SECURITYVULNS:DOC:11929

[Full-disclosure] sendmail stuff2

2006-03-24 00:00:00
vulners.com

written in a rush, pardon the mess ;]

not that I've gotten that far but here is my (confirmed by mark to be close, thanks) attack…

NOTE: I've just been informed that i need to fix something to make this
work, stand by.
ALSO NOTE: the default timeout in collect is 1 hour, that means this exploit
will take about 2 hours to run (plus it doesn't work yet), so you might want
to look into changing the Timeout.datablock parameter in sendmail.cf first ;]

OK, ANOTHER NOTE:
we now believe that a syntactically invalid mail header is the key
that means:
something that passes isheader() and throws syserr inside chompheader
is the racer for the timeout (with unprintable characters inside of it
of course). integer promotion caused us quite a pain inside isheader ;]

step 1)
connect to sendmail server say something like
helo me\r\n
mail from: [email protected]
rcpt to: root
data

step 2)
wait for server to say go ahead
send about 32767 characters inside a header
note what time it is

step 3)
wait until you get:
451 4.4.1 timeout waiting for input during message collect

step 4)
note what time it was when that message happened

step 5)
you'll be dropped back into smtp command mode. now there is a static pointer inside sm_syslog, that's your attack vector; you'll need to recreate the collect timeout and race into sm_syslog
resend the helo crap

step 6)
wait for server to say go ahead
send about 32767 characters inside a header
and wait the time delta from the earlier 2 measurements

step 7)
send more header data (so that it's now greater than 32768 bytes)

hopefully sendmail will now race and crash inside sm_syslog because:
a) we just sent sendmail into sm_syslog due to the fact that we sent > the max amount of header data
b) we have a timeout (SIGALARM, longjmp thingy) that should be pending about the same exact time that
we entered sm_syslog

this doesn't really work well yet, but it should
oh and btw, this program runs on linux, anything else …
THIS IS THE FILE YOU WANT

run it like:

$ while (true)
> do
> (./sendtest X.X.X.X &)
> sleep 1
> done