Bugtraq mailing list archives

Sendmail 8.8.x/8.9.x bugware

From: lcamtuf () IDS PL (Michal Zalewski)
Date: Sat, 12 Dec 1998 02:22:10 +0100


Bottoms up! Two bugs (and fixes) - Sendmail 8.8.x/8.9.x.

1. Redirection attack

Due to strange address parsing policy [briefly: if address ends with local
hostname, trim it and parse as any other (even if after this operation
address isn't 'local' anymore], specific message routing (eg. through
internal, protected or external networks) can be forced, giving an
occasion to perform anonymous scanning (or fakemailing). You could call it
'feature' instead of 'bug', but it seems to be Sendmail-specific ;>

Simple fix - in /etc/sendmail.cf, at the top of ruleset 98, insert
following line:

R$*@$*@$*       $#error $@ 5.7.1 $: "551 Sorry, no redirections."

2. 'Headers prescan' DoS

There are possible DoS attacks due to ineffective headers prescan
algorithm. Two or three medium-size (200 kb) mail messages may render
system unusable for quite long period of time (as headers are parsed at
least twice, on message collection and in queue). Exploit sold separately
:-)

Simple patch for Sendmail 8.8.x source tree:

--- collect.c.orig      Thu Dec 10 18:38:51 1998
+++ collect.c   Thu Dec 10 18:53:02 1998
@@ -32,6 +32,8 @@
  * SUCH DAMAGE.
  */

+#define MAXHDRZ 512
+
 #ifndef lint
 static char sccsid[] = "@(#)collect.c  8.72 (Berkeley) 10/6/97";
 #endif /* not lint */
@@ -87,6 +89,7 @@
        HDR **hdrp;
        register ENVELOPE *e;
 {
+       int hdrz=0;
        register FILE *volatile tf;
        volatile bool ignrdot = smtpmode ? FALSE : IgnrDot;
        volatile time_t dbto = smtpmode ? TimeOuts.to_datablock : 0;
@@ -355,6 +358,17 @@
                                mstate = MS_BODY;
                                goto nextstate;
                        }
+
+                       if (hdrz++>MAXHDRZ)
+                       {
+                          sm_syslog(LOG_NOTICE, e->e_id,
+                                    "excessive headers from %s during message collect",
+                                    CurHostName ? CurHostName : "<local machine>");
+                          errno = 0;
+                          usrerr("451 Stop this. You are lame.");
+                          goto readerr;
+                       }
+

                        /* check for possible continuation line */
                        do

_______________________________________________________________________
Michal Zalewski [lcamtuf () ids pl] [ENSI / marchew] [dione.ids.pl SYSADM]
[http://linux.lepszy.od.kobiety.pl/~lcamtuf/] <=--=> bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]

Current thread:

Sendmail 8.8.x/8.9.x bugware Michal Zalewski (Dec 11)
- Re: Sendmail 8.8.x/8.9.x bugware Alan Brown (Jan 16)
  - Re: Sendmail 8.8.x/8.9.x bugware Michal Zalewski (Dec 12)
    - Re: Sendmail 8.8.x/8.9.x bugware Frank Louwers (Jan 18)
    - Win95/98 SMB Authentication Vulnerability (fwd) tschweik () FIDUCIA DE (Jan 18)
  - [SECURITY] ftpwatch package has major security problems Jamie Fifield (Jan 17)
  - Michal's report and sendmail-8.9.2 GvS (Jan 18)
- Re: Sendmail 8.8.x/8.9.x bugware Jens Hoffmann (Jan 16)
  - Re: Sendmail 8.8.x/8.9.x bugware Alan Brown (Jan 17)
- Re: Sendmail 8.8.x/8.9.x bugware John Mizzi (Jan 17)
  - Personal web server kiborg (Jan 17)

(Thread continues...)