[89566] in North American Network Operators' Group


Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Sat Mar 25 21:05:06 2006

To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Cc: Gadi Evron <ge@linuxbox.org>, nanog@merit.edu
In-Reply-To: Your message of "Sat, 25 Mar 2006 00:57:31 EST."
             <20060325005731.8d4d5414.smb@cs.columbia.edu> 
From: Valdis.Kletnieks@vt.edu
Date: Sat, 25 Mar 2006 21:04:30 -0500
Errors-To: owner-nanog@merit.edu



On Sat, 25 Mar 2006 00:57:31 EST, "Steven M. Bellovin" said:
> On Sat, 25 Mar 2006 04:39:11 +0200, Gadi Evron <ge@linuxbox.org> wrote:
> 
> > 
> > Valdis.Kletnieks@vt.edu wrote:
> > > Well, it *is* mostly a theoretical overflow - for it to work, a site would have to:
> > 
> > Exploit is out there. How long did that take?
> > 
> Is the exploit actually effective in the wild?  The conditions Valdis
> spoke of are improbable -- are there actually vulnerable sites?  Or is
> the attack much easier than he had indicated?

The race condition is easily winnable in the wild.

The integer overflow is essentially unexploitable in the wild, as it involves
*two* buffers, one of which is a compile-time constant bigger than the other.

The compile time constant is 1024 by default.

To trigger the overflow, the first buffer has to be *under* 2G (2**31) in size,
and the second is (by default) 1024 bigger and *over* 2**31 in size.  At this point,
the attacker has sent 2 gigabytes of data over the wire, and the victim has
grown a buffer by 1024 bytes, copied, grown, copied, grown, copied, a total of
2,097,152 or so times.  Oh, and you need to fit those almost 2G buffers,
*plus* 500K or so of Sendmail binary, in a 4 gigabyte address space.  That's
if you're on a 32-bit machine.

Oh dear, you seem to be about 497K short.  At least.

I suppose some idiot site *could* have recompiled their sendmail to allocate
in 8 megabyte chunks rather than 1K.  But performance would suck eggs.

Oh, and on a 64-bit machine, it's not any better.  You *still* have to fit
2 buffers plus the 500K in under the 2**64 line.  And you need to send
that much data too.


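Editor's added example, not code from the mail and not Sendmail's own source: it puts numbers on the argument Valdis makes above. The shape of the bug is modelled as a second buffer whose size is computed as "first + 1024" in a 32-bit signed int, which is a hypothetical stand-in for the real check and is only assumed here; the 1024-byte compile-time constant and the roughly 500K binary are the figures from the mail. Nothing is allocated, so it runs on any machine. The functions show three things: which first-buffer sizes make the second size wrap (exactly the 1024 sizes just under 2**31), how far over a 32-bit address space both buffers plus the binary land, and how many 1K grow-and-copy rounds reaching 2G takes and how many bytes those rounds copy in total.

```c
/*
 * Editor's added example, not code from the mail or from Sendmail.
 * Models the argument with numbers only; no 2G buffers are allocated.
 * Assumption (hypothetical, not taken from Sendmail source): the second
 * buffer's size is computed as first + SLACK in a 32-bit signed int on a
 * two's-complement machine.  SLACK = 1024 and the ~500K binary size are the
 * figures the mail gives.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SLACK        1024                 /* compile-time constant from the mail */
#define BINARY_BYTES (500ULL * 1024ULL)   /* "500K or so of Sendmail binary" */

/* 32-bit add that wraps like the hardware does, without signed-overflow UB. */
static int32_t add_wrap32(int32_t a, int32_t b) {
    return (int32_t)((uint32_t)a + (uint32_t)b);
}

/* True when "first + SLACK" held in an int32 comes out negative: the first
 * buffer is under 2**31 but the second would be at or over it. */
bool second_size_wraps(int32_t first_len) {
    if (first_len < 0)
        return false;                     /* not a valid length to begin with */
    return add_wrap32(first_len, SLACK) < 0;
}

/* How many first-buffer sizes hit the wrap?  Only the top SLACK values can,
 * so scanning 2*SLACK+1 sizes just below INT32_MAX is enough. */
uint32_t count_wrap_window(void) {
    uint32_t n = 0;
    for (int64_t len = (int64_t)INT32_MAX - 2 * SLACK; len <= INT32_MAX; len++)
        if (second_size_wraps((int32_t)len))
            n++;
    return n;
}

/* Bytes the exploit needs resident at once, versus a 2**addr_bits address
 * space.  Returns the shortfall in bytes, 0 if it fits. */
uint64_t address_space_shortfall(uint64_t first_len, uint64_t second_len,
                                 uint64_t binary_bytes, unsigned addr_bits) {
    uint64_t need = first_len + second_len + binary_bytes;
    if (addr_bits >= 64)
        return 0;                         /* 2**64 overflows uint64_t; a ~4G need fits */
    uint64_t space = (uint64_t)1 << addr_bits;
    return need > space ? need - space : 0;
}

/* Growing a buffer chunk bytes at a time up to target takes ceil(target/chunk)
 * rounds; round i copies the i*chunk bytes already held into the new block. */
uint64_t grow_rounds(uint64_t target, uint64_t chunk) {
    return (target + chunk - 1) / chunk;
}

uint64_t bytes_copied_growing(uint64_t target, uint64_t chunk) {
    uint64_t n = grow_rounds(target, chunk);
    return chunk * (n * (n - 1) / 2);     /* sum of i*chunk for i = 0 .. n-1 */
}

int main(void) {
    uint64_t two_g = (uint64_t)1 << 31;
    printf("first-buffer sizes that wrap the second's size: %u\n",
           count_wrap_window());
    printf("32-bit address-space shortfall: %llu bytes\n",
           (unsigned long long)address_space_shortfall(two_g - SLACK, two_g,
                                                       BINARY_BYTES, 32));
    printf("grow rounds to reach 2G in %d-byte steps: %llu\n", SLACK,
           (unsigned long long)grow_rounds(two_g, SLACK));
    printf("bytes copied across those rounds: %llu\n",
           (unsigned long long)bytes_copied_growing(two_g, SLACK));
    return 0;
}
```

The round count comes out at 2,097,152, the figure in the mail; the quadratic copy total (on the order of 2**51 bytes) is the cost hidden behind "grown, copied, grown, copied", and the 32-bit shortfall is positive for every size in the wrap window, which is the address-space argument in numeric form.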
