Bugtraq mailing list archives

Re: [8lgm]-Advisory-17.UNIX.sendmail


From: Mark.Graff () Eng Sun COM ( Mark Graff )
Date: Thu, 1 Jun 1995 18:00:13 -0700


Andy,

As the person at Sun who is primarily responsible for handling security
bugs, I got several copies of your message today. In a private e-mail
exchange tomorrow I will explain what progress we have made on the bug
you reported.

I am not going to debate your other points here. I don't think most
readers would be interested in my opinion (or my problems). That's not
what this list is for. I did feel I had to make some public response.

You are the customer; and you are right, I think, to expect the best
from us. I am sorry if you have been disappointed. I will try harder.

-mg-

      /\         
     \\ \        Mark G. Graff
    \ \\ /       Sun Security Coordinator
   / \/ / /      MS MPK3
  / /   \//\     2550 Garcia Avenue
  \//\   / /     Mountain View, CA 94043-1100
   / / /\ /      Phone: 415-688-9151
    / \\ \       Email: mark.graff () Sun COM
     \ \\               security-alert () sun com
      \/
 


 From owner-bugtraq () fc net  Thu Jun  1 10:12:42 1995
 Date: Thu, 1 Jun 95 17:07:43 BST
 To: security-alert () Sun COM
 Subject: [8lgm]-Advisory-17.UNIX.sendmail and Sun's lack of urgency
 Cc: Kimberley.Brown () sun co uk, 8lgm () 8lgm org, bugtraq () fc net, cert () cert org,
         karl () bagpuss demon co uk
 Precedence: queue
 
 Hi there SUN,
 IS THERE ANYONE IN ???
 
 Please find below a copy of the [8lgm]-Advisory-17.UNIX.sendmailV5-2-May-1995
 of 17/18 May. 
 
 I opened call no 5094255 (UK) on 18th May. My engineer is Kimberley
 Brown. Sun bug no 1026859. I also contacted Karl Strickland at [8lgm]. 
 His reply is appended. The exploit script/info was sent to CERT and 
 passed to Sun before May 20th.
 
 I'm told that someone unnamed in Sun's security dept. is sitting on the exploit 
 script for this bug and refusing to pass it to the engineer who is responsible 
 for sendmail.
 
 This just is not good enough. I want an explanation of why it takes you weeks
 to get started on this one.
 
 I hope [8lgm] will now see that giving people like you (Sun) time to get a fix 
 together is a waste of time and effort. The only thing that will light a 
 fire under your asses is to publish the exploit script without a grace period.
 
 I feel that Sun is not fulfilling its support contract with us and I mean to 
 find out why.
 
 Andy Cowley

 ----- Begin Included Message -----
 
 < header deleted .... >
 
 This advisory has been sent to:
 
         comp.security.unix
         CERT/CC                 <cert () cert org>
 
 ===========================================================================
                 [8lgm]-Advisory-17.UNIX.sendmailV5-2-May-1995
 
 
 PROGRAM:
 
         sendmail(8)        (Version 5.*)
 
 KNOWN VULNERABLE VERSIONS:
 
         SunOS 4.1.* up to and including patch 100377-19
         Sendmail V5.*
         IDA Sendmail V5.*
         (Likely that any sendmail based on V5 is also vulnerable).

 DESCRIPTION:
 
        A flaw exists in versions of sendmail based on V5, which allows
        users to run programs and/or append to files remotely.
 
        The user does not require an account on that system.
 
 IMPACT:
 
         Systems running V5 based sendmail are exploitable remotely.
 
 REPEAT BY:
 
        At this time, exploit details are not available.  Exploit
        details will be provided on the 8lgm fileserver, at some
        point in the future.
 
 DISCUSSION:
 
        Details have been provided to ecd () cert org, in order to speed
        up availability of exploit information to vulnerable vendors.
 
 WORKAROUND & FIX:
 
        1) Install V8 sendmail.
 
        2) Obtain patch from vendor.
 
 FEEDBACK AND CONTACT INFORMATION:
 
         majordomo () 8lgm org        (Mailing list requests - try 'help'
                                   for details)
 
         8lgm () 8lgm org                 (Everything else)
 
 8LGM FILESERVER:
 
        All [8LGM] advisories may be obtained via the [8LGM] fileserver.
        For details, 'echo help | mail 8lgm-fileserver () 8lgm org'
 ===========================================================================
 
 
 ----- End Included Message -----
 
 Karl Strickland (karl () bagpuss demon co uk) wrote on May 20th:
 
 
 The exploit details have been sent to CERT who are dealing entirely
 with the affected vendors, including SUN.  CERT have better contacts
 with more vendors than we do and are able to spend more time dealing
 with them than we are.  SUN should have had exploit details passed to
 it from CERT by now.
 