Bugtraq mailing list archives
Sendmail 8.8.x/8.9.x bugware
From: lcamtuf () IDS PL (Michal Zalewski)
Date: Sat, 12 Dec 1998 02:22:10 +0100
Bottoms up! Two bugs (and fixes) - Sendmail 8.8.x/8.9.x.

1. Redirection attack

Due to a strange address parsing policy [briefly: if the address ends with the local hostname, trim it and parse the rest as any other address, even if after this operation the address isn't 'local' anymore], specific message routing (e.g. through internal, protected or external networks) can be forced, giving an occasion to perform anonymous scanning (or fakemailing). You could call it a 'feature' instead of a 'bug', but it seems to be Sendmail-specific ;>

Simple fix - in /etc/sendmail.cf, at the top of ruleset 98, insert the following line:

R$*@$*@$* $#error $@ 5.7.1 $: "551 Sorry, no redirections."

2. 'Headers prescan' DoS

There are possible DoS attacks due to an ineffective headers prescan algorithm. Two or three medium-size (200 kb) mail messages may render the system unusable for quite a long period of time (as headers are parsed at least twice, on message collection and in the queue). Exploit sold separately :-)

Simple patch for the Sendmail 8.8.x source tree:

--- collect.c.orig Thu Dec 10 18:38:51 1998 +++ collect.c Thu Dec 10 18:53:02 1998 @@ -32,6 +32,8 @@ * SUCH DAMAGE. */ +#define MAXHDRZ 512 + #ifndef lint static char sccsid[] = "@(#)collect.c 8.72 (Berkeley) 10/6/97"; #endif /* not lint */ @@ -87,6 +89,7 @@ HDR **hdrp; register ENVELOPE *e; { + int hdrz=0; register FILE *volatile tf; volatile bool ignrdot = smtpmode ? FALSE : IgnrDot; volatile time_t dbto = smtpmode ? TimeOuts.to_datablock : 0;
@@ -355,6 +358,17 @@ mstate = MS_BODY; goto nextstate; } + + if (hdrz++>MAXHDRZ) + { + sm_syslog(LOG_NOTICE, e->e_id, + "excessive headers from %s during message collect", + CurHostName ? CurHostName : "<local machine>"); + errno = 0; + usrerr("451 Stop this. You are lame."); + goto readerr; + } + /* check for possible continuation line */ do _______________________________________________________________________ Michal Zalewski [lcamtuf () ids pl] [ENSI / marchew] [dione.ids.pl SYSADM] [http://linux.lepszy.od.kobiety.pl/~lcamtuf/] <=--=> bash$ :(){ :|:&};: [voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813] Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]
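Review bot: `#define MAXHDRZ 512` in the first hunk (the `@@ -32,6 +32,8 @@` hunk) needs a comment stating what the unit is and why 512 was chosen: the name suggests a size, but the counter it bounds (`hdrz++` in the collect loop) is incremented once per header line, while the advisory measures the attack in kilobytes (200 kb messages), so a reader cannot tell from the define whether long individual header lines are covered. It is also a hard-coded limit dropped into collect.c ahead of the `#ifndef lint` block rather than placed with sendmail's other compile-time limits, so a site cannot tune it without editing this file; at minimum add `/* max. header lines accepted per message */` next to it.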
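Review bot: `int hdrz=0;` in the second hunk (`@@ -87,6 +89,7 @@`) should be `volatile int hdrz = 0;`. Every neighbouring local in that hunk is volatile (`register FILE *volatile tf;`, `volatile bool ignrdot`, `volatile time_t dbto`), which marks this function as one that returns through setjmp/longjmp on a timeout; an automatic variable that is not volatile and is modified after the setjmp has an indeterminate value once longjmp returns, so the counter can read back stale after a data-block timeout. The spacing `hdrz = 0` also matches the surrounding declarations.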
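Review bot: `if (hdrz++>MAXHDRZ)` in the third hunk (`@@ -355,6 +358,17 @@`) admits MAXHDRZ+1 lines before rejecting, because the post-increment compares the old value; use `++hdrz > MAXHDRZ` or `hdrz++ >= MAXHDRZ` if 512 is meant to be the ceiling. The check is placed before the `/* check for possible continuation line */` block, so folded continuation lines are counted as separate headers; either move it after continuation lines are joined or document that this is a physical-line limit. The reply `usrerr("451 Stop this. You are lame.");` is a temporary failure, so a sending MTA will queue the message and retry the same flood later; a permanent code (the first fix in this post already uses `551` with `5.7.1`) stops the retries, and the text should state the reason ("too many header lines") rather than insult the client.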
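The address handling described under "1. Redirection attack", as an added example that is not part of the post and not sendmail source: it models the trim-then-reparse policy the post describes, shows where the remainder would be routed, and applies the proposed R$*@$*@$* rule in front of it. The local hostname "mailhost.example" and the probe addresses are constructed; applying the rule to the raw envelope address is an assumption about where the post's ruleset 98 rule sees it.

```c
/*
 * Added example (not from the post and not sendmail source): a model of
 * the address-parsing policy described under "1. Redirection attack" and
 * of the R$*@$*@$* rule proposed as a fix.  The local hostname
 * "mailhost.example" and the addresses are constructed for the example;
 * applying the rule to the raw envelope address is an assumption about
 * where the post's ruleset 98 rule sees it.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define ADDR_MAX 256

enum route { ROUTE_REFUSED = 0, ROUTE_LOCAL = 1, ROUTE_REMOTE = 2 };

/* Case-insensitive equality for hostnames (domain names are not case
 * sensitive), written out to stay within C99. */
static int host_equal(const char *a, const char *b)
{
    while (*a != '\0' && *b != '\0') {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* The policy the post describes: if the address ends with
 * "@<local hostname>", drop that suffix and hand the rest back to the
 * ordinary parser.  Copies the (possibly trimmed) address into out and
 * returns 1 if a suffix was removed, 0 otherwise. */
static int trim_local_suffix(const char *addr, const char *localhost,
                             char *out, size_t outsz)
{
    size_t alen = strlen(addr), hlen = strlen(localhost);

    if (alen > hlen + 1 && addr[alen - hlen - 1] == '@'
        && host_equal(addr + alen - hlen, localhost)) {
        size_t keep = alen - hlen - 1;
        if (keep >= outsz)
            keep = outsz - 1;
        memcpy(out, addr, keep);
        out[keep] = '\0';
        return 1;
    }
    snprintf(out, outsz, "%s", addr);
    return 0;
}

/* The post's fix, R$*@$*@$* -> $#error: refuse any address that still
 * carries two '@' signs instead of routing it. */
static int is_redirection(const char *addr)
{
    const char *first = strchr(addr, '@');
    return first != NULL && strchr(first + 1, '@') != NULL;
}

/* Routing as the post describes it: trim, then deliver wherever the
 * remainder points (text after the last '@', or locally if none). */
static enum route route_old(const char *addr, const char *localhost)
{
    char rest[ADDR_MAX];
    const char *at;

    trim_local_suffix(addr, localhost, rest, sizeof rest);
    at = strrchr(rest, '@');
    if (at == NULL || host_equal(at + 1, localhost))
        return ROUTE_LOCAL;
    return ROUTE_REMOTE;
}

/* Same, with the rejection rule in front. */
static enum route route_fixed(const char *addr, const char *localhost)
{
    if (is_redirection(addr))
        return ROUTE_REFUSED;
    return route_old(addr, localhost);
}

int main(void)
{
    static const char *const probes[] = {
        "alice@mailhost.example",                /* plain local delivery */
        "alice@victim.example@mailhost.example", /* redirection: trims to a remote address */
        "bob@other.example",                     /* ordinary outbound mail, unaffected */
    };
    static const char *const names[] = { "refused", "local", "remote" };
    size_t i;

    for (i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-40s old=%-7s fixed=%s\n", probes[i],
               names[route_old(probes[i], "mailhost.example")],
               names[route_fixed(probes[i], "mailhost.example")]);
    return 0;
}
```

The middle probe is the case the post is about: once "@mailhost.example" is trimmed, "alice@victim.example" is routed to victim.example through the local host, while the two-'@' rule refuses it before routing and leaves ordinary single-'@' addresses alone.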
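A header-section line counter of the kind the collect.c patch under "2. 'Headers prescan' DoS" adds, as an added example that is not the post's patch and not sendmail source, written so it runs stand-alone over a message buffer. It keeps the post's MAXHDRZ constant; the sample message and the X-Pad-* flood generator are constructed for the example, and the decision to count folded continuation lines against the line limit but not the field count is this example's own.

```c
/*
 * Added example (not from the post and not sendmail source): a header
 * line counter in the spirit of the collect.c patch under
 * "2. 'Headers prescan' DoS", written to run stand-alone over a message
 * buffer.  MAXHDRZ is the post's constant; the sample message and the
 * flood generator are constructed for this example.
 */
#include <stdio.h>
#include <string.h>

#define MAXHDRZ 512   /* max. physical header lines accepted per message */

enum hdr_result { HDR_OK = 0, HDR_TOO_MANY = 1 };

struct hdr_stats {
    unsigned long lines;    /* physical header lines accepted */
    unsigned long fields;   /* header fields; folded continuations do not count */
    unsigned long bytes;    /* header bytes accepted, line endings included */
    enum hdr_result result;
};

/* A small message with one folded header, constructed for the example. */
static const char SAMPLE_MSG[] =
    "Received: from a\r\n"
    "\tby b\r\n"
    "Subject: hi\r\n"
    "\r\n"
    "body\r\n";

/* Walks msg line by line up to the blank line that ends the header
 * section.  Unlike the patch's hdrz++ > MAXHDRZ, the limit is compared
 * before counting, so exactly max_lines lines are admitted, and a line
 * starting with SP or HTAB is counted as a continuation of the previous
 * field rather than as a new one. */
static struct hdr_stats scan_headers(const char *msg, unsigned long max_lines)
{
    struct hdr_stats st = { 0, 0, 0, HDR_OK };
    const char *p = msg;

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl != NULL ? (size_t)(nl - p) + 1 : strlen(p);

        /* an empty line (LF or CRLF on its own) ends the headers */
        if ((len == 1 && p[0] == '\n')
            || (len == 2 && p[0] == '\r' && p[1] == '\n'))
            break;
        if (st.lines >= max_lines) {
            st.result = HDR_TOO_MANY;   /* caller refuses the message here */
            break;
        }
        st.lines++;
        st.bytes += len;
        if (p[0] != ' ' && p[0] != '\t')
            st.fields++;
        p += len;
    }
    return st;
}

/* Builds a message whose header section is n one-line X-Pad-* fields,
 * standing in for the oversized messages the post describes. */
static char g_flood[64 * 1024];

static const char *make_header_flood(unsigned long n)
{
    size_t used = 0;
    unsigned long i;

    for (i = 0; i < n && used + 40 < sizeof g_flood; i++)
        used += (size_t)snprintf(g_flood + used, sizeof g_flood - used,
                                 "X-Pad-%lu: x\r\n", i);
    snprintf(g_flood + used, sizeof g_flood - used, "\r\nbody\r\n");
    return g_flood;
}

int main(void)
{
    struct hdr_stats st = scan_headers(SAMPLE_MSG, MAXHDRZ);

    printf("sample: %lu lines, %lu fields, %lu bytes, %s\n",
           st.lines, st.fields, st.bytes,
           st.result == HDR_OK ? "ok" : "too many");
    st = scan_headers(make_header_flood(600), MAXHDRZ);
    printf("flood:  %lu lines accepted, %s\n", st.lines,
           st.result == HDR_OK ? "ok" : "too many");
    return 0;
}
```

Because the limit is on physical lines, a message built from a few very long header lines passes this check while still carrying a large header section; if the prescan cost the post describes scales with bytes rather than lines, the bytes counter in hdr_stats is the value to bound as well.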
Current thread:
- Sendmail 8.8.x/8.9.x bugware Michal Zalewski (Dec 11)
- Re: Sendmail 8.8.x/8.9.x bugware Alan Brown (Jan 16)
- Re: Sendmail 8.8.x/8.9.x bugware Michal Zalewski (Dec 12)
- Re: Sendmail 8.8.x/8.9.x bugware Frank Louwers (Jan 18)
- Michal's report and sendmail-8.9.2 GvS (Jan 18)
- Re: Sendmail 8.8.x/8.9.x bugware Michal Zalewski (Dec 12)
- Re: Sendmail 8.8.x/8.9.x bugware Jens Hoffmann (Jan 16)
- Re: Sendmail 8.8.x/8.9.x bugware Alan Brown (Jan 17)
- Re: Sendmail 8.8.x/8.9.x bugware John Mizzi (Jan 17)