Sendmail Information
CAN-1999-0531
Impact
By exploiting the sendmail vulnerability, a malicious user may be able to gather information, such as user names, about user accounts located on the system on which sendmail resides. Using this information, it would then be a relatively simple task for the malicious user to gain access to the system. If the user is able to gain access to the system through an administrative (or root) account, the results could be catastrophic indeed. The malicious user, or hacker, could decide to overwrite important system files, delete file systems altogether or use the compromised system as a base from which to compromise other systems on the network. A secondary issue is that the hacker may also be able to access any mailing lists used by sendmail. This means, of course, that the hacker would have the email addresses of any person found on these mailing lists.
Background
Sendmail, first released circa 1983, is a mail router program, and was designed to route email between peers on a network and also to route mail between networks. Note that sendmail is a routing program, and not an application that an ordinary user would use to format and send messages. Instead, sendmail accepts formatted messages from an email program (such as Outlook Express, Eudora or Pegasus), and then sends them to the appropriate recipients. The message is sent using the Simple Mail Transfer Protocol (SMTP), which was designed to be a reliable and effective transport for mail messages.
The Problem
While sendmail and the SMTP protocol have proven very useful in everyday life, they have presented us with a security problem. A malicious user able to connect to a machine running sendmail may be able to acquire information about user accounts on that system. As discussed earlier in this briefing, after getting this information, the hacker may be able to do some dreadful things indeed.
You might be asking how a malicious user could get this account information. The answer is through the use of special SMTP commands. These SMTP commands allow for the distribution of certain user account data to anyone who knows how to request it. Basically, the hacker has to do nothing more than connect to a remote system and simply ask for the account data. The example below shows the steps a hacker would take to get this account data:
telnet <hostname> 25
220 <hostname> ESMTP Sendmail 8.8.7/8.8.7; Tues 27 Apr 1999 11:11:20 -0400
EXPN root
250 root <root@hostname>
EXPN guest
250 guest <guest@hostname>
EXPN lpr
250 lpr <lpr@hostname>
QUIT
Before we continue our discussion, let us examine exactly what is happening in the example above. First, the hacker connects to port 25 on the remote system running sendmail. Port 25 is the default port on which SMTP runs (remember that sendmail and SMTP work in conjunction to process email messages). After connecting, the hacker will get back a line of text. Contained in this text will be the version number of the sendmail program running on the remote system, as well as the current date and time.
At this point, the malicious user may start requesting user account information using special SMTP commands. In the above example, the hacker uses the EXPN command, followed by an account name common to most systems (at this point, the hacker is engaging in educated guesswork). If that account is indeed on the remote system, information will be returned about that account. Another command that could be used for this purpose is the VRFY command. In the above example, the hacker guessed, correctly as it turns out, that the root, guest and lpr accounts would exist on the system.
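The exchange described above, turned into a check an administrator can run against their own server to confirm whether EXPN and VRFY still confirm account names (added example, not part of the original briefing). The scripted connection, the account list and the exact reply wording of the "hardened" server are constructed for this example; probe_expn_vrfy also works with a real socket, which has the same sendall/recv interface.

```python
class ScriptedConn:
    """Socket stand-in (constructed for this example): answers come from a reply function."""
    def __init__(self, reply_fn):
        # Greeting modelled on the banner in the briefing's transcript.
        self.buf = b"220 hostname ESMTP Sendmail 8.8.7/8.8.7; Tue, 27 Apr 1999 11:11:20 -0400\r\n"
        self.reply_fn = reply_fn
    def sendall(self, data):
        parts = data.decode().split(None, 1)
        verb, arg = parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")
        self.buf += self.reply_fn(verb, arg).encode()
    def recv(self, n):
        out, self.buf = self.buf[:n], self.buf[n:]
        return out
KNOWN = {"root", "guest", "lpr"}  # constructed account list for the fake host
def vulnerable_server(verb, arg):
    """Default behaviour: EXPN/VRFY confirm (250) or deny (550) that an account exists."""
    if verb in ("EXPN", "VRFY"):
        return (f"250 {arg} <{arg}@hostname>\r\n" if arg in KNOWN
                else f"550 5.1.1 {arg}... User unknown\r\n")
    return "221 2.0.0 hostname closing connection\r\n"
def hardened_server(verb, arg):
    """Replies sendmail gives once noexpn/novrfy are set (wording assumed, from memory)."""
    if verb == "EXPN":
        return "502 5.7.0 Sorry, we do not allow this operation\r\n"
    if verb == "VRFY":
        return "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery\r\n"
    return "221 2.0.0 hostname closing connection\r\n"
def read_reply(conn):
    """Read one SMTP reply, honouring 'NNN-' continuation lines (RFC 821)."""
    data = b""
    while not data.endswith(b"\r\n") or data.splitlines()[-1][3:4] == b"-":
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed mid-reply")
        data += chunk
    return int(data.splitlines()[-1][:3]), data.decode(errors="replace")
def probe_expn_vrfy(conn, users):
    """Return {verb: [accounts confirmed with 250]}; empty lists mean the fix is in place."""
    read_reply(conn)  # greeting: version number and date, as the briefing points out
    confirmed = {"EXPN": [], "VRFY": []}
    for verb in confirmed:
        for user in users:
            conn.sendall(f"{verb} {user}\r\n".encode())
            code, _ = read_reply(conn)
            if code == 250:
                confirmed[verb].append(user)
    conn.sendall(b"QUIT\r\n")
    return confirmed
```

A 550 for an unknown name still tells the caller the command is enabled, so the check treats only the 502/252 replies of the hardened server as a sign that the privacy options took effect.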
The malicious user now knows that a guest account exists on the system (a default account that is included, and often left in place, on most systems). Also, there seems to be a printer account, an account used by the printer to talk to the server, which could be used to access the system (this is the lpr account in the above example). Armed with this information, the malicious user can now begin his or her break-in attempts in earnest (using such tools as telnet, ssh or FTP). As such, it is always a good idea to disable the EXPN and VRFY commands (another good reason is that version 8.6.10, and earlier versions, built with sendmail version 5.x as their base are susceptible to buffer overflow attacks).
Resolution
To eliminate the vulnerability discussed above, we will want to disable the EXPN and VRFY commands (as discussed above). To do so, you will need to modify the sendmail configuration file (sendmail.cf). The example below shows how to do this:
#privacy flags
O PrivacyOptions=authwarnings
O PrivacyOptions=noexpn
O PrivacyOptions=novrfy
The "noexpn" text in the above example disables the EXPN command, while the "novrfy" text disables the VRFY command.
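A small audit of the sendmail.cf privacy options described above, added here as an example and not part of the original briefing. The two configuration fragments are constructed; the script assumes that flags from several O PrivacyOptions lines accumulate (sendmail ORs each list into one flag word) and that the goaway flag implies noexpn and novrfy.

```python
import re
# Constructed sendmail.cf fragments: the briefing's fix, and a file that only
# sets authwarnings and so still answers EXPN and VRFY.
FIXED_CF = """#privacy flags
O PrivacyOptions=authwarnings
O PrivacyOptions=noexpn
O PrivacyOptions=novrfy
"""
WEAK_CF = "O PrivacyOptions=authwarnings\n"
# 'goaway' is sendmail's umbrella privacy flag; it implies the restrictive
# options, noexpn and novrfy among them.
IMPLIED_BY = {"goaway": {"noexpn", "novrfy"}}
def privacy_flags(cf_text):
    """Collect PrivacyOptions flags from every 'O PrivacyOptions=' line.
    Assumes flags accumulate across lines and accepts the comma-separated
    form (O PrivacyOptions=authwarnings,noexpn,novrfy) as well."""
    flags = set()
    for line in cf_text.splitlines():
        m = re.match(r"O\s*PrivacyOptions\s*=\s*(.*)", line.strip(), re.IGNORECASE)
        if not m:
            continue
        for flag in m.group(1).split(","):
            flag = flag.strip().lower()
            if flag:
                flags.add(flag)
                flags |= IMPLIED_BY.get(flag, set())
    return flags
def missing_protections(cf_text):
    """Return whichever of noexpn/novrfy the configuration fails to set."""
    return {"noexpn", "novrfy"} - privacy_flags(cf_text)
```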
Where can I read more about this?
Email Protocols gives a look at all the different protocols, including sendmail. Connected: An Internet Encyclopedia also has some information on the EXPN and VRFY commands.