hack@merkin.cactus.org (Greg Hackney) (11/11/88)
Is the sendmail program distributed with OSx 4.1 vulnerable
to the recent Internet 'virus', if so, recommendations?
--
Greg
pyramid!swbatl!hack
^
|
L
karl@triceratops.cis.ohio-state.edu (Karl Kleinpaste) (11/12/88)
Try
    telnet 127.1 smtp
    [ready message from sendmail in SMTP]
    debug
and if it responds with
    200 Debug set
then your sendmail is subject to abuse. The particular worm which made the rounds was peculiar to VAXen and Sun3s, because it was carrying around precompiled binaries for those 2 CPUs; but the general problem of invoking debug mode remotely and then delivering to a piped destination exists nonetheless.

csg@pyramid announced in the phage mailing list (discussing the worm, its abortion, its consequences) that there exists a PTF to sendmail.

--Karl
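An added Python version of the check Karl describes (not code from the thread): open the SMTP port, read the greeting, send `debug`, and treat a 2xx reply such as `200 Debug set` as the vulnerable case. The `host.example` greeting and the fake transcript are constructed here so the dialogue can be exercised offline; `probe_smtp_debug` runs the same dialogue against a real daemon on 127.0.0.1.

```python
import io
import socket

def classify_debug_reply(reply):
    """2xx to 'debug' (the thread quotes '200 Debug set') means the daemon
    switched debug mode on for a remote client; anything else refused it."""
    code = reply[:3]
    return "vulnerable" if code.isdigit() and code[:1] == b"2" else "safe"

def smtp_debug_dialogue(rfile, wfile):
    """The check from the post over any byte-stream pair: read the greeting,
    send 'debug', classify the answer, then send 'quit'."""
    greeting = rfile.readline()
    wfile.write(b"debug\r\n")
    wfile.flush()
    reply = rfile.readline()
    wfile.write(b"quit\r\n")
    wfile.flush()
    return classify_debug_reply(reply), greeting.strip(), reply.strip()

def probe_smtp_debug(host="127.0.0.1", port=25, timeout=5.0):
    """Run the dialogue against a real daemon (the post uses 127.1, port smtp)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        with s.makefile("rb") as r, s.makefile("wb") as w:
            return smtp_debug_dialogue(r, w)

def fake_sendmail_transcript(client_lines, debug_reply):
    """Constructed stand-in for sendmail's SMTP command loop (offline only):
    returns the bytes the server would send in reply to client_lines."""
    out = [b"220 host.example Sendmail ready\r\n"]   # constructed greeting
    for line in client_lines:
        cmd = line.strip().lower()
        if cmd == b"debug":
            out.append(debug_reply)
        elif cmd == b"quit":
            out.append(b"221 host.example closing connection\r\n")
            break
        else:
            out.append(b"500 Command unrecognized\r\n")
    return b"".join(out)

def check_offline(debug_reply):
    """Drive the dialogue against the fake transcript; returns
    (verdict, bytes the client sent)."""
    rfile = io.BytesIO(fake_sendmail_transcript([b"debug\r\n", b"quit\r\n"], debug_reply))
    wfile = io.BytesIO()
    verdict, _greeting, _reply = smtp_debug_dialogue(rfile, wfile)
    return verdict, wfile.getvalue()
```

`check_offline(b"200 Debug set\r\n")` reports the vulnerable case and `check_offline(b"500 Command unrecognized\r\n")` the safe one; a real probe is `probe_smtp_debug()` against your own host.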
romain@pyramid.pyramid.com (Romain Kang) (11/12/88)
In article <424@merkin.cactus.org> hack@merkin.cactus.org (Greg Hackney) writes:
| Is the sendmail program distributed with OSx 4.1 vulnerable
| to the recent Internet 'virus', if so, recommendations?

Yes. The same bug/feature that allowed the worm to spread through SMTP is present in all stock OSx releases. You can get a PTF from RTOC to close this hole, as well as related security fixes.

If you're in a hurry, the adb patch that came through comp.bugs.4bsd.ucb-fixes will work, as long as you use "ucb strings - -o" instead of just "ucb strings -o". (In OSx 4.1 and later, the SMTP command table is kept in read-only (text) space.)
mechjgh@tness1.UUCP (Greg Hackney 214+464-2771) (11/25/88)
[REPOST, ORIGINAL MUNGED]

In article <46784@pyramid.pyramid.com> romain@pyramid.UUCP (Romain Kang) writes:
>In article <424@merkin.cactus.org> hack@merkin.cactus.org (Greg Hackney) writes:
>| Is the sendmail program distributed with OSx 4.1 vulnerable
>| to the recent Internet 'virus', if so, recommendations?
>
>Yes. The same bug/feature that allowed the worm to spread through SMTP
>is present in all stock OSx releases. You can get a PTF from RTOC to
>close this hole, as well as related security fixes.
>
>If you're in a hurry, the adb patch that came through
>comp.bugs.4bsd.ucb-fixes will work, as long as you use "ucb strings - -o"
>instead of just "ucb strings -o". (In OSx 4.1 and later, the SMTP
>command table is kept in read-only (text) space.)

I called RTOC, who said a tape would be sent in a couple of days.

Meanwhile, the adb fix does not work on my OSx4.1 system, but I was able to edit the binary with GNU Emacs, and changed the characters "debug" and "wiz" to nulls. This closed the hole with no problems noticed.

--
Greg
romain@pyramid.pyramid.com (Romain Kang) (11/26/88)
In article <788@tness1.UUCP> Greg Hackney writes:
| Meanwhile, the adb fix does not work on my OSx4.1 system, but I was
| able to edit the binary with GNU Emacs, and changed the characters
| "debug" and "wiz" to nulls. This closed the hole with no problems
| noticed.

Using nulls seems to make a plain carriage return turn on debug. Here's a shell script that uses adb to partly overwrite "debug" with 0xff, which should be safe, since sendmail strips the high bits before decoding SMTP commands. It has been tested under OSx 4.4b, and successfully modifies an OSx 4.1 sendmail binary.

#! /bin/ucb /bin/sh
PATH=/usr/ucb:/bin:/usr/bin

echo "Looking for sendmail \"debug\" command..."
DEBUG=`strings - -o /usr/lib/sendmail | grep debug`
if [ $? -ne 0 ]; then
	echo "Your sendmail is safe from the Worm."
	exit 0
fi
set $DEBUG
echo "Patching sendmail at location $1"...
cp /usr/lib/sendmail sendmail.new
adb -w sendmail.new << EoF
?m 0 0xffffffff 0
?n"Before:"
0t$1?s
0t$1?5b
?n"Patching..."
"?w 0xffff 0
?n"After:"
"?5b
\$q
EoF

echo ""
echo -n "Do you want to install the fixed binary? (Y|N) [default: N] "
read yorn
case "$yorn" in
Y*|y*)	;;
*)	echo "OK, we'll leave it alone for now..."
	exit 0
esac

if [ "`whoami`" != "root" ]; then
	echo "Please run this again as \"root\"."
	exit 1
fi

echo "Looking for sendmail daemon..."
daemon=`ps ax | awk '$5 == "/usr/lib/sendmail" && $6 == "-bd" { print }'`
if [ ! -n "$daemon" ]; then
	echo "Can't find a running sendmail daemon, continuing..."
	set -x
else
	set $daemon
	echo "This looks like the daemon:"
	ps u$1
	echo "Last chance to interrupt before killing sendmail..."
	set -x
	sleep 10
	kill $1
fi

:
: Save old binary
mv /usr/lib/sendmail /usr/lib/sendmail.bak
chmod 0 /usr/lib/sendmail.bak

:
: Installing new
mv sendmail.new /usr/lib/sendmail
chmod 4755 /usr/lib/sendmail

:
: Re-freeze sendmail configuration
/usr/lib/sendmail -bz

:
: Re-start daemon if needed
case "$daemon" in
"")	: daemon was not running, we are done
	exit 0
	;;
*)	set $daemon
	$5 $6 $7 $8 $9
	exit 0
	;;
esac
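An added Python model (not sendmail's code and not from the thread) of why the two patches behave differently: sendmail cuts the command word from the input line, strips the high bit, and compares it case-insensitively against each C string in its command table. The table contents and the dispatch loop are constructed approximations of that logic; the assumption is that an entry overwritten with NULs becomes the empty C string, which is what lets an empty line match it.

```python
# Constructed model of an SMTP command dispatch loop in a 5.x-era sendmail:
# strip the high bit from the input, cut the first word, and compare it
# case-insensitively with each C string in the command table.
STOCK_TABLE = [b"helo", b"mail", b"rcpt", b"data", b"rset", b"noop", b"quit", b"debug"]

def c_string(entry):
    """A C string ends at the first NUL; bytes after it are invisible to strcmp."""
    return entry.split(b"\0", 1)[0]

def command_word(line):
    """Strip high bits (as sendmail does before decoding) and take the first word."""
    words = bytes(b & 0x7F for b in line).split()
    return words[0].lower() if words else b""

def dispatch(table, line):
    """Index of the matching table entry, or None if the command is unrecognized."""
    word = command_word(line)
    for i, entry in enumerate(table):
        if c_string(entry).lower() == word:
            return i
    return None

def patch_nulls(table, name):
    """Greg's edit: overwrite the whole entry with NULs, leaving an empty C string."""
    return [b"\0" * len(e) if e == name else e for e in table]

def patch_high_bytes(table, name, n=2):
    """Romain's adb patch: overwrite the first n bytes with 0xff, so the entry
    can never equal a high-bit-stripped input."""
    return [b"\xff" * n + e[n:] if e == name else e for e in table]

DEBUG = STOCK_TABLE.index(b"debug")
NULLED = patch_nulls(STOCK_TABLE, b"debug")
PATCHED = patch_high_bytes(STOCK_TABLE, b"debug")

def demo():
    """Each entry is True when the model agrees with the thread's observations."""
    return {
        "stock accepts debug": dispatch(STOCK_TABLE, b"DEBUG\r\n") == DEBUG,
        "nulled: bare CR turns on debug": dispatch(NULLED, b"\r\n") == DEBUG,
        "0xff: debug refused": dispatch(PATCHED, b"debug\r\n") is None,
        "0xff: bare CR refused": dispatch(PATCHED, b"\r\n") is None,
        "0xff: raw 0xff bytes refused": dispatch(PATCHED, b"\xff\xffbug\r\n") is None,
        "0xff: other commands still work": dispatch(PATCHED, b"quit\r\n") == STOCK_TABLE.index(b"quit"),
    }
```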
csg@pyramid.pyramid.com (Carl S. Gutekunst) (11/27/88)
In article <788@tness1.UUCP> mechjgh@tness1.UUCP (Greg Hackney 214+464-2771) writes:
>I called RTOC, who said a tape would be sent in a couple of days.

Yeah, Scott keeps pulling Seshadri's chain, and he keeps pulling mine. If we didn't keep finding more security holes, the PTF would have been done sooner. The final PTF includes security fixes for FTP, Sendmail, and UUCP. The fixes for UUCP will be posted to the net, as well. There are some much worse security holes here than what the Internet Worm exploited.

If you are running Basic Networking Utilities aka HoneyDanBer UUCP, you should also call RTOC and ask for a fix for Peter's "hdbworm" hole. This will be in a separate PTF, so the first one doesn't get held up. (There aren't that many of you out there running HoneyDanBer anyway, near as I can tell.)

>Meanwhile, the adb fix does not work on my OSx4.1 system, but I was able to
>edit the binary with GNU Emacs, and changed the characters "debug" and "wiz"
>to nulls.

See Romain's fix. Actually, the "wiz" command is not a problem in Pyramid's sendmail. Try telnet'ing to the sendmail socket, type "wiz", and see what happens. :-) I didn't do it that way, Eric Allman did; but I didn't feel like ripping it out, either.

<csg>
hack@merkin.cactus.org (Greg Hackney) (11/28/88)
In article <48619@pyramid.pyramid.com> romain@pyramid.UUCP (Romain Kang) writes:
>Using nulls seem to make a plain carriage return turn on debug. Here's
>a shell script that uses adb to partly overwrite "debug" with 0xff

Yep, I screwed up. Thanks for the fix.

--
Greg
hack@merkin.cactus.org (Greg Hackney) (11/28/88)
In article <48721@pyramid.pyramid.com> csg@pyramid.pyramid.com (Carl S. Gutekunst) writes:
>If you are running Basic Networking Utilities aka HoneyDanBer UUCP, you should
>also call RTOC and ask for a fix for Peter's "hdbworm" hole.

Uh, let's see if I got it straight.... I should call call Pyramid and tell tell them, "I have a problem with Peter's Worm hole?" Okay, I'll ask the new lady clerk to do it. :-)

>See Romain's fix. Actually, the "wiz" command is not a problem in Pyramid's
>sendmail. Try telnet'ing to the sendmail socket, type "wiz", and see what
>happens. :-) I didn't do it that way, Eric Allman did; but I didn't feel like
>ripping it out, either.
><csg>

Cute. For those of you in suspense, it says ..."You Wascal Wabbit...."

--
Greg