March 4, 2003 3:55 PM PST
Hackers' code exploits Sendmail flaw
The code, released less than a day after the
CNET White Papers
While the limited number of platforms affected by the program seems to be good news, the group warned that its quick analysis might have missed other ways of exploiting the problem.
"We do not claim that our way of exploitation is the only one," one of the group's members said in an e-mail with CNET News.com. "What we did was to perform the series of experiments aimed at actual verification of (the) vulnerability's impact. According to our results, this impact is much less significant that it might seem."
The flaw in Sendmail--in one of the mail server's security functions that parses mail headers--was found by network protection firm Internet Security Systems and announced on Monday. Companies shipping versions of Sendmail affected by the flaw--believed to be more the 15 years old--include IBM, Hewlett-Packard, Apple Computer, Sun Microsystems, Red Hat and other Linux vendors, according to advisories posted Monday by the Sendmail Consortium open-source project.
The LSD group's research questioned whether as many types of servers running Sendmail are as vulnerable as previously thought.
That's a moot point, said Eric Allman, founder of the Sendmail Consortium and chief technology officer for Sendmail Inc., a company that has created a commercial version of Sendmail.
"I don't think anyone should be complacent," he said, stressing that other ways to exploit the flaw may exist. "Just get the patch."
Allman wasn't sure how he felt about the security group publishing such extensive details about exploiting the vulnerability so soon after it was announced. For many years, security researchers and hackers have argued whether releasing detailed information about how a software flaw can be abused helps or hinders security.
The Sendmail founder had expected that code would be released soon, but not within 24 hours. Moreover, the functional nature of the posted code--the script returns a terminal prompt with which an attacker could issue commands to the compromised host--was overkill, he said.
"I would have preferred that they would have done a proof of concept," Allman said. Proof-of-concept code only illustrates how to exploit a vulnerability without actually doing anything overly useful.
The LSD group--whose four members claim to be graduates of the Poznan University of Technology--say that releasing such code enhances the community's overall security.
"We do believe that open and free information is the best for improving security," the group said in its e-mail to CNET News.com. "In our opinion, publishing the details is the only way to...determine the impact. The lack of appropriate information on the issue can be...even more damaging."