Bugs discovered in Sendmail 8.8.x/8.9.x | Linux Today

Written By
Web Webster
Jan 18, 1999

For the security-conscious reader, here are some bugs (and
fixes) discovered by Michal Zalewski, posted to BUGTRAQ.

    From: Michal Zalewski 
      To: BUGTRAQ@netspace.org

Bottoms up! Two bugs (and fixes) - Sendmail 8.8.x/8.9.x.

1. Redirection attack

Due to a strange address parsing policy [briefly: if an address ends with the
local hostname, trim it and parse as any other (even if after this operation
the address isn't 'local' anymore)], specific message routing (e.g. through
internal, protected or external networks) can be forced, giving an
occasion to perform anonymous scanning (or fakemailing). You could call it
a 'feature' instead of a 'bug', but it seems to be Sendmail-specific ;>

Simple fix - in /etc/sendmail.cf, at the top of ruleset 98, insert
the following line:

R$*@$*@$*       $#error $@ 5.7.1 $: "551 Sorry, no redirections."

2. 'Headers prescan' DoS

There are possible DoS attacks due to an ineffective headers prescan
algorithm. Two or three medium-size (200 kb) mail messages may render
the system unusable for quite a long period of time (as headers are parsed at
least twice, on message collection and in queue). Exploit sold separately
:-)

Simple patch for Sendmail 8.8.x source tree:

--- collect.c.orig      Thu Dec 10 18:38:51 1998
+++ collect.c   Thu Dec 10 18:53:02 1998
@@ -32,6 +32,8 @@
  * SUCH DAMAGE.
  */

+#define MAXHDRZ 512
+
 #ifndef lint
 static char sccsid[] = "@(#)collect.c  8.72 (Berkeley) 10/6/97";
 #endif /* not lint */
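
Review bot: `MAXHDRZ` in the first hunk is an undocumented compile-time constant. Add a comment saying what it counts (it is compared against the per-message counter `hdrz` in the third hunk) and consider making the limit a runtime option, so a site can tune it without rebuilding. It would also read better below the `#ifndef lint` sccsid block than above it.
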
@@ -87,6 +89,7 @@
        HDR **hdrp;
        register ENVELOPE *e;
 {
+       int hdrz=0;
        register FILE *volatile tf;
        volatile bool ignrdot = smtpmode ? FALSE : IgnrDot;
        volatile time_t dbto = smtpmode ? TimeOuts.to_datablock : 0;
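
Review bot: `int hdrz=0;` is a plain `int`, while the locals declared right after it (`tf`, `ignrdot`, `dbto`) are all `volatile`. If those qualifiers exist because this function can be resumed through `longjmp`, `hdrz` needs `volatile` too, since it is incremented later in the function. A short comment on what it counts, and `hdrz = 0` spacing, would also help.
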
@@ -355,6 +358,17 @@
                                mstate = MS_BODY;
                                goto nextstate;
                        }
+
+                       if (hdrz++>MAXHDRZ)
+                       {
+                          sm_syslog(LOG_NOTICE, e->e_id,
+                                    "excessive headers from %s during message collect",
+                                    CurHostName ? CurHostName : "");
+                          errno = 0;
+                          usrerr("451 Stop this. You are lame.");
+                          goto readerr;
+                       }
+

                        /* check for possible continuation line */
                        do
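
Review bot: `if (hdrz++>MAXHDRZ)` is off by one: with the post-increment the test first succeeds on the 514th pass, so 513 passes are accepted when `MAXHDRZ` is 512; `if (++hdrz > MAXHDRZ)` enforces the stated limit. The reply code deserves a second look as well: `451` is a transient failure, so a conforming sender will queue the message and retry it, whereas a permanent 5xx code would end the exchange. The syslog call falls back to an empty string when `CurHostName` is NULL, which leaves the entry without a source, and the hunk adds a second blank line before the continuation-line comment.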

_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [ENSI / marchew] [dione.ids.pl SYSADM]
[http://linux.lepszy.od.kobiety.pl/~lcamtuf/] <=--=> bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]
To iterate is human, to recurse, divine [P. Deutsch]
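
The header cap from bug 2 as a stand-alone C function, added here as an illustration; it is not sendmail code and not part of the original post. It goes beyond the patch by also capping total header bytes, so folded continuation lines are bounded too; `check_headers`, both limits and the sample message are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum hdr_status { HDR_OK, HDR_TOO_MANY, HDR_TOO_BIG };

/* Walk the header section of an in-memory message (lines end in "\n" or
 * "\r\n"; the first empty line ends the headers). A line starting with
 * space or tab continues the previous header, so it adds bytes but not a
 * new header. Rejects as soon as either limit is crossed. */
enum hdr_status check_headers(const char *msg, size_t len, size_t max_hdrs,
                              size_t max_bytes, size_t *n_hdrs)
{
    size_t pos = 0;

    *n_hdrs = 0;
    while (pos < len) {
        const char *line = msg + pos;
        const char *nl = memchr(line, '\n', len - pos);
        size_t linelen = nl ? (size_t)(nl - line) : len - pos;

        pos += linelen + (nl ? 1 : 0);
        if (linelen > 0 && line[linelen - 1] == '\r')
            linelen--;
        if (linelen == 0)
            break;                      /* blank line: body follows */
        if (pos > max_bytes)
            return HDR_TOO_BIG;         /* bounds folded lines as well */
        if (line[0] == ' ' || line[0] == '\t')
            continue;                   /* continuation of previous header */
        if (++*n_hdrs > max_hdrs)       /* pre-increment: exactly max_hdrs pass */
            return HDR_TOO_MANY;
    }
    return HDR_OK;
}

/* Constructed sample: three headers, one of them folded, then a body. */
static const char sample[] =
    "Received: from a.example\r\n\tby b.example\r\n"
    "From: x@a.example\r\nSubject: test\r\n\r\nX-Not-A-Header: body text\r\n";

int main(void)
{
    size_t n;
    int st = (int)check_headers(sample, sizeof sample - 1, 512, 32768, &n);
    printf("status=%d headers=%zu\n", st, n);
    return 0;
}
```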