Bugtraq mailing list archives
Re: Sendmail 8.8.x/8.9.x bugware
From: stevev () HEXADECIMAL UOREGON EDU (Steve VanDevender)
Date: Tue, 19 Jan 1999 14:02:12 -0800
Michal Zalewski writes:
> On Mon, 18 Jan 1999, Olaf Seibert wrote:
> > 550 <rhialto () hacker some place else@victim.some.where>... Relaying denied
>
> As you noticed, relaying is denied in your configuration ;P This attack is possible if relaying is enabled, and it allows multiple redirections through protected or external networks, which shouldn't be allowed. For clearance - this problem IS PRESENT FOR SURE in 8.9.2, as well as DoS attack described in previous mail... If Sendmail developers don't believe me, I can post an exploit here, but it isn't really necessary, imho....

If you configure unrestricted relaying in sendmail 8.9, then you've done something stupid anyway (and overridden the default behavior). You claim that this will fix the problem:

> Simple fix - in /etc/sendmail.cf, at the top of ruleset 98, insert following line:
>
> R$*@$*@$* $#error $@ 5.7.1 $: "551 Sorry, no redirections."

Unfortunately RFC 822 (and its followups) specify two kinds of problematic accepted address formats:

user%host@relay
@relay:user@host

which both indicate that mail to user@host should be redirected through relay (which may actually be a sequence of relays, i.e. user%host%relay2@relay1 or @relay1,relay2:user@host). Your "fix" would break at least the second format.

In any case, I can't perform the redirection that you claim is possible in sendmail 8.9.2 configured with FEATURE(access_db); I get the expected "550 Relaying denied" in a RCPT containing two '@'s where the relaying would be through a domain not permitted in the access file. Are you claiming this is possible in 8.9.2's default configuration (which still limits relaying)?
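
An added illustration, not part of the message above and not sendmail code: a small Python model of the two routed address forms it names, listing the relays each form asks the mail to traverse and whether a bare two-'@' test would reject it. That test is an assumed, simplified stand-in for the quoted `R$*@$*@$*` rule; the host names are constructed and the parser covers only these forms of RFC 822 addressing.

```python
def two_at_rule_rejects(addr: str) -> bool:
    # Assumption: models the LHS $*@$*@$* as "two or more '@' in the address".
    return addr.count("@") >= 2


def parse_route(addr: str):
    """Return (relays, final_mailbox); relays are in the order of traversal."""
    addr = addr.strip().strip("<>")
    if addr.startswith("@"):
        # Source route: @relay1,relay2:user@host
        route, sep, mailbox = addr.partition(":")
        if not sep or "@" not in mailbox:
            raise ValueError("source route needs ':' followed by user@host")
        return [h.strip().lstrip("@") for h in route.split(",")], mailbox
    local, at, domain = addr.rpartition("@")
    if not (at and local and domain):
        raise ValueError("expected user@host")
    # Percent form: user%host%relay2@relay1 is handled right to left.
    hops = [domain]
    while "%" in local:
        local, _, nxt = local.rpartition("%")
        hops.append(nxt)
    return hops[:-1], f"{local}@{hops[-1]}"


# Constructed sample recipients (not taken from the thread).
SAMPLES = [
    "user@host.example",
    "user%host.example@relay.example",
    "user%host.example%relay2.example@relay1.example",
    "@relay.example:user@host.example",
    "@relay1.example,relay2.example:user@host.example",
]


def report(samples=SAMPLES):
    # One row per address: (address, relays, final mailbox, rejected by '@' test)
    return [(a, *parse_route(a), two_at_rule_rejects(a)) for a in samples]


if __name__ == "__main__":
    for addr, relays, final, rejected in report():
        print(f"{addr:50} relays={relays} final={final} two-@ rejects={rejected}")
```

On these samples the two-'@' test rejects both source-route addresses and none of the percent-form ones, since the percent form carries a single '@'.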