Tutorial - Sendmail Information

Sendmail Information

CAN 1999-0531

Impact

By exploiting the sendmail vulnerability, a malicious user may be able to gather information, such as user names, about user accounts located on the system on which sendmail resides. Using this information, it would then be a relatively simple task for the malicious user to gain access to the system. If the user is able to gain access to the system through an administrative (or root) account, the results could be catastrophic indeed. The malicious user, or hacker, could decide to overwrite important system files, delete file systems altogether or use the compromised system as a base from which to compromise other systems on the network. A secondary issue is that the hacker may also be able to access any mailing lists used by sendmail. This means, of course, that the hacker would have the email addresses of any person found on these mailing lists.

Background

Sendmail, first released circa 1983, is a mail router program, and was designed to route email between peers on a network and also to route mail between networks. Note that sendmail is a routing program, and not an application that an ordinary user would use to format and send messages. Instead, sendmail accepts formatted messages from an email program (such as Outlook Express, Eudora or Pegasus), and then sends them to the appropriate recipients. The message is sent using the Simple Mail Transfer Protocol (SMTP), which was designed to be a reliable and effective transport for mail messages.

The Problem

While sendmail and the SMTP protocol have proven very useful in everyday life, they have presented us with a security problem. A malicious user able to connect to a machine running sendmail may be able to acquire information about user accounts on that system. As discussed earlier in this briefing, after getting this information, the hacker may be able to do some dreadful things indeed.

You might be asking how a malicious user could get this account information. The answer is through the use of special SMTP commands. These SMTP commands allow for the distribution of certain user account data to anyone who knows how to request it. Basically, the hacker has to do nothing more than connect to a remote system and simply ask for the account data. The example below shows the steps a hacker would take to get this account data:

telnet <hostname> 25
220 <hostname> ESMTP Sendmail 8.8.7/8.8.7; Tues 27 Apr 1999 11:11:20 -0400
EXPN root
250 root <root@hostname>
EXPN guest
250 guest <guest@hostname>
EXPN lpr
250 lpr <lpr@hostname>
QUIT

Before we continue our discussion, let us examine exactly what is happening in the example above. First, the hacker connects to port 25 on the remote system running sendmail. Port 25 is the default port on which SMTP runs (remember that sendmail and SMTP work in conjunction to process email messages). After connection, the hacker will get back a line of text. Contained in this text will be the version number of the sendmail program running on the remote system, as well as the current date and time. At this point, the malicious user may start requesting user account information using special SMTP commands. In the above example, the hacker uses the EXPN command, followed by an account name common to most systems (at this point, the hacker is engaging in educated guesswork). If that account is indeed on the remote system, information will be returned about that account. Another command that could be used for this purpose is the VRFY command. In the above example, the hacker guessed, correctly as it turns out, that the root, guest, lpr would exist on the system.

The malicious user now knows that a guest account exists on the system (this is a default account included, and left, on most systems.) Also, there seems to be a printer account, an account used by the printer to talk to the server, which could be used to access the system (this is the lpr account in the above example). Armed with this information, the malicious user can now begin his or her break-in attempts in earnest (using such tools as telnet, ssh or FTP). As such, it is always a good idea to disable the EXPN and VRFY commands (another good reason is that version 8.6.10, and earlier versions, built with sendmail version 5.x as their base are susceptible to buffer overflow attacks).

Resolution

To eliminate the vulnerability discussed above, we will want to disable disable the EXPN and VRFY commands (as discussed above). To do so, you will need to modify the sendmail configuration file (sendmail.cf). The example below shows how to do this:

#privacy flags
O PrivacyOptions=authwarnings
O PrivacyOptions=noexpn
O PrivacyOptions=novrfy

the "noexp" text in the above example disables the EXPN command, while the "novrfy" text will disable the VRFY command.

Where can I read more about this?

Email Protocols gives a look at all the different protocols including sendmail. Connected: An Internet Encyclopedia
also has some information on the EXPN & VRFY commands.