploit now... but why would I want to? Nobody is running DOS right now anyway, wouldn't do me much good eh?

Not that I'm trying to contradict you, as you do have a valid point too (the number of attacks does matter too), but just so you know, there was a reward of $500 and then a subsequent reward of $1000 (I guess there still is) on the qmail site for anyone who can find any vulnerabilities in the software (one of the reasons why I got it instead). Both of these have been unclaimed since 1997 or donated to GNU because nobody was able to make any such claims.

edit: Link

[edited by - cyanide on September 19, 2003 1:54:12 PM]
quote: Original post by Null and Void
How I've read it: Sendmail came about during an era of many mail protocols (compared to now, where it's basically just SMTP) and it supported all of them by being very generic. Why it's so exploitable is probably derived from that in part, but generally I think it just wasn't written with security in mind as much as other MTAs were. I've never used Sendmail, so I can't verify much of that from personal experience, but it sounds reasonable.

As for other (non-qmail) alternatives: there's always Postfix, and Exim (Debian's "favorite" MTA).


However, that's not the case here. The latest Sendmail vulnerability is a buffer overflow vulnerability. This is just one more example in my argument that the "many eyes" concept of open source software is nothing more than an unsupported theory, more wishful thinking than solid fact.

Sendmail is an open source program that has been around for 2 decades. Yet people still find things as simple and obvious as a buffer overflow bug in it. The fact is that while many people use open source software, very few of them look at the source code, and a mere handful actually look at older existing modules closely enough to find flaws (do *you* read your distro's source code line by line looking for bugs? huh, punk?). I would submit that normal "closed source" development is just as effective as the larger open source projects in terms of code integrity, provided that management is not pushing release dates and that there are regular code reviews. The true advantage to open source integrity is that it's typically not commercial, and hence there are no such things as deadlines, and features are usually limited to those the programmers want. This means more time to develop less. When open source is pushed to work in the commercial world you get stuff like Redhat, an OS far less secure than other Linux distros (even NASA's own secured Redhat systems were taken down by Redhat-specific worms like Lion), buggy, and generally unfinished (as evidenced by the fact that dialogs contain spelling mistakes and obvious errors like "press Next to continue" when there is no Next button).
quote: Original post by Michalson
However, that's not the case here. The latest Sendmail vulnerability is a buffer overflow vulnerability. This is just one more example in my argument that the "many eyes" concept of open source software is nothing more than an unsupported theory, more wishful thinking than solid fact.

A single non-core developer found the last few buffer overflows in Sendmail. As far as I'm aware he hasn't said anything publicly about the bugs; what's to say the source didn't help him find the holes and get them patched? I'm not going to debate that "all open source projects are inherently completely screened for buffer overflows" because that's absurd, but surely you're not trying to say that no or few bugs/exploits have been fixed by non-core developers in open source projects? The code being viewable by non-core developers certainly doesn't hurt the chances of bugs being fixed...

quote: Original post by Michalson
Sendmail is an open source program that has been around for 2 decades. Yet people still find things as simple and obvious as a buffer overflow bug in it.

Maybe because it was just very poorly written and, while many bugs have been fixed, their abundance has allowed a number to slip by ("wasn't written with security in mind")? Maybe this bug was caused by recent not-wholly-correctly-done modifications to that area of the code (that's basically what caused the last OpenSSH problem)?

I can't say if either of those cases is true, but you can't say they're not what happened. Perhaps "a buffer overflow surviving two decades of code reviews" may not have been what actually happened. (Actually, one could probably check the latter, but I'm too lazy since all of this has no particular importance to me.)

quote: Original post by Michalson
The true advantage to open source integrity is that it's typically not commercial, and hence there are no such things as deadlines, and features are usually limited to those the programmers want.

Sendmail has been commercial (but still open source) since 1998. Whether that actually matters or not in this case is debatable, of course.

This topic is closed to new replies.