written in a rush, pardon the mess ;]
not that ive gotten that far but here is my (confirmed by mark to be close, thanks) attack…
NOTE: ive just been informed that i need to fix something to make this
work, stand by.
ALSO NOTE: the default timeout in collect is 1 hour, that means this exploit
will take about 2 hours to run (plus it doesnt work yet), so you might want
to look into changing the Timeout.datablock parameter in sendmail.cf first ;]
OK, ANOTHER NOTE:
we now believe that a syntactically invalid mail header is the key
that means:
something that passes isheader() and throws syserr inside chompheader
is the racer for the timeout (with unprintable characters inside of it
of course). integer promotion caused us quite a pain inside isheader ;]
step 1)
connect to sendmail server say something like
helo me\r\n
mail from: [email protected]
rcpt to: root
data
step 2)
wait for server to say go ahead
send about 32767 characters inside a header
note what time it is
step 3)
wait until you get:
451 4.4.1 timeout waiting for input during message collect
step 4)
note what time it was when that message happened
step 5)
youll be dropped back into smtp command mode, now there is a static pointer inside sm_syslog thats your attack vector, youll need to recreate the collect timeout and race into sm_syslog
resend the helo crap
step 6)
wait for server to say go ahead
send about 32767 characters inside a header
and wait the time delta from the earlier 2 measurements
step 7)
send more header data (so that its now greater than 32768 bytes)
hopefully sendmail will now race and crash inside sm_syslog because:
a) we just sent sendmail into sm_syslog due to the fact that we sent > the max amount of header data
b) we have a timeout (SIGALARM, longjmp thingy) that should be pending about the same exact time that
we entered sm_syslog
this doesnt really work well yet, but it should
oh and btw, this program runs on linux, anything else …
THIS IS THE FILE YOU WANT
run it like:
$ while (true)
> do
> (./sendtest X.X.X.X &)
> sleep 1
> done
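The trigger described in the post is a single header of roughly 32767 bytes, malformed and carrying unprintable characters. Below is an added defender-side example (not the poster's code, and not sendmail's): a scanner that walks the header section of a raw SMTP DATA payload and flags fields that are oversized, contain unprintable bytes, or do not even look like a header. The 32767-byte threshold is taken from the post; the sample messages and the loose header regex are constructed for this example.

```python
import re
from typing import Dict, List

# Threshold from the post: a single header of about 32767 bytes is the trigger.
MAX_HEADER_BYTES = 32767

# Rough "looks like a header" check (constructed, not sendmail's isheader()):
# a field name with no spaces or colons, followed by a colon.
HEADER_RE = re.compile(rb"^[!-9;-~]+:")


def split_headers(raw: bytes) -> List[bytes]:
    """Return the unfolded header fields of a raw DATA payload (everything before
    the first blank line); folded continuation lines join the preceding field."""
    header_section = raw.split(b"\r\n\r\n", 1)[0]
    fields: List[bytes] = []
    for line in header_section.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1] += b"\r\n" + line  # folded continuation line
        else:
            fields.append(line)
    return fields


def unprintable_count(field: bytes) -> int:
    """Count bytes outside printable ASCII, ignoring the TAB/CR/LF used for folding."""
    return sum(1 for b in field if (b < 0x20 and b not in (9, 10, 13)) or b >= 0x7F)


def scan_message_headers(raw: bytes) -> List[Dict]:
    """Flag header fields that are malformed, oversized, or contain unprintable bytes."""
    findings: List[Dict] = []
    for field in split_headers(raw):
        m = HEADER_RE.match(field)
        name = m.group(0)[:-1].decode("ascii") if m else None
        reasons = []
        if name is None:
            reasons.append("malformed")
        if len(field) > MAX_HEADER_BYTES:
            reasons.append("oversized")
        bad = unprintable_count(field)
        if bad:
            reasons.append("unprintable")
        if reasons:
            findings.append({"header": name, "bytes": len(field),
                             "unprintable": bad, "reasons": reasons})
    return findings


# Constructed samples: a normal message and one with a huge header carrying control bytes.
BENIGN = b"From: [email protected]\r\nTo: root\r\nSubject: hi\r\n\r\nbody\r\n"
SUSPECT = (b"From: [email protected]\r\nX-Junk: " + b"A" * 32000 + b"\x01\x02"
           + b"A" * 1000 + b"\r\n\r\nbody\r\n")

if __name__ == "__main__":
    print(scan_message_headers(BENIGN))   # []
    print(scan_message_headers(SUSPECT))  # one finding: oversized + unprintable
```

On a real mail path this would sit in front of the MTA (a milter or proxy), rejecting or quarantining a message before sendmail's collect phase ever sees the oversized field.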