Bugtraq mailing list archives

Re: Sendmail 8.8.x/8.9.x bugware


From: stevev () HEXADECIMAL UOREGON EDU (Steve VanDevender)
Date: Tue, 19 Jan 1999 14:02:12 -0800


Michal Zalewski writes:
> On Mon, 18 Jan 1999, Olaf Seibert wrote:
>
> > 550 <rhialto () hacker some place else@victim.some.where>... Relaying denied
>
> As you noticed, relaying is denied in your configuration ;P This attack is
> possible if relaying is enabled, and it allows multiple redirections
> through protected or external networks, which shouldn't be allowed.
>
> For clearance - this problem IS PRESENT FOR SURE in 8.9.2, as well as DoS
> attack described in previous mail... If Sendmail developers don't believe
> me, I can post an exploit here, but it isn't really necessary, imho....

If you configure unrestricted relaying in sendmail 8.9, then
you've done something stupid anyway (and overridden the default
behavior).

You claim that this will fix the problem:

> Simple fix - in /etc/sendmail.cf, at the top of ruleset 98, insert
> following line:
>
> R$*@$*@$*       $#error $@ 5.7.1 $: "551 Sorry, no redirections."

Unfortunately RFC 822 (and its followups) specify two kinds of
problematic accepted address formats:

user%host@relay

@relay:user@host

which both indicate that mail to user@host should be redirected
through relay (which may actually be a sequence of relays,
i.e. user%host%relay2@relay1 or @relay1,relay2:user@host).
Your "fix" would break at least the second format.

In any case, I can't perform the redirection that you claim is
possible in sendmail 8.9.2 configured with FEATURE(access_db); I
get the expected "550 Relaying denied" in a RCPT containing two
'@'s where the relaying would be through a domain not permitted
in the access file.  Are you claiming this is possible in 8.9.2's
default configuration (which still limits relaying)?
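
Added illustration, not part of the original post: a small Python model of the two relay-routing address forms named above, showing which addresses a rule shaped like `R$*@$*@$*` would reject. It assumes the rule's left-hand side can be approximated as "two or more '@' in the address" (sendmail's tokenizer, quoting and earlier rewriting are not modelled) and uses the post's placeholder names as constructed samples.

```python
# Added example. Assumption: the LHS of the proposed rule, $*@$*@$*, is
# modelled as "address contains at least two '@'"; sendmail's tokenizer,
# quoting and earlier rewriting are not modelled.

def matches_proposed_rule(addr):
    """True if the simplified $*@$*@$* pattern would reject this address."""
    return addr.strip("<>").count("@") >= 2

def route_of(addr):
    """Return (kind, relays in hop order, final recipient)."""
    addr = addr.strip("<>")
    if addr.startswith("@") and ":" in addr:
        # @relay1,relay2:user@host  (source route)
        route, final = addr.split(":", 1)
        return "source-route", [r.lstrip("@") for r in route.split(",")], final
    local, sep, domain = addr.rpartition("@")
    if sep and "@" in local:
        # The double-'@' form the proposed rule targets; not interpreted here.
        return "multi-at", [], addr
    if sep and "%" in local:
        # user%host%relay2@relay1: relay1 first, then relay2, then user@host
        parts = local.split("%")
        return "percent-hack", [domain] + parts[:1:-1], parts[0] + "@" + parts[1]
    return "direct", [], addr

# Constructed sample recipients using the placeholder names from the post.
SAMPLES = [
    "user@host",
    "user%host@relay",
    "user%host%relay2@relay1",
    "@relay:user@host",
    "@relay1,relay2:user@host",
    "user@host@relay",
]

def audit(samples=SAMPLES):
    """Return (address, kind, relays, final, rejected_by_rule) per sample."""
    return [(a, *route_of(a), matches_proposed_rule(a)) for a in samples]

if __name__ == "__main__":
    for addr, kind, relays, final, rejected in audit():
        verdict = "rejected" if rejected else "passes"
        print(f"{addr:28} {kind:13} via {relays!s:22} -> {final:16} {verdict}")
```

In this model the source-route form is rejected along with the double-'@' form, while the '%' form contains a single '@' and passes the pattern untouched.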


