Mark Loveless, aka Simple Nomad, is a researcher and hacker. He frequently speaks at security conferences around the globe, gets quoted in the press, and has a somewhat odd perspective on security in general.

Researcher's Plight: Sendmail

Photo by Kevin Ku on Unsplash

As a security researcher, one sometimes runs into difficult issues. In this recent blog post, I referenced Sendmail and the comment about me finding the last remote heap overflow (that I know of) prompted a couple of questions, so I thought I'd throw this out there.

The Bug

It was 2004, and I (quite by accident) found a problem in Sendmail. I used Sendmail for my main domain (nmrc.org), and for whatever reason I was creating large “X-” header values and seeing what would happen. Actually, I did this with all of the headers I could think of, but only the “X-” headers seemed to do anything.

Nonetheless, I found something and started getting somewhat predictable crashes. The crashes looked really good. At the same time, I was in the process of experimenting with various IDS/IPS stuff for the home network, and my employer at the time wasn’t too interested in my bug, so I figured I’d at least report it and maybe write up an advisory if I got time.

I had contacted the Sendmail people with a bug report and said it looked like a heap overflow. They agreed, and we all thought exploitation was pretty hard to pull off in this instance, but possible. The fix went in with Sendmail 8.13.2, which was released in December of 2004. I decided not to release anything on it; Sendmail gave me a credit in the release notes that was somewhat vague, I deemed it done, and I never wrote an advisory.

The Controversy

Fast forward to 2009, and I had a blog post on nmrc.org (blog long gone) where I talked about unreported or under-reported bugs, and I mentioned the Sendmail thing. No big deal. (A copy of the old blog post is now here. -ML)

Well, good old Red Hat had a fit over it. Apparently they had never patched, and so all of a sudden there was a remote heap overflow on their platform which had been there for five years. Then they disputed it and said I made it up because they could not reproduce it. The Red Hat complaint did a few things: it drew a ton of attention to the issue, which got it a CVE assigned; Security Focus did some of their own research and had it on their website; and a bunch of people argued about it.

What Happened?

Why couldn’t Red Hat reproduce it? For the same reason I could not reproduce it five years later - advances in ASLR (PaX for example was released for Linux in 2005), improved libraries, and other security improvements outside of Sendmail that were a part of the underlying OS.

Why wasn’t Red Hat patched up to begin with? Well, at that time they would not just replace an existing package with a new one; they would examine a new package and apply the patches by hand to an older version. Sometimes they would not apply every patch, either through neglect or because they deemed them not needed.

But Now…

When people ask me why I prefer Ubuntu to other distributions including Red Hat, it does come down to security. This was not the first time this had happened with a vulnerability with Red Hat. When I worked at MITRE, I actually worked on the CVE project for a short while, and a few of us did an informal assessment of how fast each Linux distribution got a patch out. Ubuntu beat everyone hands down, and that works for me.

This is just a flavor of a single bug that I had researched, waited five damn years before I said anything, and I still managed to piss someone off. But I’ll continue to try to do good.
