---

Home Security

Bugs discovered in Sendmail 8.8.x/8.9.x

By

For the security conscience reader, here are some bugs (and
fixes) discovered by Michal Zalewski, posted to BUGTRAQ.

    From: Michal Zalewski 
      To: BUGTRAQ@netspace.org

Bottoms up! Two bugs (and fixes) - Sendmail 8.8.x/8.9.x.

1. Redirection attack

Due to strange address parsing policy [briefly: if address ends with local
hostname, trim it and parse as any other (even if after this operation
address isn't 'local' anymore], specific message routing (eg. through
internal, protected or external networks) can be forced, giving an
occasion to perform anonymous scanning (or fakemailing). You could call it
'feature' instead of 'bug', but it seems to be Sendmail-specific ;>

Simple fix - in /etc/sendmail.cf, at the top of ruleset 98, insert
following line:

R$*@$*@$*       $#error $@ 5.7.1 $: "551 Sorry, no redirections."

2. 'Headers prescan' DoS

There are possible DoS attacks due to ineffective headers prescan
algorithm. Two or three medium-size (200 kb) mail messages may render
system unusable for quite long period of time (as headers are parsed at
least twice, on message collection and in queue). Exploit sold separately
:-)

Simple patch for Sendmail 8.8.x source tree:

--- collect.c.orig      Thu Dec 10 18:38:51 1998
+++ collect.c   Thu Dec 10 18:53:02 1998
@@ -32,6 +32,8 @@
  * SUCH DAMAGE.
  */

+#define MAXHDRZ 512
+
 #ifndef lint
 static char sccsid[] = "@(#)collect.c  8.72 (Berkeley) 10/6/97";
 #endif /* not lint */
@@ -87,6 +89,7 @@
        HDR **hdrp;
        register ENVELOPE *e;
 {
+       int hdrz=0;
        register FILE *volatile tf;
        volatile bool ignrdot = smtpmode ? FALSE : IgnrDot;
        volatile time_t dbto = smtpmode ? TimeOuts.to_datablock : 0;
@@ -355,6 +358,17 @@
                                mstate = MS_BODY;
                                goto nextstate;
                        }
+
+                       if (hdrz++>MAXHDRZ)
+                       {
+                          sm_syslog(LOG_NOTICE, e->e_id,
+                                    "excessive headers from %s during message collect",
+                                    CurHostName ? CurHostName : "");
+                          errno = 0;
+                          usrerr("451 Stop this. You are lame.");
+                          goto readerr;
+                       }
+

                        /* check for possible continuation line */
                        do

_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [ENSI / marchew] [dione.ids.pl SYSADM]
[http://linux.lepszy.od.kobiety.pl/~lcamtuf/] <=--=> bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]
Complete Story
Previous article
Next article

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis

Must Read

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Our Brands

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.