> toon @
> >Some1 told me that 'I have to filter out VERIFY and EXPAND when letting
> >mail through my firewall'. Can some1 explain me what this means?
> >BACKGROUND: The vulnerability is exploited through the use of the SMTP
> >"EXPN" and "VRFY" commands offered by all versions of "sendmail." A
> >buffer-overrun problem is present in the implementation of these
> >commands that allows the executable code of the "sendmail" process to
> >be overwritten. This executable code can do anything the author
> >wants, and is run with super-user permissions.
> This can be fixed by patching the sendmail binary; the CIAC bulletin
> has directions on how to do this. Alternatively, use an appropriate
> (8.6.10 or later) version of sendmail.
Until the next time they add some creeping featurism that
is implemented sloppily so you can overrun a buffer. Hmm.. that can't
happen that often with sendmail can it? ;-)
Seriously though, the point is that VRFY and EXPAND can be used
by an attacker to get potentially useful information. Run a
store-forward proxy like smtpd/smtpfwdd or smapd/smap upstream of your
"real" sendmail/Big-Honking-MTA-of-The-Week. Then you have much less
concern about either problem.
Bob Beck Obtuse Systems Corporation
True Evil hides its real intentions in its street address. Search and you
shall find it, and the truth shall set you free.
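
An added example, not part of the original message and not code from smapd/smap or smtpd/smtpfwdd: a sketch of the command screening a front end placed upstream of sendmail can apply, bounding line length before any parsing and answering VRFY/EXPN locally. The function names, allow-list and reply texts are assumptions chosen for illustration.

```python
# Added illustration; names, allow-list and reply texts are assumptions.
MAX_LINE = 512  # RFC 5321 command-line limit in octets, CRLF included

# Verbs the front end handles itself; nothing else is ever parsed further.
ALLOWED = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
# Address-probing verbs, refused without any user or alias lookup.
PROBES = {"VRFY", "EXPN"}


def screen_command(raw: bytes):
    """Return (action, reply) for one raw SMTP command line.

    action is 'accept' (front end goes on to handle the verb) or
    'reject' (reply is sent and the line is discarded).
    """
    # Length is checked first, so oversized input is never copied or split.
    if len(raw) > MAX_LINE:
        return "reject", "500 Line too long"
    if not raw.endswith(b"\r\n"):
        return "reject", "500 Syntax error"
    line = raw[:-2]
    # Only printable ASCII is allowed in a command line.
    if any(b < 0x20 or b > 0x7E for b in line):
        return "reject", "500 Syntax error"
    verb = line.split(b" ", 1)[0].decode("ascii").upper()
    if verb in PROBES:
        return "reject", "502 Command not implemented"
    if verb not in ALLOWED:
        return "reject", "500 Command unrecognized"
    return "accept", None


def screen_session(lines):
    """Screen a list of raw lines; return the (action, reply) for each."""
    return [screen_command(raw) for raw in lines]


# Constructed sample session, including an oversized VRFY argument.
SAMPLE = [
    b"HELO client.example.org\r\n",
    b"VRFY root\r\n",
    b"expn staff\r\n",
    b"VRFY " + b"A" * 2000 + b"\r\n",
    b"MAIL FROM:<user@example.org>\r\n",
]

if __name__ == "__main__":
    for raw, result in zip(SAMPLE, screen_session(SAMPLE)):
        print(raw[:40], "->", result)
```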