Under Lab Conditions, Mark Dowd Re-creates 1997
Matasano Team | March 24th, 2006 | Filed Under: Disclosure, New Findings
This is as far as I’d gotten before I gave up, hit “up up down down left right left right B A start” and asked some friends on AIM how the Sendmail signal problem is exploitable.
- Clue 1: jack@rapturesecurity posted a writeup, which gives us:
  - In data-mode, while reading headers, Sendmail will log (calling sm_syslog()) when a line exceeds 32k.
  - While reading from a client, Sendmail will receive SIGALRM if no data is received within an interval. Sendmail timers work like C++ exceptions, unwinding to a guard clause before the timed event.
  - So, putting (1) and (2) together: you can get the sm_syslog() and the timeout to happen at the same time by sending the “last” byte of the header exactly when you expect the data timeout to fire.
  - Jack says Sendmail then crashes in sm_syslog.
- Clue 2: Eric Allman posted to Bugtraq:
  “It is an extremely subtle problem that involves making an alarm signal occur in a very small section of code as the result of a multi-minute timeout. The signal causes a longjmp that can leave a piece of code in an inconsistent state.”
The rest of the details of the attack have probably already come out by the time you’re reading this post, or will very soon. Regardless of what Allman says, this is not a subtle bug. Sendmail timers work like exceptions.
Most of Allman’s Bugtraq message is actually useful (something about this advisory seems to have scrambled Gadi Evron’s brain). But it is Eric Allman writing about Sendmail security, and so we get this gem:
ISS explained it to us and told us that they had managed to craft an exploit in their lab, but frankly we don’t see how it can be practical. This literally requires nanosecond precision in the millisecond world of networking.
Yeah, because what’s happening here is that ISS has a state-of-the-art “lab” equipped with supercomputers and a time machine, not that Mark Dowd knows how to set a timer, multiply by 100,000, or write a loop. Then again, since SIGALRM-plus-longjmp has been a Sendmail idiom since the early ’90s (despite being literally the man-page example of what not to do with longjmp), maybe it just seems that way to Allman.
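To make the “inconsistent state” concrete, here is an added C model that is not code from the post, from Sendmail, or from ISS. It shows the two halves of the argument side by side: a SIGALRM handler that longjmps out of a non-reentrant helper (a stand-in for a logger like sm_syslog) leaves that helper’s bookkeeping half-updated, while a handler that only sets a `volatile sig_atomic_t` flag, checked at a safe point, reports the same timeout with every invariant intact. The struct, the function names, the 8-byte “long line” threshold, and the `fire_here` switch that stands in for the timer expiring at the worst possible instruction are all assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a header reader whose helper (standing in for a
 * logger such as sm_syslog) must not be interrupted between two updates.
 * Names and the 8-byte "long line" threshold are made up for this example. */
struct hdr_state {
    char   buf[64];
    size_t len;          /* bytes currently valid in buf */
    int    in_logger;    /* 1 while the non-reentrant logger is running */
};

static sigjmp_buf timeout_env;
static volatile sig_atomic_t timeout_flag;

/* Unsafe handler: unwinds straight out of whatever was executing. */
static void unsafe_alarm(int sig) { (void)sig; siglongjmp(timeout_env, 1); }

/* Safe handler: records the event; the caller acts on it at a safe point. */
static void safe_alarm(int sig) { (void)sig; timeout_flag = 1; }

static void install(void (*handler)(int)) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGALRM, &sa, NULL);
}

/* Non-reentrant helper. Between the two assignments its state is inconsistent;
 * fire_here lets the caller simulate the timer expiring at exactly that point
 * (raise() delivers the signal synchronously in a single-threaded process). */
static void log_long_line(struct hdr_state *st, int fire_here) {
    st->in_logger = 1;
    if (fire_here) raise(SIGALRM);
    st->in_logger = 0;
}

/* The idiom the post criticises: the timeout longjmps out of the handler. */
static int read_header_unsafe(struct hdr_state *st, const char *line) {
    install(unsafe_alarm);
    if (sigsetjmp(timeout_env, 1) != 0)
        return -1;                        /* "timed out"; state left as-is */
    size_t n = strlen(line);
    if (n >= sizeof st->buf) return -2;
    if (n > 8) log_long_line(st, 1);      /* alarm lands inside the logger */
    memcpy(st->buf, line, n);
    st->buf[n] = '\0';
    st->len = n;
    return 0;
}

/* The fix: the handler only sets a flag, which is checked between operations. */
static int read_header_safe(struct hdr_state *st, const char *line) {
    install(safe_alarm);
    timeout_flag = 0;
    size_t n = strlen(line);
    if (n >= sizeof st->buf) return -2;
    if (n > 8) log_long_line(st, 1);      /* same alarm, but the logger completes */
    if (timeout_flag) return -1;          /* safe point: every invariant holds */
    memcpy(st->buf, line, n);
    st->buf[n] = '\0';
    st->len = n;
    return 0;
}

/* Constructed input: long enough to trip the made-up logging threshold. */
static const char LONG_LINE[] = "Subject: constructed line well past the logging threshold";

/* 1 if the unsafe reader reports a timeout but leaves the logger marked busy. */
int unsafe_leaves_logger_busy(void) {
    struct hdr_state st; memset(&st, 0, sizeof st);
    return read_header_unsafe(&st, LONG_LINE) == -1 && st.in_logger == 1;
}

/* 1 if the safe reader reports the same timeout with the logger cleanly finished. */
int safe_leaves_logger_idle(void) {
    struct hdr_state st; memset(&st, 0, sizeof st);
    return read_header_safe(&st, LONG_LINE) == -1 && st.in_logger == 0;
}

/* 1 if a short line (no logging, no alarm) is stored intact by the safe reader. */
int safe_stores_short_line(void) {
    struct hdr_state st; memset(&st, 0, sizeof st);
    return read_header_safe(&st, "short") == 0 && st.len == 5 && strcmp(st.buf, "short") == 0;
}

int main(void) {
    printf("unsafe reader leaves logger busy after timeout: %d\n", unsafe_leaves_logger_busy());
    printf("safe reader leaves logger idle after timeout:   %d\n", safe_leaves_logger_idle());
    printf("safe reader stores a short line:                %d\n", safe_stores_short_line());
    return 0;
}
```

Over a network the alarm lands at an unpredictable instruction, which is exactly why the post says you retry until it does; in the model, `raise()` places it deterministically so the half-updated state can be shown on every run. The example uses `sigsetjmp`/`siglongjmp` rather than plain `longjmp` so the signal mask is restored on unwind (glibc’s `longjmp` does not restore it, BSD’s does); that detail does not change the point, which is that unwinding out of the helper at all is what leaves `in_logger` stuck at 1.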
For those of you who missed the temp-file-race renaissance of 1994: it is usually hard to trigger a race condition reliably. That’s why you attempt them over and over again until they work.