North American Network Operators Group
Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)
On Sat, 25 Mar 2006 00:57:31 EST, "Steven M. Bellovin" said:
> On Sat, 25 Mar 2006 04:39:11 +0200, Gadi Evron <firstname.lastname@example.org> wrote:
>
> >
> > Valdis.Kletnieks@vt.edu wrote:
> > > Well, it *is* mostly a theoretical overflow - for it to work, a site would have to:
> >
> > Exploit is out there. How long did that take?
> >
> Is the exploit actually effective in the wild? The conditions Valdis
> spoke of are improbable -- are there actually vulnerable sites? Or is
> the attack much easier than he had indicated?

The race condition is easily winnable in the wild.

The integer overflow is essentially unexploitable in the wild, as it involves *two* buffers, one of which is a compile-time constant bigger than the other. The compile time constant is 1024 by default. To trigger the overflow, the first buffer has to be *under* 2G (2**31) in size, and the second is (by default) 1024 bigger and *over* 2**31 in size.

At this point, the attacker has sent 2 gigabytes of data over the wire, and the victim has grown a buffer by 1024 bytes, copied, grown, copied, grown, copied, a total of 2,097,152 or so times.

Oh, and you need to fit those almost 2G buffers, *plus* 500K or so of Sendmail binary, in 1 4 gigabyte address space. That's if you're on a 32-bit machine. Oh dear, you seem to be about 497K short. At least.

I suppose some idiot site *could* have recompiled their sendmail to allocate in 8 megabyte chunks rather than 1K. But performance would suck eggs.

Oh, and on a 64-bit machine, it's not any better. You *still* have to fit 2 buffers plus the 500K in under the 2**64 line. And you need to send that much data too.
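
The arithmetic in the message above, worked through as an added example (not part of the original post and not Sendmail code). It assumes a length kept in a signed 32-bit int and grown from zero in fixed chunks, covers only the 32-bit case, and pairs the feasibility check with a checked growth step; all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed model, not Sendmail source: a buffer length kept in a signed
 * 32-bit int and grown from 0 in fixed `chunk`-byte steps, with the old
 * and new buffers both live while the contents are copied. */
#define LIMIT ((uint64_t)INT32_MAX + 1)          /* 2**31 */

/* Grow-and-copy steps needed before the length reaches 2**31.
 * `chunk` must be nonzero. */
uint64_t steps_to_overflow(uint32_t chunk) {
    return (LIMIT + chunk - 1) / chunk;          /* ceiling division */
}

/* 32-bit case only: do the last buffer under 2**31, its successor and
 * the program image fit together in a 4 GiB address space? */
bool fits_in_4g(uint32_t chunk, uint64_t image) {
    uint64_t old_len = (steps_to_overflow(chunk) - 1) * chunk;
    uint64_t new_len = old_len + chunk;          /* first length >= 2**31 */
    return old_len + new_len + image <= (1ULL << 32);
}

/* Checked growth: refuse the step that would wrap the signed length. */
bool grow_checked(int32_t *len, int32_t chunk) {
    if (chunk <= 0 || *len < 0 || *len > INT32_MAX - chunk)
        return false;
    *len += chunk;
    return true;
}

/* Count how many checked steps succeed before the guard trips. */
uint64_t checked_steps(int32_t chunk) {
    int32_t len = 0;
    uint64_t n = 0;
    while (grow_checked(&len, chunk))
        n++;
    return n;
}

int main(void) {
    const uint64_t image = 500 * 1024;           /* "500K or so" of binary */
    printf("1K chunks: %llu steps, fits=%d\n",
           (unsigned long long)steps_to_overflow(1024), fits_in_4g(1024, image));
    printf("8M chunks: %llu steps, fits=%d\n",
           (unsigned long long)steps_to_overflow(8u << 20), fits_in_4g(8u << 20, image));
    printf("checked growth stops after %llu steps\n",
           (unsigned long long)checked_steps(1024));
    return 0;
}
```

Under this model the default 1K chunk cannot reach the overflowing state inside 4 GiB, while an 8 MB chunk leaves enough slack for it to fit, which is the recompiled-site case the message mentions.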